CyberCube and Munich Re, both leading providers in their field of cyber risk, analytics and insurance, have published the main findings of a joint study on severe cyber accumulation events and the relative resiliency of organizations to systemic events due to effective mitigation measures.
The survey gathered insights from 93 seasoned cybersecurity professionals. The results provide a nuanced view of how systemic cyber events might unfold and of the factors that drive wide variation in risk exposure across firms:
Widespread Malware Risk
According to the majority of responding experts, a severe malware event could infect a quarter of all systems worldwide, but they agreed that in that case only 15% may be fully compromised. Experts do not see an event where more than 50% of the world's systems are completely compromised. Based on the experts’ judgement, another event on the scale of WannaCry and NotPetya would not be seen as surprising.
Patch management, network segmentation, and data backups are identified as the most effective mitigations that organizations have against widespread malware attacks. When done effectively, such mitigations can reduce the chance of being affected by a widespread malware attack by 50% to 80% and reduce the financial impacts from such an event by a similar amount.
Cloud Risk
Cybersecurity experts expect broad cloud outages to last hours to days; outages beyond 72 hours are considered unlikely but not impossible. Findings show at least a medium level of dependency on cloud services across most industries with companies’ business-critical operations increasingly reliant on them. Reliance tends to decrease with increasing company size.
Financial losses scale with cloud outage duration: respondents reported that a single-day outage of their most critical Cloud Service Provider (CSP) would likely result in a financial loss equal to 1% of their yearly revenue. Variation in losses reflects differences in dependency on the cloud, based on an organization’s size, sector, and contingency planning.
The most effective mitigation against cloud outages is to establish a multi-region architecture with the CSPs used for critical business applications. Having multiple CSPs was not found to be effective; the option to transfer service from one CSP to another during an outage was seen as unfeasible. Cyber experts surveyed rate Azure, AWS and Google as the best prepared to mitigate against a major cloud outage and to recover from such an event.
Emerging and Systemic Risks
Experts believe that new technologies will begin to affect the threat landscape at about the same pace that they are being adopted in cybersecurity practices. According to cybersecurity experts, in the near term Industrial and Consumer Internet of Things (IoT) devices pose the biggest concern. Large Language Models (LLMs) are regarded as having an impact now while Artificial General Intelligence (AGI) is seen as a greater concern in five or more years.
A fundamental challenge in cyber risk modeling is the deficiency of concrete tail-risk events, such as systemic malware or multi-region cloud outages. The joint survey represents the best attempt to parameterize plausible worst-case scenarios and establish expert consensus. Its objective was to advance market understanding, particularly concerning risk mitigation strategies for systemic cyber events. The results add credibility to CyberCube’s model forecasts and further improve Munich Re's internal model and accumulation risk understanding.
Jon Laux, Vice President of Analytics at CyberCube, said: “By sharing the findings of our study on systemic cyber risks, we aim to provide a more nuanced view of how systemic cyber events might unfold and the factors that drive wide variation in risk exposure across firms.”
Stephan Brunner, Senior Cyber Actuary at Munich Re, said: “Our ambition is to improve the understanding of possible extreme malware and cloud events alongside the effectiveness of mitigation measures by sharing the insights of our study. In collaboration, Munich Re aims to further strengthen expertise on systemic cyber risks and advance cyber accumulation modeling.”
The research has contributed to a more refined understanding of the relative resiliency of organizations to systemic events and the key variables that influence an organization’s ability to withstand such incidents. These findings represent an important input into CyberCube’s and Munich Re’s evolving view of cyber risk and help inform ongoing enhancements to their modeling approach. CyberCube has incorporated these insights into Version 6 of its risk aggregation platform, Portfolio Manager.
Modeling cyber accumulation is a joint effort across the entire insurance industry. For this reason, the key findings of the survey are being published to foster dialogue in the market. This study is the third of its kind; CyberCube and Munich Re plan to conduct another study in 2026. Interested cybersecurity experts are invited to participate.
Read the report summarising the full study here – Key insights into systemic cyber risk