Risks associated with systemic cyber events are no longer hypothetical scenarios but growing realities for organizations, insurers and cybersecurity professionals alike, according to findings from a recent survey report by CyberCube and Munich Re. In fact, surveyed experts said that another event on the scale of WannaCry or NotPetya would not be seen as surprising.

The report – titled “Key insights into systemic cyber risk” – provided insights from 93 cybersecurity experts on two of the biggest cyber accumulation risks: widespread malware events and large-scale cloud outages. The findings also highlighted emerging technologies that could reshape the cyber threat landscape.

“By sharing the findings of our study on systemic cyber risks, we aim to provide a more nuanced view of how systemic cyber events might unfold and the factors that drive wide variation in risk exposure across firms,” said Jon Laux, vice president of Analytics at CyberCube, in a press release.

Cloud Outages

Concern around large-scale cloud outages comes as many industries have growing dependency on cloud services, especially for critical operations, the report said.

“Small and mid-sized firms with revenues between $10 million and $100 million were found to be the most reliant on cloud services,” the report said. “Larger organizations showed declining dependence, likely due to more robust on-premise and hybrid architectures. Micro firms displayed the widest variability, with some heavily reliant on lean IT structures, and others minimally dependent due to limited digitization.”

Cloud practitioners estimated that 40-90 percent of business-critical functions are cloud-based, while risk managers generally estimated a lower range of 35-75 percent, the report said.

“It does suggest there are different levels of understanding about the cloud’s criticality,” the report said. “The difference in estimation could be due to risk managers having a greater understanding of their own networks.”

Experts agreed that cloud outages lasting hours to a few days are likely, and while extended outages were not seen as likely, they are still a possibility.

“Respondents reported that a single-day outage of their most critical CSP would likely result in a financial loss equal to 1 percent of their yearly revenue,” the report said. “If the outage were to extend to five days, over half of the respondents stated that losses would increase by at least a factor of seven, whereas others stated that it was less than five times their one-day loss.”

This reflects differences in dependency on the cloud, based on an organization’s size, sector and contingency planning.

“Furthermore, it implies that for certain segments, a cloud outage would become increasingly costly the longer it persists, while other segments may see the opposite,” the report said.

Malware Events

The biggest contributing factors for widespread malware events are software vulnerabilities, supply chain updates and operating system vulnerabilities, according to surveyed experts.

Many experts estimated that organizations with strong cyber hygiene could expect a 50-80 percent reduced likelihood of being impacted by this type of event, as well as a 50-80 percent impact reduction if they were compromised.

“Interestingly, no expert believed that adopting all of these mitigation methods could completely 100 percent protect an organization, highlighting that there always remains a perceived degree of risk,” the report said.

The report said that patch management, network segmentation and data backups are the most effective mitigation strategies for organizations against widespread malware attacks.

“When done effectively, such mitigations can reduce the chance of being affected by a widespread malware attack by 50 to 80 percent and reduce the financial impacts of such an event by a similar amount,” the report said.

Emerging Technologies

While experts are keeping an eye on malware and cloud risk, they also stated in the survey that a new technology will likely begin to affect the cyber threat environment at about the same pace that it is being adopted in cybersecurity practices. This means vigilance, continued learning and evolving cyber hygiene methods will be critical for businesses and insurers as the threat environment continues to evolve.

Currently, industrial and consumer internet of things devices pose the biggest emerging risk, as well as large language models, the report said.

“Our ambition is to improve the understanding of possible extreme malware and cloud events alongside the effectiveness of mitigation measures by sharing the insights of our study,” said Stephan Brunner, senior cyber actuary at Munich Re, in the press release.