Debunking Common Myths About Catastrophic Cyber Incidents
2024-6-19 15:10:10 Author: securityboulevard.com

Vaudeville isn’t dead, but the traditional song-and-dance, jugglers and animal acts have been displaced by technocrat philosophers, citing cyber dystopias and the uninsurability of the peril at industry events, wherever an audience of ten and an internet streaming device can be found. Their skepticism is not entirely unfounded: Until we can agree on the scope and scale of a cyber catastrophic event, the economic trade of tail risk will be stifled. Short of a catastrophic event — either by definition or scale — this debate will likely drag on in perpetuity. The reasoning for such an event is twofold: To test the limits of underwriting acumen and validate the model outputs vying for relevance in a growing market.

Validating and understanding cyber peril requires deconstructing some of the most common myths, ones that continue to drive misconceptions concerning cyber risks and their insurability.

Myth #1: There has never been a catastrophic cyber event.
Fact: When the term cyber catastrophe event is thrown around, what people typically mean to say is a financial cyber catastrophe event, overlooking a significant set of events that would otherwise fit the definition of catastrophic. It’s a seductive classification for those who prefer to keep cyber catastrophes in the philosophical realm. Doing so conveniently defines a catastrophe as a subset of events falling entirely outside of any tangible or historical events. Cyber catastrophe-type events have happened and do happen frequently.

Take, for instance, the recurring outages experienced by major cloud service providers. These events have occurred, but because the providers quickly get up and running again and the losses are somewhat contained, they are not perceived as catastrophic losses. A cloud outage sounds like something to fear, but there is a lack of awareness that such outages do happen, and are mitigated, with relative frequency.

Myth #2: Most concerning are the dystopian future/doomsday prophecies about cyber catastrophes portrayed in Hollywood films.
Fact: Most concerning are catastrophic cyber events driven by the level of interconnectedness between systems, networks, organizations and users. A catastrophe would include one instance of attack resulting in the infection of multiple parties.

● Using a software update to propagate a vulnerability to a single target and subsequently infecting multiple users of the software as they receive the update
● Infecting a single target who then infects multiple others, e.g. via email

With cyber catastrophe modeling, we are only dealing with the systemic risk from a single trigger event that impacts multiple insureds. Systemic risk indicates a risk that impacts multiple claims. This can include:

● A triggering event that impacts multiple insured individuals, resulting in claims.
● A change in circumstances affecting all claims. Examples include a change in the level of regulatory fines applicable for poor cyber hygiene leading to a cyber event, or the regulator generally increasing the level of claims it processes.

While Hollywood’s depiction of catastrophic cyber events captures the imagination with its dramatic flair, the real threats lie in the intricate web of connections of our current society. These threats manifest in various forms, from data breaches and ransomware attacks to supply chain disruptions and critical infrastructure failures. The true danger lies not in Hollywood’s sensationalized scenarios but in the vulnerabilities inherent in our interconnected digital infrastructure.

Myth #3: The industry's models must account for the most outlandish doomsday cyber prophecies to be successful.
Fact: Most of the losses seen in Hollywood-type scenarios are extremely remote. Instead, successful modeling hinges on a thorough understanding of the aggregate ecosystem and interconnection of the risks rather than a specific event. By leveraging both external and internal data, utilizing third-party vendors and conducting comprehensive scans of the entire ecosystem, insurers can better grasp the complexities of cyber risk.

This approach allows for tailored modeling, underwriting and policy terms that align with the true interconnected nature of cyber threats. Rather than chasing far-fetched scenarios, this data-driven model enables insurers to identify vulnerabilities, track their spread throughout the cyber ecosystem, and ensure that insureds remain protected through real-time patching and proactive risk management measures.

While Hollywood scenarios are attention-grabbing and can serve as cautionary tales, they often overlook the complexities of today’s real-world cybersecurity challenges. For example, the characterization of cyberwar tends to overshadow the more nuanced understanding of cyber risks, particularly with economic security. Modeling based on data gives a more accurate understanding of the current threat landscape and enables organizations to prioritize their cybersecurity posture.

The Future of Catastrophic Cyber Risk

The future of modeling catastrophic cyber risk hinges on our ability to move beyond misconceptions and confront the true extent of our exposure. The influence of Hollywood’s sensationalized scenarios and public perception, shaped by decades of dystopian narratives, poses challenges to accurately assessing cyber risk.

Failing to do so risks perpetuating a dangerous cycle where insurers underwrite to a limited understanding of cyber risk, leaving policyholders vulnerable to unforeseen financial burdens. Now more than ever, it is imperative to focus on building models based on actual risk, rather than succumbing to distractions that could impede progress. By addressing these challenges head-on and focusing on building robust models based on actual risk, rather than hypothetical distractions, we can better protect businesses and individuals from the potentially devastating impacts of cyber incidents.


Source: https://securityboulevard.com/2024/06/debunking-common-myths-about-catastrophic-cyber-incidents/