Guy Carpenter & CyberCube: research on improving cyber cat data
It is essential to develop a deep understanding of the characteristics of cyber catastrophe events and the financial impact they could have on the standalone cyber insurance market as it exists today. As the industry seeks to reduce protection gaps and drive cyber product adoption, the resulting future growth will help develop a robust market better equipped to absorb the potential for large-scale losses.
With that premise in mind, CyberCube Analytics, a ForgePoint Capital portfolio company, and Guy Carpenter, a wholly-owned subsidiary of Marsh McLennan Companies, have collaborated to help re/insurers quantify cyber risk by pooling data resources and analytics capabilities to cultivate a view of the potential US cyber industry loss from a range of different cyber catastrophe scenarios.
The study highlights five key considerations for re/insurers and other stakeholders to help protect profitability and examine capital adequacy of the existing US cyber standalone insurance industry.
For the purposes of this study, Guy Carpenter applied CyberCube’s aggregation modelling software, Portfolio Manager, to the Guy Carpenter synthetic portfolio. Portfolio Manager includes 23 modelled systemic, catastrophic scenario classes, ranging from attacks on critical infrastructure to third-party technology aggregation scenarios to attacks that affect the cloud environment.
We focused on the five that drive the highest loss values. For each, we considered the size of the loss, the single point of failure (SPOF) targeted to execute the attack and the implications of these findings on the insurance market.
Cyber: The facts and figures
- The US industry 1-in-100-year return period produces total annual cyber catastrophe insured losses of $14.6 billion (this can include one or more events within the same year).
- Both on-premises and cloud service providers face exogenous threats from malicious third parties. Focusing on cloud service providers, the calculated probability of ransomware is four times larger than the probability of other outages.
- The top five scenario classes comprise roughly 75 percent of the total average annual loss (AAL).
- The costliest cyber catastrophe scenario is widespread data loss from a leading operating systems provider with potential to generate up to $23.8 billion of insured loss.
- The most likely cyber catastrophe loss scenario is widespread data theft from a major email service provider.
The five that stood out as having the most potential to cause loss either at the mean or in an extreme event based on the synthetic US portfolio are:
- Long-lasting outage at a leading cloud service provider ($14.3 billion loss)
- Large-scale cloud ransomware at a leading cloud services provider ($11.5 billion loss)
- Widespread data loss from a leading operating system provider ($23.8 billion loss)
- Widespread theft from a major email service provider ($19.1 billion loss)
- Large-scale data loss from a cloud service provider ($22.2 billion loss)
Insurance companies and the organisations they insure need to be aware of these major scenarios, and understand the response plans necessary and the potential financial losses in each of these scenarios. The industry must invest in effectively assessing and managing aggregations, educating the business community to drive product adoption and quantifying cyber risk to promote the purchase of adequate insurance limits.
By understanding risk tolerance and capital commitment, primary carriers can also ensure that they have purchased enough reinsurance capacity in a structure that best protects against these events. We explore the study’s findings in the context of helping re/insurers investigate portfolio construction, risk retention and transfer strategies, capital allocation—and how robust modelling and analytics can inform these strategies.
Growing pains: the catalyst for the study
To enable this industry-wide analysis, a synthetic $2.6 billion portfolio was constructed using anonymised cyber insurance policy characteristics. The portfolio was built by extrapolating from these characteristics to create an amalgamation of risks representative of the standalone US cyber insurance market. This portfolio was then stress-tested using a number of cyber catastrophe scenarios on CyberCube’s analytics platform.
This study reflected the impact of catastrophic losses on an insured portfolio. Catastrophic loss is defined as a cybersecurity failure at a SPOF that causes losses at multiple other companies. The severity of the losses found in the research was based on the insurance limits purchased by the insured entities. The study’s intent was to provide a realistic reflection of the potential insured losses that the US cyber insurance market could face today, rather than an estimate of total economic losses or of how non-affirmative cover might respond.
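To make the mechanics described above concrete, here is an added Python sketch that is not the study’s model or CyberCube’s Portfolio Manager: a failure at a SPOF propagates to every insured that depends on it, severity is bounded by purchased limits, and per-scenario annual probabilities roll up into an AAL and an aggregate 1-in-N return-period loss that can include more than one event in a year. The policies, scenario classes, loss shares and probabilities are all constructed assumptions.

```python
from itertools import product

# Constructed toy portfolio (not the study's synthetic portfolio): limits in $M,
# each insured tagged with the single points of failure (SPOFs) it depends on.
POLICIES = [
    ("Insured A", 50, {"cloud", "os", "email"}),
    ("Insured B", 20, {"os", "email"}),
    ("Insured C", 100, {"cloud"}),
    ("Insured D", 10, {"os"}),
]
# Scenario classes: (name, SPOF hit, share of limit paid, annual probability).
# Assumed values; ransomware is set four times as likely as an outage.
SCENARIOS = [
    ("Cloud outage", "cloud", 0.6, 0.02),
    ("Cloud ransomware", "cloud", 0.5, 0.08),
    ("OS data loss", "os", 0.9, 0.003),
    ("Email data theft", "email", 0.7, 0.10),
]


def scenario_loss(scenario, policies=POLICIES):
    """Insured loss when one SPOF fails: each dependent policy pays a share of its limit."""
    _, spof, share, _ = scenario
    return sum(limit * share for _, limit, deps in policies if spof in deps)


def aal_by_scenario(scenarios=SCENARIOS):
    """Average annual loss contribution of each scenario: probability x severity."""
    return {s[0]: s[3] * scenario_loss(s) for s in scenarios}


def top_share(n, scenarios=SCENARIOS):
    """Fraction of total AAL driven by the n largest scenario classes."""
    contrib = sorted(aal_by_scenario(scenarios).values(), reverse=True)
    return sum(contrib[:n]) / sum(contrib)


def annual_loss_distribution(scenarios=SCENARIOS):
    """Exact aggregate annual loss distribution, treating each scenario as an
    independent at-most-once-per-year event, so one year may hold several."""
    losses = [scenario_loss(s) for s in scenarios]
    probs = [s[3] for s in scenarios]
    dist = {}
    for occurred in product((0, 1), repeat=len(scenarios)):
        p, total = 1.0, 0.0
        for hit, loss, q in zip(occurred, losses, probs):
            p *= q if hit else 1 - q
            total += loss if hit else 0.0
        dist[total] = dist.get(total, 0.0) + p
    return dist


def return_period_loss(years, scenarios=SCENARIOS):
    """Aggregate annual loss reached or exceeded with probability 1/years (AEP curve)."""
    dist = annual_loss_distribution(scenarios)
    cumulative = 0.0
    for loss in sorted(dist, reverse=True):
        cumulative += dist[loss]
        if cumulative >= 1 / years:
            return loss
    return 0.0
```

Running `return_period_loss(100)` on this toy portfolio returns a year in which both the cloud ransomware and email theft scenarios occur, which is why the 1-in-100 figure exceeds any single scenario’s loss.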
The synthetic portfolio that Guy Carpenter created was broadly representative of the US standalone cyber insurance market. As the market-leading cyber reinsurance broker, Guy Carpenter is uniquely positioned to apply its knowledge of the market landscape to create a synthetic portfolio.
CyberCube had access to security data from both inside and outside the firewall, with exclusive access to telemetry from cybersecurity firm Symantec, and other data partners. This data and additional analytics allowed CyberCube to create realistic catastrophe scenario narratives and apply frequencies and severities to them to build a probabilistic model.
SPOFs that could lead to the costliest losses include operating systems providers; email service providers; cloud service providers; and critical utilities providers. These serve as points of aggregation, thus enabling a systemic loss in the event of cybersecurity failure.
The costliest cyber catastrophe scenario modelled was widespread data loss due to zero-day vulnerabilities—or unprecedented forms of cyber attack—within a leading operating system, causing a $23.8 billion insured loss. The probability of this is less likely than the 1-in-300-year return period.
Out of the five major scenarios considered in the research, the most likely cyber catastrophe loss scenario was widespread data theft from a major email service provider. Large-scale ransomware at a leading cloud services provider was the second most likely scenario.
Of the 23 scenarios considered in this study, “Widespread Data Theft from a Leading Email Services Provider” and “Widespread Data Loss from a Leading Operating Systems Provider” rank in the top four for both AAL and maximum insured loss (Table 1).
Cost components of each of these scenarios vary but business interruption (BI) costs, arising from stalled supply chains or factories offline, feature heavily in the catastrophe costs.
Scenario: Long-lasting outage at a leading cloud service provider
The model showed that a long-lasting outage from a leading cloud service provider could trigger an insured loss of $14.3 billion. The outage time in this scenario ranges on a scale of days to weeks, depending on the redundancies and resiliencies of individual companies.
A major cloud service provider (CSP) with significant market share operates globally with many regional hubs and data centres in the US and other hubs worldwide, to serve its international client base. In this scenario, a disgruntled employee of the cloud service provider releases malware. The primary goal is to compromise targeted system availability for as long as possible, triggering short-term economic losses and diminishing confidence in cloud solutions. The malware then infects the system and causes a service outage and ensuing BI.
By far the largest component of the insured loss would be BI costs of $13.1 billion—92 percent of the entire insurance cost related to the incident (Figure 1).
Scenario: Large-scale cloud ransomware at a leading cloud services provider
A large-scale ransomware attack at a leading cloud services provider would trigger insured losses of $11.5 billion.
A group of cyber criminals targets a major cloud data storage company and encrypts all data using malware. The primary goal is to get the company to pay a ransom in exchange for the attackers providing decryption keys to unlock critical data, triggering short-term economic losses and showcasing the technical capability of the attackers.
During the attack, all data stored on the cloud is locked, which may take days if not weeks or more, to be restored. In some extreme cases, some data may be permanently lost. System shutdown leads to losses from BI/contingent BI and massive operational disruptions.
The probability of cloud service providers falling victim to a ransomware attack is much higher than that of a cloud outage. Cloud service providers appear more vulnerable at the human level, to phishing attacks, than at the systems level, to connectivity failure.
The two biggest insured loss components would be BI, at $5.6 billion, and investigation and response costs, at $5.5 billion. There would also be data restoration costs of $234 million, fines of $59 million and legal liabilities of $36 million (Figure 2).
Scenario: Widespread data loss from a leading operating system provider
A widespread data loss from this SPOF could result in a systemic event amounting to $23.8 billion in insured losses.
Cyber criminals find and exploit a vulnerability in a popular operating system. The primary goal is to disrupt all computers running this operating system in an effort to achieve fame, triggering short-term economic losses and showcasing the technical capability of the attackers. Data from hard drives of all infected computers is lost.
BI costs make up the lion’s share of the cost (94.4 percent). Investigation and response costs and data restoration costs make up the remainder (Figure 3).
Scenario: Widespread theft from major email service provider
A widespread theft from a major email service provider would trigger insured losses of $19.1 billion. In this scenario, a phishing campaign consisting of conventional and more advanced phishing techniques infects enterprise email clients with malware, affecting a significant proportion of all accounts.
The primary goal is to steal and monetise login credentials and personally identifiable information. The attackers profit from the sale of records, use the compromised corporate email accounts to identify more valuable assets such as intellectual property, and showcase their hacking skills.
The majority of the loss from this type of cyber attack would involve confidential information, intellectual property and personally identifiable information.
The main drivers of insured loss here are investigation costs and response costs (64.7 percent), followed by legal liability (25.2 percent). BI is a minor component of this scenario, at just $1.7 billion (8.7 percent) (Figure 4).
Scenario: Large-scale data loss from leading cloud service provider
If there were a large-scale data loss at a leading cloud service provider, the model predicts insured losses of $22.1 billion.
In this scenario, a threat actor obtains access to a data centre by targeting the support staff, and then uses the compromised staff credentials to spread through the network and gain escalated remote access. The primary goal is to permanently erase cloud services customers’ instances and stored databases to create disruption and chaos.
The attacker executes commands to the system that are either hard to detect or are irreversible, triggering permanent economic losses and showcasing the attackers’ technical capability.
As in the long-lasting cloud service provider outage and the operating systems provider data loss scenarios, BI costs feature heavily in this large-scale data loss scenario (Figure 5).
Cyber risk poses unique quantification challenges. Re/insurance companies and the organisations they insure must be aware of the loss potential of cyber catastrophes and of the financial losses each of these scenarios could produce.
With very little precedent for systemic cyber loss, it is a challenge for re/insurers to estimate the size and scope of a catastrophic cyber event on their balance sheets. Yet, this catastrophic component adds complexity and considerable risk in both typical and worst-case years that must be contemplated in forming robust and reliable growth strategies for this line of business.
Rory Egan, senior cyber actuary with Munich Re, says: “The fundamental first step towards quantifying the catastrophic potential from cyber risk is to identify which sources of risk are currently manageable by the cyber re/insurance market, and which can and should be modelled, versus which cannot.
“Ultimately, we, as a market, should aim to provide meaningful risk transfer mechanisms, but these need to be sustainable. Therefore it is important to dedicate significant expertise and effort towards ensuring there is a solid scientific basis underpinning risk appetite and modelling approaches, in order to provide such solutions.”
To help the re/insurance industry withstand the full potential impact of these economic losses, the cyber market must develop further by increasing buyer penetration, assisting businesses to understand and measure their cyber exposures, and continuing to expand the product so that it bridges cyber protection gaps across lines of business.
Addressing the issue of modelling cyber catastrophes to better price these scenarios into insurance products is key to creating a sustainable solution and adequate capacity for insurance buyers and the re/insurance value chain.
Guy Carpenter and CyberCube strongly believe that taking a robust, modelled, forward-looking view of cyber catastrophe risk can help enable the cyber insurance market to grow sustainably.
Sustainable growth will better position insurers to bridge the protection gap for businesses and form lasting partnerships as part of robust cybersecurity frameworks.
Major contributions to this article were made by Chris Shafer, Erica Davis and Siobhan O’Brien, Cyber Centre of Excellence at Guy Carpenter, and Joshua Pyle, Emma Ye and Rebecca Bole of CyberCube.