Guy Carpenter and CyberCube Report Reveals Potential Impact of Cyber Catastrophe Scenarios on U.S. Cyber Insurance Industry
NEW YORK AND LONDON, September 05, 2019 – Guy Carpenter & Company, LLC, a leading global risk and reinsurance specialist and a wholly owned subsidiary of Marsh & McLennan Companies (NYSE: MMC), and CyberCube Analytics, a market-leading cyber analytics platform, today released the findings of a joint report that explores the size and shape of potential cyber catastrophes and the resulting financial impact on the U.S. cyber insurance market.
The report, “Looking Beyond the Clouds: A U.S. Cyber Insurance Industry Catastrophe Loss Study,” examined some of the key drivers of cyber catastrophe scenarios and provided a data-driven view on the potential insured loss figures for the standalone cyber insurance market. It also highlighted particular vulnerabilities that could be exploited to execute a cyberattack and explored the volatility around the frequency and severity of those attacks.
The industry-wide analysis was based on a synthetic USD 2.6 billion portfolio constructed using anonymized cyber insurance policy characteristics. This was extrapolated to provide a broad representation of the U.S. standalone cyber insurance market. This data, plus additional cyber security information and analytics, allowed CyberCube Analytics to create a series of realistic catastrophe scenario narratives and apply frequencies and severities to them to build a probabilistic model.
Key Findings
From a total of 23 catastrophe loss scenarios analyzed, ranging from attacks on critical infrastructure to breaches affecting the cloud environment, the study revealed that the highest potential loss value generators were:
- Long-lasting outage at a leading cloud service provider – USD 14.3 billion loss
- Large-scale cloud ransomware at a leading cloud services provider – USD 11.5 billion loss
- Widespread data loss from a leading operating system provider – USD 23.8 billion loss
- Widespread theft from a major e-mail service provider – USD 19.1 billion loss
- Large-scale data loss from a cloud service provider – USD 22.2 billion loss
For each of these scenarios, the analysis considered the size of loss, single point of failure (SPOF) targeted to execute the attack and the implications of these findings for the (re)insurance market.
While the study showed that widespread data loss from a leading operating system provider was the costliest cyber catastrophe scenario modeled, it also revealed that the likelihood of this occurring was the lowest – beyond the 1-in-300-year return period.
According to the findings, the total annual cyber catastrophe insured loss figure for a 1-in-100-year return period was USD 14.6 billion, rising to USD 16.1 billion for a 1-in-200-year event. Furthermore, the most likely catastrophe loss scenario was widespread data theft from a major email service provider. Large-scale ransomware at a leading cloud service provider was the second most likely scenario.
While the cost components of each scenario varied, the study showed that business interruption (BI) costs, caused when supply chains stall or factories are offline, featured heavily in the insured loss figures. For example, BI made up 94.4 percent of the insured costs associated with a widespread data loss from a leading operating system, while the figure was 92 percent for a long-lasting outage at a leading cloud service provider.
The study also revealed that on an industry basis, financial firms were most impacted during these systemic events, accounting for over 20 percent of the overall insured loss. This accumulation of insured loss among financial firms was reflective of the buying patterns of this sector. The companies also represented potentially more lucrative targets for cyber criminals.
Commenting on the report, Robert Bentley, CEO, Global Strategic Advisory at Guy Carpenter, said: “As the cyber market continues to expand, the (re)insurance industry must develop a much more granular understanding of the potential impact of systemic events. More work similar to that which we have carried out with CyberCube Analytics needs to be undertaken to help (re)insurers make sound and informed risk tolerance decisions and help create a cyber market sufficiently robust to withstand these catastrophic events. With the unique capabilities of Guy Carpenter’s Cyber Centre of Excellence, we are positioned to help our clients gain that heightened level of insight into this constantly evolving threat landscape by combining market-leading product expertise with a data-driven approach.”
Pascal Milliare, CEO at CyberCube Analytics, added: “Through improved data and enhanced analytics, (re)insurers can gain a much more granular understanding of these high-impact scenarios, enabling them to allocate capital appropriately and develop more nuanced underwriting strategies. Through collaborating with the industry, our aim is to cultivate that more sophisticated view of the loss potential posed by cyber through pooling data resources and analytical capabilities. Only by adopting a robust, modeled, forward-looking view of cyber catastrophe risk can we ensure the ongoing development of a sustainable and profitable cyber insurance market.”
The full report, “Looking Beyond the Clouds: A U.S. Cyber Insurance Industry Catastrophe Loss Study,” is available to download at: guycarp.com
Note: The study reflected the impact of catastrophic losses on an insured portfolio. Catastrophic loss is defined as a cybersecurity failure at a SPOF causing losses to occur at multiple other companies. The severity of the losses discovered in the research was based on the insurance limits purchased by the insured entities.
About Guy Carpenter
Guy Carpenter & Company, LLC is a leading global risk and reinsurance specialist with more than 3,100 professionals in over 60 offices around the world. Guy Carpenter delivers a powerful combination of broking expertise, trusted strategic advisory services and industry-leading analytics to help clients adapt to emerging opportunities and achieve profitable growth. Guy Carpenter is a wholly owned subsidiary of Marsh & McLennan Companies (NYSE: MMC), the world’s leading professional services firm in the areas of risk, strategy and people. The company’s 76,000 colleagues advise clients in over 130 countries. With annualized revenue approaching $17 billion, Marsh & McLennan helps clients navigate an increasingly dynamic and complex environment through four market-leading companies including Marsh, Mercer and Oliver Wyman. For more information, visit www.guycarp.com and Guy Carpenter on Twitter @GuyCarpenter.
About CyberCube
CyberCube delivers the world’s leading cyber risk analytics for the insurance industry. With best-in-class data access and advanced multidisciplinary analytics, the company’s Software as a Service platform helps insurance companies make better decisions when underwriting cyber risk and managing cyber risk aggregation. CyberCube’s enterprise intelligence layer provides insights on millions of companies globally and includes modeling on over one thousand single points of technology failure.
The CyberCube platform was established in 2015 within Symantec, the global leader in cybersecurity, and now operates as a standalone company exclusively focused on the insurance industry, with continued access to Symantec data and resources and backing from ForgePoint Capital. For more information, please visit www.cybcube.com or email info@cybcube.com.
Contacts
Edward Dixon
Guy Carpenter
1.917.937.3118
edward.dixon@guycarp.com
Jennifer Ainslie
Guy Carpenter
44.20.7357.2058
jennifer.ainslie@guycarp.com
Yvette Essen
CyberCube Analytics
44.(0).7956.877.206
yvettee@cybcube.com