
By Ashish Tiwari
July 15 - (The Insurer) - A widespread malware outbreak and prolonged cloud outages remain the most critical systemic threats to insurers owing to the potential for accumulated portfolio losses, a joint survey by Munich Re and CyberCube has found.
The report, published on Tuesday, underlined that building a model for cyber risk accumulation is difficult owing to unknowns around what can happen, and how to parameterize the scenario.
Based on responses from 93 cybersecurity experts, a global malware attack affecting 10% of systems would be "surprising," while a 25% infection rate would be deemed as "shocking."
Respondents added that another event on the scale of WannaCry or NotPetya (which each affected at most around 0.5% of global machines) would not be unexpected.
"A full compromise affecting even 5% of systems was considered a surprising scenario. These insights are particularly valuable for modeling the tail of the risk distribution, where catastrophic insurance losses would occur," said the report.
In terms of the time required to achieve such a level of global infection, respondents indicated that reaching a 5% global infection rate within one week would be expected, while achieving this in just three days would be "unexpected but plausible," underlining the rapid potential escalation of malware, as well as the importance of early detection and containment.
Patch management, network segmentation and up-to-date data backups were highlighted as the most effective mitigations, with the report noting that these measures can potentially reduce both the likelihood and impact of malware events by 50% to 80%.
The survey highlighted software vulnerabilities, supply chain updates and operating system flaws as the most likely drivers of malware outbreaks.
While social engineering is a common entry point, as seen in the recent cyberattacks against UK retailers Marks & Spencer and Co-op Group, respondents said it is not seen as scalable enough to drive major systemic events.
Dependency on cloud services has grown across industries, with small and mid-sized firms (particularly those with revenues between $10 million and $100 million) now among the most reliant on cloud infrastructure, the report said.
While outages lasting up to 72 hours are possible, longer disruptions such as global and multiregion events were described as "rare but possible."
Respondents reported that a single-day outage of a critical cloud service provider could result in a financial loss equivalent to 1% of annual revenue. If the outage were to extend to five days, over half of respondents said losses would increase by at least a factor of 7, whereas others stated that it was less than 5 times their one-day loss.
Variation in losses reflects differences in dependency on the cloud, as well as an organization’s size, sector and contingency planning.