Skip to Content

Insurers Scramble to Put a Price on a Cyber Catastrophe

Trying to estimate the maximum cost of a devastating cyber event before one actually happens.
April 6, 2017
Jack Sachs

In 1992, Hurricane Andrew devastated Florida’s southern coast, killing dozens of people and causing more than $25 billion in damage. The storm also exposed critical weaknesses in the way property insurers quantified the potential cost of such a natural catastrophe. Many insurance companies took big losses in the months that followed the storm and several failed.

Today, insurers are struggling to understand the economic scope of a new sort of potential catastrophe, this one man-made: a devastating cyberattack. Some of the lessons of 1992 apply, but in other ways, this is a very different kind of problem to solve.

Big insurers including AIG and Chubb have offered cyber policies since the late 1990s, and today approximately 80 companies sell them, most focused on data breaches. The market for cyber insurance has recently begun to grow quickly as a series of high-profile attacks have convinced top executives that hackers pose a serious concern. PricewaterhouseCoopers estimates companies will be paying $7.5 billion for cyber insurance in 2020, up from an estimated $2.75 billion in 2015.

Yet insurers are still struggling to grasp the nature of cyber risk, and to understand how to structure their policies in ways that won’t leave them vulnerable to catastrophic losses.

People are starting to view cybersecurity as a business risk instead of an IT problem, says Arvind Parthasarathi, CEO of Cyence, a three-year-old firm that helps insurers model cyber risks. That means recognizing this is not a problem with a clear solution, but a risk that can be managed, though not eliminated. Now, says Parthasarathi, executives are asking, “How much risk am I comfortable keeping?”

Insurers are asking the same question as they try to determine how to price new cybersecurity policies. The modern cyber threat is complex and rapidly evolving. The most pressing challenge is quantifying the risk of a cyber catastrophe hitting many policyholders at once, estimating the maximum loss in the worst-case scenario. That’s what insurers failed to do before Hurricane Andrew.

A cyber disaster comparable in scale with Hurricane Andrew is hard to model in part because one hasn’t happened yet. Last October, we got a glimpse of one way such a calamity might unfold when hackers used a network of commandeered webcams, DVRs, and other Internet of things devices to launch a massive denial of service attack on Dyn, a major router of Internet traffic. The attack made many prominent websites including Amazon, Netflix, and Spotify unavailable to millions of users in the United States for hours (see “10 Breakthrough Technologies 2017: Botnets of Things”).

The cost of the Dyn attack is not yet clear, but a recent four-hour outage of Amazon’s S3 cloud storage system (which was not the result of a cyberattack) cost S&P 500 companies at least $150 million, according to an estimate from Cyence. It is not hard to imagine a large-scale attack on a cloud service causing billions in losses.

A cyberattack on traditional physical infrastructure, like the one that took out a substantial portion of the grid in Kiev, Ukraine, in December, is also a concern. Some have attributed the attack to Russian state-sponsored hackers. The insurance market Lloyd’s of London recently analyzed a hypothetical scenario in which a blackout in the northeastern U.S. leaves 93 million people without power. It concluded that an event like that could cost insurers anywhere between $21 billion and $71 billion, illustrating how challenging it is to pinpoint the cost of such risks.

The challenge of trying to quantify the cyber risk is similar in some ways to what insurers faced in the 1990s, in that they have very little experience with this type of risk. It took 15 years to build the data sets that underlie the complex and detailed natural catastrophe models insurers rely on today, says Tom Harvey, a product manager at Risk Management Solutions, which develops catastrophic risk models for insurers. While things are moving “a lot quicker” for cyber, he says, the data that companies collect is still quite inconsistent. That makes it difficult to aggregate information and study industry trends.

There are important differences between modeling natural catastrophes and cyber catastrophes, of course, starting with the fact that skilled humans drive cyber events, not physical laws. Hackers’ motivations, tactics, techniques, and targets change quickly to overcome new defenses. The challenge is to understand an “active adversary,” says Cyence’s Parthasarathi, whose company draws on game theory and behavioral economics to model the behavior of attackers.

Understanding the geography of the Internet is also crucial to evaluating the risk of a big cyberattack. Insurers need a “map” of the locations where valuable data are stored, including information about how well the owners of those assets protect them, says Stephen Boyer, CTO and cofounder of BitSight. Boyer’s company does this kind of mapping of assets stored on the Internet and measures the security performance of the organizations that own those assets.

Insurers must avoid doing the cyber version of covering everybody on the coast of Florida before Hurricane Andrew, says Boyer, things like offering too many policies to companies that depend on the same technology or service provider, like Amazon Web Services, as one example. “When an outage happens there, everybody has a claim,” he says.

Keep Reading

Most Popular

Large language models can do jaw-dropping things. But nobody knows exactly why.

And that's a problem. Figuring it out is one of the biggest scientific puzzles of our time and a crucial step towards controlling more powerful future models.

OpenAI teases an amazing new generative video model called Sora

The firm is sharing Sora with a small group of safety testers but the rest of us will have to wait to learn more.

Google’s Gemini is now in everything. Here’s how you can try it out.

Gmail, Docs, and more will now come with Gemini baked in. But Europeans will have to wait before they can download the app.

This baby with a head camera helped teach an AI how kids learn language

A neural network trained on the experiences of a single young child managed to learn one of the core components of language: how to match words to the objects they represent.

Stay connected

Illustration by Rose Wong

Get the latest updates from
MIT Technology Review

Discover special offers, top stories, upcoming events, and more.

Thank you for submitting your email!

Explore more newsletters

It looks like something went wrong.

We’re having trouble saving your preferences. Try refreshing this page and updating them one more time. If you continue to get this message, reach out to us at customer-service@technologyreview.com with a list of newsletters you’d like to receive.