Systemic Threat Landscape
There are other types of systemic cyber risks aside from a major cloud outage.
There are other types of systemic cyber risks aside from a major cloud outage. Among them is a vulnerability in widely used software. In 2021, Chinese cyber-security researchers detected such a vulnerability in Log4j, an open-source logging utility residing within hundreds of millions of computer devices. U.S. government cyber-security officials subsequently issued an emergency directive requiring federal agencies to patch the vulnerability, calling Log4j “one of the most serious software vulnerabilities in history.”
In January 2022, Microsoft reported that attackers were taking advantage of the vulnerability to deploy ransomware. “Had the malware been exploited, it could have spread like COVID to cause catastrophic insured losses,” says Roman Itskovich, co-founder and chief risk officer at At-Bay.
Dan Frusciano, North America head of cyber underwriting at insurer Liberty Mutual, cited another type of systemic risk: “targeted malware that penetrates a SaaS [software as a service] provider’s network and expands out to multiple customers to cause a catastrophic loss. In some ways, given the many SaaS providers out there, this is more of a concern than a large cloud provider outage, as there are only a few of them.”
The SolarWinds software supply chain attack is emblematic of another type of systemic risk. Hackers used SolarWinds’ supply chain to infiltrate the networks of 20,000 companies and government agencies, including Microsoft, Cisco, Intel, the State Department and the Pentagon. The malware in the attack, known as Solorigate, is considered a game changer. “Cyber criminals have demonstrated their ability to disrupt supply chains for businesses around the world,” Chubb stated, adding that the attack “could have been much worse if the intent had been to steal or destroy critical data or other information.”
Solorigate appears to be a key factor in the decision by Chubb to develop a widespread event endorsement for systemic cyber incidents. Among the four widespread events covered in the endorsement is a “widespread software supply chain exploit.”
Storer’s colleague, Steve Pacheco, head of U.S. cyber and tech at Munich Re Specialty Insurance, says the threat of a systemic cyber event “keeps most cyber underwriters up at night. It’s the million dollar question.” He adds that a “systemic event doesn’t discriminate. Once it replicates, it can find its way across businesses in a broad spectrum of industry verticals.”
In response, major cyber insurers such as Chubb, Beazley, Crum & Forster and Lloyd’s have taken specific actions to reduce their exposure to systemic losses. For the most part, these actions involve coverage exclusions for war and state-backed cyber attacks, the inclusion of a sublimit confining losses from cyber cloud outages to a specified time period, and the development (by Chubb) of two separate cyber policies: one for the insurer’s attritional losses—a loss impacting one customer—and another for systemic losses.
The actions are necessary to manage the unpredictability of systemic cyber risks and to maintain stable reinsurance capacity at a time of rapidly growing demand, driven in large part by the digital transformation of companies in all industry sectors.