The potential for a catastrophic cyber attack causing widespread damage at a significant cost is broadly discussed but not yet fully understood.
As a result, most companies have been working to improve their cyber resilience, while the insurance industry has been developing solutions to manage these risks.
Despite these efforts, the ever-increasing reliance on technology by organizations and consumers, along with the interconnectivity of technologies and partners, has created an environment in which cyber risks are expanding exponentially. Like a pandemic, a cyber-CAT event has no geographic boundaries or temporal limitations.
All stakeholders — including organizations at risk, governments, insurance carriers, brokers and the cyber security industry — need to develop and implement solutions that will maintain overall economic stability and societal resiliency while still providing organizations and individuals with the insurance protection they need.
In the insurance industry, one barrier to long-term sustainability has been the lack of a consistent and clear definition of systemic cyber events. How can risk managers, brokers and insurers come to a common understanding of policy terms and conditions so that clients know what coverage they have, and insurers can meet the obligations of the client risks they assume?
In the following Q&A, Michael Kessler, Vice President, Chubb Group and Division President, Global Cyber Risk, discusses the evolving insurance market for widespread cyber risks, including common misperceptions and solutions.
In general, the market has been following shifts in the risk environment to keep pace with the change in loss costs due to both severity and frequency of ransomware events. The response to systemic risk has been less explicit.
Widespread events – excluding those involving war or infrastructure impairments – are covered and subject to the limit and retention that are purchased by the insured. There are no additional exclusions. If a widespread event occurs and there is no declaration of war or cause from infrastructure, businesses can rest assured they are covered. Cyber incidents that result from war or infrastructure impairment are excluded. Furthermore, war and infrastructure are clearly and objectively defined in the policy, so that the insured has contract certainty before an event occurs. There is no ambiguity because coverage is not dependent on subsequent assessment of the perpetrator of an attack (e.g., ‘state sponsored’ or ‘state backed’ attackers).
It has been almost two years since Chubb first introduced this language. Many clients understand what Chubb is doing and certainly support it. They realize the value of clarity in helping them make more informed risk management decisions. For example, a large business may opt to buy just the catastrophic coverages in the endorsement and self-insure the less-concerning financial exposures. A large company may decide to absorb lower dollar losses caused by a ransomware attack on its balance sheet and insure the risks it cannot control.
Catastrophic risks multiply
The potential for a systemic cyber event to cause catastrophic loss is alarming and growing. During 2022, the number of malware attacks across the world was nearly two-fifths higher than the total volume in 2021, reaching an all-time high in Q4 2022, when an average of 1,168 weekly attacks per organization was reported.[1]
More than 25,000 software vulnerabilities were discovered in 2022, the highest reported annual figure to date.[2] A vulnerability is a flaw or weakness in software that can be exploited by malware. In April, May and June 2023, the National Institute of Standards and Technology tallied 6,991 new software vulnerabilities, 1,027 of which were categorized as “critical.”[3]
Estimates of a systemic event causing catastrophic losses indicate that the cost would exceed the aggregate capacity of the global insurance market.[4] A report by the Government Accountability Office (GAO) described these events as cyber incidents that “spill over from the initial target to economically linked firms, thereby magnifying the damage.” The GAO report estimated the potential loss from a single systemic cyber event as ranging from $2.8 billion to $1 trillion.[5]
Chubb’s Approach to Cyber Enterprise Risk Management
Three prongs to Chubb’s Cyber ERM:
Widespread event endorsement
[1] Check Point. Global Cyber-Attack Volume Surges 38 percent in 2022. Jan. 9, 2023.
[2] Tenable Research. Mind the Gap: A Closer Look at the Vulnerabilities Disclosed in 2022.
[3] NIST National Vulnerability Database. As reported by the Wall Street Journal, June 20, 2023.
[4] Marsh. Cyber Insurance Market Overview, Fourth Quarter 2021.
[5] U.S. Government Accountability Office. Potential Federal Insurance Response to Catastrophic Cyber Incidents. Sept. 29, 2022.