Steps to Minimize Cyber’s Impact on Systemic Risk

The SolarWinds (2020) and Kronos (2021) attacks rang the alarm bell that systemic risk is considerable. Thousands of companies across sectors felt the impact when a ransomware attack compromised Kronos’ private cloud. This widespread fallout raised the vital question of vendor liability and who was responsible for the loss after this incident.

Systemic risk is far-reaching and comes primarily from two sources, the pervasive use of standard technologies and the integrated nature of our global economies. Prudent regulators are concerned about the systemic risks associated with aggregation and accumulation.1  Aggregate risk arises when there’s an industry-wide dependency on a limited number of technology providers, leading to a scenario where a single outage can simultaneously cripple multiple entities. For instance, if a critical technology goes offline, numerous banks relying on it could be paralyzed. On the other hand, accumulation risk refers to shared systemic vulnerabilities due to common technology adoption within an industry. An example would be multiple banks exposed to the same zero-day vulnerability, which, if exploited, could cause widespread damage.

Systemic risk arises internally and externally to the organization and represents a multiplier effect on the scale and scope of a cyber incident.  This means that individual organizations can suffer significant financial losses if systemic risks are not effectively managed.2  It’s no wonder then that the task of managing systemic risk has catapulted to the top of the priority list for the insurance industry. As cyber threats evolve, risk quantification models and scenario planning are being refined to accurately determine an organization’s risk profile. This informs the extent of cyber insurance coverage required to safeguard against potential losses from systemic risks. Like tracking the path of a storm, modeling extreme cyber events can expose aggregate risk and predict the likelihood of an attack. Data intelligence, including a detailed map of the organization’s tech stack (internal and third-party vendor tech stacks), helps to deliver insight into the level of connectivity, the sophistication of the threat actors, and consideration of standard security mechanisms form the basis of risk models.

Aon’s Cyber Reinsurance Practice group’s research indicates that the impact of the NotPetya attack in 2017, a prime example of an accumulation scenario, represents only a small fraction of the potential devastation that could be wrought by similar but larger-scale cyber attacks.  Imagine the potential fallout: Aon predicts that a single significant and successful cyber attack could potentially affect up to 20 percent of organizations worldwide. It’s a chilling thought. Predictably, insurers are more thoughtful about issuing policies and cognizant of the potential of paying out down the line.  Although the average industry loss ratio experienced a minor decrease from 67 percent to 66 percent, three-quarters of the top 20 insurers saw their loss ratios shift by more than 5 percent, either upwards or downwards. In response to the increased frequency of claims in previous years, insurance providers in 2022 began to mandate enhanced security controls for insured companies.3 Driven by increased claims frequency in previous years, insurance providers mandated improved security controls for companies in 2022. Companies that did not invest and improve their security landscape saw restricted covenants or increased declinatures.

More exclusions exist in cyber risk, and aggregate risk drives hardening or additional underwriting. Loss frequency continues to decline from its peak in 2021 but remains higher than 2019. On a concerning note, the frequency of ransomware attacks saw a sharp increase, rising by 49 percent in the first quarter of 2023.  With an improved claim frequency and the unprecedented rate environment that emerged in 2022, we anticipate robust market growth. This suggests that cyber insurance could become a highly profitable product segment in the coming years.4