There are recognized patterns of higher risk. For example, hurricanes and earthquakes do catastrophic damage to a specific geographic area. These natural disasters pose unique risks to insurance companies as a result of that history. If an insurance company insures a lot of this type of risk, it can face massive losses and have its financial stability threatened. For this reason, insurance companies try to avoid insuring too many homes or businesses (for this example) in an area at risk of hurricane or earthquake damage. While this helps keep insurance companies financially sound, it can make coverage harder to obtain for those who need it most.
Experts are increasingly concerned that this fact pattern applies to the cyber insurance marketplace. The risk would not be to a specific geographic area in this case, but to all companies that have a cyber-presence. An internet-wide cyber “catastrophe” could easily cost billions of dollars and bankrupt insurance companies over-exposed to the cyber marketplace.
Recently, a number of cyber security experts have attempted to forecast the financial losses from several potential cyber catastrophes. Losses in some of their scenarios ranged up to twenty-five billion dollars ($25 billion) from a single incident. That amount may seem crazy at first glance, but with cloud infrastructure increasingly migrating to the online services of a few companies, it becomes easy to see how a successful attack on one of those companies would damage millions of U.S. and international businesses in a single strike.
Potential attack vectors for this type of catastrophe include massive unknown vulnerabilities in popular operating systems, ransomware attacks on cloud providers, or data breaches of large email service providers. While some experts downplay the probability of such a severe attack, the severity and extent of the large-scale attacks already seen hint at the potential for far worse. For example, the WannaCry global ransomware attack infected over two hundred thousand businesses. Estimates of losses from the attack ranged from the high nine figures to four billion dollars. With that as background, it is not hard to imagine an attack doing five or six times as much damage.
Making matters worse, there would be little that most small and medium-sized businesses could do to mitigate this type of catastrophic attack. These are the types of attacks that would involve finding vulnerabilities at large companies with expertise in cyber security, such as Amazon, Google, or Microsoft. Best practices at a mid-size business might provide some assistance, but could only go so far.
Proper risk management often involves attempting to assess the size and probability of attacks that seem unlikely but could have an outsized impact on a business. Cyber insurance is only one part of this puzzle when it comes to cyber risk. Companies also need to examine their cyber supply chains and consider the possibility that their biggest vulnerability may stem from the programs, infrastructure, and vendors they cannot do without.