A better way to define and insure systemic cyber events



The potential for a catastrophic cyber attack causing widespread damage at a significant cost is broadly discussed but not yet fully understood.

As a result, most companies have been working to improve their cyber resilience, while the insurance industry has been developing solutions to manage these risks.

Despite these efforts, the ever-increasing reliance on technology by organizations and consumers, along with the interconnectivity of technologies and partners, has created an environment in which cyber risks are expanding exponentially. Like a pandemic, a cyber-CAT event has no geographic boundaries or temporal limitations.

All stakeholders — including organizations at risk, governments, insurance carriers, brokers and the cyber security industry — need to develop and implement solutions that will maintain overall economic stability and societal resiliency while still providing organizations and individuals with the insurance protection they need.

In the insurance industry, one barrier to long-term sustainability has been the lack of a consistent and clear definition of systemic cyber events. How can risk managers, brokers and insurers come to a common understanding of policy terms and conditions so that clients know what coverage they have, and insurers can meet the obligations of the client risks they assume?

In the following Q&A, Michael Kessler, Vice President, Chubb Group and Division President, Global Cyber Risk, discusses the evolving insurance market for widespread cyber risks, including common misperceptions and solutions.

Q&A with Michael Kessler


Catastrophic risks multiply

The potential for a systemic cyber event to cause catastrophic loss is alarming and growing. During 2022, the number of malware attacks across the world was nearly two-fifths higher than the total volume in 2021, reaching an all-time high in Q4 2022, when an average of 1,168 weekly attacks per organization was reported.¹

More than 25,000 software vulnerabilities were discovered in 2022, the highest reported annual figure to date.² A vulnerability is a flaw or weakness in software that can be exploited by malware. In April, May and June 2023, the National Institute of Standards and Technology tallied 6,991 new software vulnerabilities, 1,027 of which were categorized as “critical.”³

Estimates of a systemic event causing catastrophic losses indicate that the cost would exceed the aggregate capacity of the global insurance market.⁴ A report by the Government Accountability Office (GAO) described these events as cyber incidents that “spill over from the initial target to economically linked firms, thereby magnifying the damage.” The GAO report estimated the potential loss from a single systemic cyber event as ranging from $2.8 billion to $1 trillion.⁵

Our approach

Chubb’s Approach to Cyber Enterprise Risk Management

A sustainable approach to insuring a broad array of cyber events, including Widespread Events


Three prongs to Chubb’s Cyber ERM:

  • Loss Mitigation Services – access to the tools and resources needed to address and gauge key areas of cyber security risks before an event occurs.
  • Incident Response Services – a diverse team of experts in the legal, computer forensics, notification, call center, public relations, fraud consultation, credit monitoring, and identity restoration service areas to help limit exposure to a loss when an event occurs.
  • Risk Transfer – broad and sustainable insurance coverage backed by the financial strength of Chubb.


Competitive advantages

  • Leading provider of cyber risk solutions since first product was launched in 1998.
  • Innovative, highly customizable risk solutions to address clients’ unique needs, regardless of size, industry or type of risk.
  • No minimum premiums. Premiums scale for all sizes of risks based on the scope of coverage and limits.
  • Cyber crime coverage by endorsement or provided under separate policies from Chubb’s industry-leading Fidelity and Crime products.
  • Cyber Incident Response Expenses, with expansive consumer-based solutions that are more robust than minimum regulatory requirements.
  • Online quoting and real-time policy issuance for eligible small risks. Referred risks will receive fast turnarounds from your Chubb underwriter.
  • Innovative coverage designed to address evolving regulatory, legal, and cyber security standards and built to consider future changes.
  • Easy-to-read form is aligned with the flow of a typical cyber incident in order to aid decision-making throughout.
  • Coverage Territory applicable worldwide to address continued evolution of hosting and data storage.


Widespread event endorsement

  • Widespread Event Endorsement addresses events with widespread impact, affecting parties with no relationship to the insured. Similar to how flood and earthquake risks are addressed in property policies, coverage, limits, retentions and coinsurance can be tailored for all Widespread Events, or by specific peril:
    • Widespread Severe Vulnerability Exploits
    • Widespread Severe Zero-Day Exploits
    • Widespread Software Supply Chain Exploits
    • All other Widespread Events
  • Ransomware Encounter Endorsement addresses the increasing risk of ransomware by allowing for a tailored set of coverage, limit, retention and coinsurance to apply uniformly across all cyber coverages.
  • Neglected Software Exploit Endorsement recognizes and rewards good software patching hygiene by providing full coverage for 45 days and then, for software that remains unpatched beyond 45 days, gradually re-weighting risk sharing between the Insured and Insurer as time passes.

1  Check Point. Global Cyber-Attack Volume Surges 38 percent in 2022. Jan. 9, 2023.

2  Tenable Research. Mind the Gap: A Closer Look at the Vulnerabilities Disclosed in 2022.

3  NIST National Vulnerability Database. As reported by the Wall Street Journal, June 20, 2023.

4  Marsh. Cyber Insurance Market Overview, Fourth Quarter 2021.

5  U.S. Government Accountability Office. Potential Federal Insurance Response to Catastrophic Cyber Incidents. Sept. 29, 2022.