Cyber catastrophe events: Seeking solutions for unknown unknowns

Business and insurance sector leaders are rightly concerned about the prospect of a catastrophic cyber event – but, with a truly systemic cyber disaster yet to occur, how can the industry model and cover the risk? Simon Heather explores the issues.

Cyber insurance is a fast-evolving, rapidly growing market, but it has never had to deal with a truly systemic catastrophe. In contrast to the natural catastrophe market, where disasters such as hurricanes, wildfires, tornadoes and floods are a regular occurrence, it has no precedent to draw on, which makes a cyber cat event inherently more difficult to model and price.

In short, the industry is hampered by a lack of tangible scenario data points, inconsistent or non-existent cyber catastrophe claims coding frameworks and an overarching high level of uncertainty.

Cyber status quo

In reality, cyber modelling remains in relative infancy, and there is substantial variance in the modelling of larger scenarios – something which does not inspire confidence among capital providers. The (re)insurance sector has responded to this by working hard to manage its exposures through appetite, pricing, tighter wordings and exclusions.

Meanwhile, demand for cyber insurance continues to grow and, following triple-digit rate rises in the past three years, insurers can have more confidence that they are pricing the risk correctly. But while the supply of capital is increasing in parts of the market, there remains a reluctance from capital providers to offer cost-effective and systemic solutions that address carriers’ fear of the unknown.

Cat characteristics

The biggest problem for the industry is that it has never really experienced a truly systemic cyber disaster. This means that there is no universally accepted definition for what might cause one, or what form it might take. This ultimately means that there is no industry consensus on modelling the risks.

This makes for a stark contrast with natural catastrophes, such as hurricanes or earthquakes, where risks are much better known and modelled. And it creates a particular challenge for insurers in securing reinsurance capacity, as capital providers in that market are grappling with the same uncertainty.

A shared understanding of what a cyber catastrophe could look like would be a useful starting point. And this, in turn, needs to be translated into consistent claims reporting frameworks. Gallagher Re’s own development of in-house ‘Cyber Cat’ wordings to cover the two broad types of aggregating language has had success in attracting and retaining capacity in both the traditional and alternative markets.

Causes and consequences

Rather than nation-state or organised criminal perpetrators, the most likely origin of a systemic cyber event is an accident, an unintended consequence of a smaller event, or a combination of two apparently unconnected events. These might include a piece of malware that proliferates out of control or the failure of a widely used free data service, which has unexpected knock-on effects.

This makes these events truly unanticipated and inherently hard to model – again contrasting with weather-related risks such as hurricanes. A cyber cat could be something the industry has never seen before – challenging the assumptions of actuaries, modellers and cybersecurity teams alike.

But while the origin story of a cyber catastrophe event remains vague and hypothetical, there’s greater agreement on what could turn a known and manageable problem into a catastrophe.

For an event to threaten the system, it either has to knock out one of the internet’s crucial pieces of centralised infrastructure or go uncontrollably viral. For example, a mass, prolonged cloud outage could render huge swathes of the business world inoperable, or a new virulent strain of malware could spread uncontrollably; unexpected vulnerabilities in widely used software are a related risk.

Cyber modelling challenges

The divergence of existing cyber model output, and thus the wide range of uncertainty in this peril, is only one area of difficulty when it comes to quantifying cyber cat exposure. The other lies in the key differences from the progenitor of cyber cat modelling: natural catastrophe modelling.

Nat cat models have the distinct advantage that their perils follow defined scientific laws with standardised scales of magnitude and intensity. Everyone can agree what a Category 5 hurricane looks like and can gather plenty of empirical data about characteristics such as peak wind speeds, pressure, tracks and genesis. The same isn’t true of a cyber event.

There is no classification of event magnitude that is independent of loss impact, no real agreement on what a cat event looks like, and no standard set of features common to all cyber events.

This means that each model vendor must rely on its own event classification, which often leads to broad differences in model frameworks and outputs.

While we will likely see some convergence in cyber modelling, or at least a reduction in divergence, this is not a given – and one of the reasons we can’t guarantee convergence is the ‘unknown unknowns’. Every time a new piece of software comes out there are new unknown unknowns. It’s an irreducible uncertainty. There is much less of this type of uncertainty in nat cats, which allows for more model convergence.

The way forward

In a young market with less loss experience to draw upon, greater disclosure and transparency among the cyber community would be welcomed by the (re)insurance industry. The current regulatory environment tends to compel organisations to disclose only when they have fallen victim to a data breach. However, the focus for disclosure should not solely be on successful attacks – there is real value in being open about near misses as well.

Greater disclosure and sharing of data will bring more effective models and a larger body of data residing outside the models. More granular data may also help the insurance industry better characterise the different cyber cat risks facing different parts of the market, diversifying modelling on the basis of policyholder size, for example.

Cyber demands a new approach not wholly based on established practices, an approach that dislocates cyber from the familiarity of natural catastrophe model frameworks. Consider the key differences: the duration of a cyber cat may be much longer and its behaviour much less predictable. Cyber is also a class in which the policyholder’s behaviour has a far greater impact on the nature of their risk. Faced with a hurricane, a property owner cannot move the property out of the path of the storm. But a chief information security officer can effectively isolate their business from an emerging threat.

Ultimately, while model providers are investing in improving their capabilities, the (re)insurance industry will require more and better data from insured clients on their cyber vulnerabilities and loss experience to improve both models and, in turn, pricing. This may enable more granular coverage, for example by differentiating between large corporations and smaller companies: the former are vulnerable to targeted attacks, while the latter want to insure their exposure to a longer-tail, system-wide event.

Simon Heather is head of cyber catastrophe modelling at Gallagher Re

The above is an excerpt from Gallagher Re’s recent paper ‘The Risk of a Cyber Catastrophe’ – the third in its ‘Gray Rhino’ series, designed to raise awareness of various insurance industry challenges before a major event occurs, which was originally published on 10 October 2023. For the full paper, please visit: Cyber Catastrophe – Solving for insurers’ fear of the unknown