Cyber insurance is big business. But modelling risk is still tough

Monday, 1 September 2025 13:47

  •  How do you determine the risk of cyberattacks when they’re happening everywhere, to everyone, all of the time?

For an insurance company, responding to natural disasters is all about perspective. Naturally, it’s not a good day for the firm, let alone residents in the areas affected, when a hurricane tears through Miami or a wildfire lays waste to the San Fernando Valley. Even so, thanks to the insurance sector’s vast historical datasets, the scale of these terrible events remains somewhat predictable. And if a firm can estimate the losses it could potentially have to cover, it can better determine the price of its premiums – along with what types of insurance may be too risky to extend at all. 

Modelling a cyber catastrophe is not nearly as straightforward. According to Lloyd’s of London, a cyberattack on a major financial services payment system could result in losses of $3.5trn over five years. Ironically, the problem in modelling such an eminently plausible scenario is that it’s never happened before. Where underwriters for natural disasters are able to consult centuries of data on death and destruction to quantify risk, cyber insurance experts have no such luxury, instead grasping at disparate data points from literature reviews, recent attacks at a much smaller scale and the endless theorising of an army of cybersecurity industry veterans.

How, then, does the insurance sector make sense of all this noise? First off, it’s important to understand that modelling a cyber loss is “materially different” from modelling for property and catastrophic risk, explains Shawn Ram, chief revenue officer for insurance at Coalition, a provider of both cybersecurity insurance and protection. “I think it’s one of the reasons why, in today’s day and age, we’re far more focused on security than in years past.”

Functionally, that has seen insurance firms get down and dirty with assessing and, in many cases, actually defining the defences a client has in place to thwart cyberattacks. This is, in large part, thanks to the dimensions of the modern ransomware attack, which – unlike the data breaches and phishing incidents of yore – demand immediate decisions from the victim. Few options foisted onto a company as a result of such an incident are good ones. Paying the ransom doesn’t guarantee that a system will be restored and encourages hackers to continue hacking (and trigger more losses for insurance firms). Even companies with backups face heavy remediation and investigation costs. 

Cyber underwriting was forced to “evolve tremendously” in response to the ransomware threat, says Ram, with insurance firms increasingly insistent that clients use multi-factor authentication and regularly tested backups as a prerequisite of coverage. Changes to US data breach notification laws, meanwhile, pushed more business onto insurance firms’ ledgers, says RapidFord’s chief strategy and sales officer, George Manuelian. Instead of being able to delay announcing an embarrassing breach for months at a time, corporate victims are now obliged to disclose material breaches within days on pain of being fined. Board members were also made personally liable if they failed to show enough initiative to prevent breaches in the first place.

This combination of factors has seen insurance companies become akin to cyber first responders. “They’ll parachute in like Delta Force and say ‘Don’t touch anything,’” Manuelian said. “They’ll be on your systems, locking stuff down, and then they remediate, figure out what to clean up, what needs to be locked down.”

Modelling for a mass event

While cyber insurance companies have undoubtedly been kept busy by cyberattacks in recent years, most of those attacks have hit individual companies, which contains the damage. That’s not to say there haven’t been attacks that spread between companies and industries. Experts point to the NotPetya attack, attributed to Russia, which crippled computers across Ukraine in 2017 before spreading to unintended targets far outside the country.

The malware locked up files like ransomware, but its true purpose was to destroy data rather than make money. Its intended target was Ukraine but the malware spread, shutting down companies like shipping giant AP Moller-Maersk and costing it hundreds of millions of dollars in lost time and business.

Some cybersecurity experts fear that this kind of attack could happen again. It could stem from a state-sponsored attack like NotPetya, or from the shutdown of a third-party software provider used by numerous companies and industries. The majority of the 93 cybersecurity experts polled in a July survey by CyberCube, which does cyber risk analysis for the insurance industry, and insurer Munich Re said they think a severe malware event could infect a quarter of all systems worldwide (but, they added cheerily, only 15% of those would be completely bricked).

Live and recent data from individual cyber insurance claims does help to model the possible impact such a catastrophe might have. Historical data on a par with that used to model natural disasters can aid the cause of the cyber-underwriter, too, but CyberCube’s director of actuarial modelling Doug Fullam believes that even this would have limited utility. “The data that we do have, which is considered a decade or older, is often considered irrelevant or, at the very best, of minor relevance given the changes in technology,” says Fullam.

Similar to traditional catastrophic models, those for cyber look at three major factors: what risks a company could face; how severe those risks could be; and what they could ultimately cost if the worst were to happen. Both kinds of models take into account data from past incidents and expert opinions. With cyber, modellers can also look at data from “almost events,” where a company’s defences stopped an attack (unheard of in conventional catastrophe modelling, says Fullam; you can’t, after all, have an “almost-earthquake.”)

Wider risks for the cyber insurance sector

Is it possible that this modelling mosaic might be leading the sector to all the wrong conclusions about a cyber-catastrophe – that we might, in short, be barrelling towards one very apocalyptic, very expensive outage capable of hobbling the entire insurance industry? Josephine Wolff considers this unlikely. Tufts University’s professor of cybersecurity policy argues that such an attack would have to be absolutely massive to wipe out the sector. Much like the traditional insurance industry is built to absorb losses from a hurricane in one part of the world by sucking up premiums paid by clients elsewhere in the world, the cyber insurance industry could handle big losses from sector-spanning ransomware attacks.

In particular, the reinsurance industry has “carefully limited its exposure to cyber risk, and has done so explicitly,” precisely because of a fear around catastrophic cyber risk and a lack of data for modelling it, she says. And while another NotPetya-type attack could happen, Wolff notes that state-sponsored attacks can be considered “acts of war” and therefore might not even be covered under a company’s cyber insurance policy.

But while hurricanes may be limited by geography, meaning we can safely assume that a storm in Puerto Rico won’t cause damage in Canada, cyber-attacks are borderless, she said. In addition, unlike the weather, cyber-attacks don’t necessarily follow annual patterns.

“We’re dealing with a human adversary who’s adjusting their tactics and who has various pressures working on them,” says Wolff. “So next year they’re not necessarily going to do the same things they did this year.”
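To make the three modelling factors above concrete (what could happen, how severe it would be, what it would cost), and to show why a borderless, correlated event matters more to an insurer than a pile of independent claims, here is a toy frequency/severity simulation. It is an added illustration, not code from the article or from CyberCube, Coalition or any insurer; every parameter is a constructed assumption except the 25% infected / 15% bricked shares, which echo the survey figures quoted above. The near-miss function shows how “almost event” telemetry (attempts a client’s defences stopped) can refine the per-attempt success estimate, and the systemic branch shows how one shared cause drives the tail of the loss distribution.

```python
import math
import random
import statistics

# Constructed, hypothetical parameters for a toy book of insured firms.
# Only the 25% infected / 15% bricked figures echo the survey quoted in the
# article; every other number is an assumption chosen for illustration.
N_FIRMS = 500
ATTEMPT_RATE = 2.0        # expected attack attempts per firm per year
BASE_SUCCESS_PROB = 0.10  # prior probability that an attempt becomes a claim
SEVERITY_MU = 12.0        # lognormal claim severity, median exp(12) ~ $163k
SEVERITY_SIGMA = 1.2
SYSTEMIC_RATE = 0.02      # annual probability of a NotPetya-style mass event
SYSTEMIC_INFECTED = 0.25  # share of insured firms hit in such an event
SYSTEMIC_BRICKED = 0.15   # share of the hit firms whose systems are destroyed
REMEDIATION_COST = 300_000.0   # assumed cost for an infected-but-recoverable firm
BRICKED_COST = 2_000_000.0     # assumed cost for a firm that loses its systems


def success_prob_from_near_misses(incidents, near_misses, prior=BASE_SUCCESS_PROB):
    """Factor 1, refined with 'almost event' data: if a client's telemetry shows
    how many attempts its defences stopped, the share that got through is a
    direct estimate of per-attempt success. With no observations, keep the prior."""
    observed = incidents + near_misses
    if observed == 0:
        return prior
    return incidents / observed


def poisson(rng, lam):
    """Knuth's method for Poisson(lam) counts; fine for small rates."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p < limit:
            return k
        k += 1


def percentile(values, q):
    """Empirical q-quantile (0 <= q < 1) of a list of annual losses."""
    ordered = sorted(values)
    return ordered[min(len(ordered) - 1, int(q * len(ordered)))]


def simulate_book(years, p_success, include_systemic, seed=1):
    """Simulate annual aggregate losses for the whole book.

    Attritional claims (independent per firm) and the systemic event use
    separate RNG streams, so runs with and without the systemic component
    share exactly the same attritional history and differ only in the tail."""
    rng_attr = random.Random(seed)
    rng_sys = random.Random(seed + 1)
    annual = []
    for _ in range(years):
        loss = 0.0
        # Factors 1 and 2 per firm: frequency of successful attacks times severity.
        for _ in range(N_FIRMS):
            for _ in range(poisson(rng_attr, ATTEMPT_RATE)):
                if rng_attr.random() < p_success:
                    loss += rng_attr.lognormvariate(SEVERITY_MU, SEVERITY_SIGMA)
        # The correlated event: one cause hits many insured firms at once,
        # which is what makes cyber unlike a geographically bounded hurricane.
        if include_systemic and rng_sys.random() < SYSTEMIC_RATE:
            for _ in range(int(N_FIRMS * SYSTEMIC_INFECTED)):
                bricked = rng_sys.random() < SYSTEMIC_BRICKED
                loss += BRICKED_COST if bricked else REMEDIATION_COST
        annual.append(loss)
    return {
        "mean": statistics.fmean(annual),  # expected annual loss (factor 3)
        "p99": percentile(annual, 0.99),   # 1-in-100-year loss, the tail a reinsurer watches
        "max": max(annual),
    }


def indicative_premium_per_firm(result, risk_load=0.10):
    """Expected loss plus a load on the capital needed for the 1-in-100 year,
    spread across the book. A simplified pricing form, not any insurer's."""
    return (result["mean"] + risk_load * (result["p99"] - result["mean"])) / N_FIRMS


if __name__ == "__main__":
    # Constructed telemetry: 12 incidents and 108 blocked attempts across the book.
    p = success_prob_from_near_misses(incidents=12, near_misses=108)
    without = simulate_book(1000, p, include_systemic=False)
    with_sys = simulate_book(1000, p, include_systemic=True)
    for label, r in (("independent claims only", without), ("with systemic event", with_sys)):
        print(f"{label}: mean ${r['mean']:,.0f}  p99 ${r['p99']:,.0f}  "
              f"premium/firm ${indicative_premium_per_firm(r):,.0f}")
```

Running it side by side shows the point Wolff and Fullam make from different directions: the independent-claims book behaves like a conventional insurance pool (the mean and the 1-in-100 loss sit close together), while adding a rare correlated event barely moves the mean but lifts the tail, which is exactly the exposure reinsurers limit and the part that historical, pre-ransomware claims data says little about.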
