Cyber Catastrophe Modeling: Challenges of an Inexact Science

July 17, 2018 by Mark Synnott and Jess Fung

Insurers, their regulators and ratings agencies are increasingly aware of the potential for a catastrophic cyber loss. The aggregation of cyber risk assumed under policies providing affirmative or non-affirmative (silent) cyber coverage could be enormous. Last year’s WannaCry and NotPetya ransomware and malware attacks hammered home the risk of widespread losses from untargeted attacks.

Executive Summary

Cyber catastrophe models continue to be improved, although modeling is an inexact science at best and at worst something akin to educated guesswork, according to Mark Synnott and Jess Fung of Willis Re. Just like the early development of windstorm and earthquake models, the fine-tuning of cyber models will take time.

Other scenarios could bring even more worrying accumulations. In one example from last year, hackers planted malware in the technology of Schneider Electric. The company manufactures safety shutdown systems for nuclear, oil and gas plants, as well as mining and water treatment facilities. The only known attack employing this embedded malware in a Schneider product affected just one unidentified energy operation in the Middle East. However, if multiple Schneider users had been affected, the outcome could well have been catastrophic and led to unthinkable damage in multiple regions.