Features 20.07.2023
The Bigger Picture: Why Cyber Risk Aggregation Matters
Aggregate cyber risk should inform executive cyber strategy and help insurers to price cyber policies more accurately. Here’s how…
The world is more connected than it’s ever been. And that spells risk to the insurance sector and its customers. Consider the impact of a major cloud service outage. Or a ransomware worm that causes chaos across the globe. These ‘cyber aggregation events’ can have a cascading impact on interlinked and dependent systems, organisations and endpoints. They must be better understood so that risk can be managed more effectively. But that’s not necessarily easy in what is still an emerging field.
Finding a way to model and mitigate aggregated cyber risk like this will be increasingly critical to broader cyber risk management efforts. It should inform executive cyber strategy and help insurers to price cyber policies more accurately.
When insurers talk about aggregate risk, what they mean is systemic risk: the idea that a single incident could cause a cascading failure that leads to a huge surge in claims. In the real world, natural disasters are a useful comparison, according to Tom Draper, head of insurance at Coalition UK.
NotPetya caused over $10bn in global losses
“In the same way property insurers worry that a hurricane could damage multiple properties, cyber insurers are interested in how a single event could cause losses for many policyholders,” he tells Assured Intelligence.
“To address their concerns, property insurers typically monitor the location of insured properties and avoid accumulating policyholders in one local region. However, cyber insurers cannot rely on geography so, instead, monitor the shared technologies and infrastructure—and their potential vulnerabilities—among policyholders, to address the potential for aggregate cyber risk.”
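The shared-technology accumulation Draper describes, as an added illustration that is not from the article or from Coalition: a constructed five-policy book that looks well spread by region but concentrates heavily on one logging library and one cloud provider. All insureds, limits and dependency tags are hypothetical.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    insured: str
    region: str
    limit: int                # policy limit in GBP
    dependencies: frozenset   # shared technologies the insured relies on


# Constructed sample book: hypothetical insureds, limits and dependency tags.
PORTFOLIO = [
    Policy("Acme Logistics", "London", 5_000_000, frozenset({"cloud:provider-a", "lib:logging-x"})),
    Policy("Northern Clinics", "Manchester", 3_000_000, frozenset({"cloud:provider-b", "lib:logging-x"})),
    Policy("Harbour Retail", "Bristol", 2_000_000, frozenset({"cloud:provider-a", "msp:provider-c"})),
    Policy("Glen Engineering", "Glasgow", 4_000_000,
           frozenset({"cloud:provider-b", "lib:logging-x", "msp:provider-c"})),
    Policy("Coastal Finance", "Cardiff", 6_000_000, frozenset({"cloud:provider-a", "lib:logging-x"})),
]


def accumulate(book, key_fn):
    """Total insured limit per accumulation key (a region, or each shared dependency)."""
    totals = defaultdict(int)
    for p in book:
        for key in key_fn(p):
            totals[key] += p.limit
    return dict(totals)


def flag_concentrations(totals, book, threshold=0.5):
    """Keys whose accumulated limit exceeds `threshold` of the whole book's limit."""
    total_limit = sum(p.limit for p in book)
    return {k for k, v in totals.items() if v > threshold * total_limit}


def exposed_insureds(book, dep):
    """Policyholders that would all be hit together if `dep` fails."""
    return sorted(p.insured for p in book if dep in p.dependencies)


def scenario_loss(book, failed_dep, loss_ratio):
    """Gross loss if `failed_dep` fails and each exposed insured claims loss_ratio of its limit."""
    return sum(p.limit * loss_ratio for p in book if failed_dep in p.dependencies)


if __name__ == "__main__":
    by_region = accumulate(PORTFOLIO, lambda p: [p.region])          # property-style view
    by_dep = accumulate(PORTFOLIO, lambda p: p.dependencies)         # cyber-style view
    print("region concentrations:", flag_concentrations(by_region, PORTFOLIO))
    print("dependency concentrations:", sorted(flag_concentrations(by_dep, PORTFOLIO)))
    print("insureds on lib:logging-x:", exposed_insureds(PORTFOLIO, "lib:logging-x"))
    print("loss if lib:logging-x fails at 25% of limit:", scenario_loss(PORTFOLIO, "lib:logging-x", 0.25))
```

Geography flags nothing (no region holds more than 30% of the book), while the dependency view shows one library carried by 90% of the limit.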
However, cyber differs from general systemic risk in an important way. Ed Ventham, co-founder and head of broking at Assured, explains that cyber risk has the ability to cause an impact that spans many industries, organisations and even geographies. Insurers are aware that one single catastrophic vulnerability or point of failure could wreak havoc in a supply chain and take down entire cyber insurance portfolios. It’s no wonder that insurers are taking note.
There are plenty of warning signs that the likelihood of catastrophic systemic cyber events could be increasing. Organisations are increasingly reliant on major cloud providers for business-critical infrastructure and services, although even a major cyber-related outage here would likely be contained to a specific region.
Perhaps even more concerning is the growing reliance on open source software. It’s often claimed that as much as 80% of codebases contain open source components. Yet many are riddled with vulnerabilities, while others are malicious packages deliberately created by hackers in the hope they’ll be downloaded unwittingly by developers.
One report claims the average application development project today contains 49 vulnerabilities, while another points to a 633% annual increase in malicious packages in 2022. The challenges organisations had in finding and mitigating critical vulnerabilities in a popular open source tool (Log4j) highlight the potential for systemic risk in this area.
Another portent can be seen in the increasing sophistication of cyber crime groups, some of which have budgets in the millions of dollars. Western governments are largely helpless to intervene, as these gangs are protected, and in some cases actively encouraged, by hostile states like Russia. Emboldened state-sponsored activity also makes a catastrophic cyber event more likely. A 2021 HP report claims “advanced cyber conflict” is as close as it has been since records began. Even if state threat actors don’t intend to cause a systemic event, one could occur. You might recall the NotPetya destructive worm, which ‘escaped’ from Ukraine in 2017 and infected countless multi-nationals. A White House assessment claims it caused over $10bn in global losses.
It’s critical for insurers to better quantify and measure systemic risk scenarios in order to accurately price policies. Historically this has been challenging due to the relatively short history of claims on which to build actuarial models, and generalist brokers who have neither the time nor the expertise to address such risk. And in any case, past losses are a poor predictor of what may happen in the future, as no two cyber attacks are alike. At the same time, defensive technologies and the threat landscape are moving at a dizzying speed.
Nevertheless, Assured’s Ventham is confident that progress can be made. “We have yet to experience a truly systemic event that cannot be managed by insurers, and I am confident this will continue to be the case. Firstly, cybersecurity investment has increased massively over the past few years for businesses, and measures such as network segregation and detection and monitoring capabilities have greatly reduced the impact cyber incidents can have on businesses.
“Secondly, reinsurance is playing an ever more important role in risk mitigation,” Ventham continues. “Insurers are transferring portions of their risk to reinsurance firms who are then able to spread that risk across multiple entities allowing them to have a better financial capacity to deal with any potential systemic cyber event. By transferring their risk, the primary insurers on the front lines can better manage their own exposure to larger losses and continue to deploy risk transfer to the businesses looking to protect themselves.”
Michael Giuliano, a partner of cyber risk at McGill and Partners, also has a positive outlook. “Much like systemic risk in other sectors, cyber risk can be measured and quantified, and as CISA states, if it can be measured, it can be managed. That is where the cyber insurance market needs to thoughtfully come up with insurance solutions versus exclusionary language,” he argues. “There are many new insurtechs focusing on quantifying this risk and improving resilience/response, and insurers partnering with key providers to expressly cover outages or failures.”
One such innovator is Cyberwrite. Its president, Hartmut Mai, tells Assured Intelligence that AI and machine learning-powered modelling tools will become increasingly important to the industry.
“Insurance executives must understand which sources of cyber risk are currently manageable by the market and which can and should be modelled, versus those which can’t be insured and modelled,” he argues. “Executives have to focus on creating a sustainable market and provide meaningful risk transfer mechanisms to stay relevant for their clients. The basis for all this is expertise built on analytics from vast amounts of relevant data.”
Executives should know that, although there has yet to be a truly catastrophic systemic cyber event, such risks are insurable. According to Assured’s Ventham, “It is still largely unclear what makes a risk systemic. At what point does a widespread incident become systemic?” he asks rhetorically. “Some insurers are actively carving out this exposure from their coverage to pre-empt a potential systemic event. As a buyer of cyber insurance, it is important to know whether you have this coverage included in your policy or not,” he advises. “There are solutions that do not determine a difference in risk,” he adds.
Coalition’s Draper adds: “Modelling risk aggregation, which is a mainstay in determining risk, remains the answer to even the most complicated coverage areas like cyber.”
But cyber insurance isn’t an automatic ‘get-out-of-jail-free card’ and needs to be complemented by a resilient cybersecurity posture. Carriers expect, and increasingly demand, that policyholders also have the controls, policies and processes in place to help them mitigate aggregate cyber risk.
“Execs that build resilience and continuity plans throughout their organisation need only further extend these efforts to include their ICT stress points,” says McGill’s Giuliano. “For complex risks, we stress the importance of collaboration between C-suite and IT/data security professionals to help quantify potential ICT risk and go steps further to build immediate response capability.”
For Richard Breavington, head of cyber and tech insurance at law firm RPC, proactive planning is critical.
“By understanding that the potential exists for systemic issues to occur, senior leadership will be better placed to have formulated disaster recovery plans which will play a vital role in a response to an aggregated cyber event,” he tells Assured Intelligence.
“On a practical level, unpatched and/or legacy systems could be more vulnerable to aggregated cyber risk, so keeping systems up to date and properly patched is important. In a situation where aggregated cyber losses are occurring, the usual internal and external resources for responding to incidents will inevitably be stretched. Those who have planned well and are better able to adapt will ultimately manage the risk best.”
Coalition’s Draper adds that insurers themselves can also help with value-add services.
“Executives should look for cyber insurance providers that also offer continuous monitoring capabilities and personalised alert systems to notify them of any new threats,” he explains. “They should receive actionable recommendations on how to mitigate an exposure, which is a crucial line of defence that can translate into immediate and material business impact in the event of a widespread cyber event.”
As the industry matures and risk data gets better, insurers should be able to more accurately price aggregate cyber risk. But as the clock ticks forward and the world becomes more interconnected, the chances of a catastrophic incident arguably also increase. Business and IT leaders would do well to better understand this landscape before a worst-case scenario appears for real.