Mitigating Catastrophic Cyber Risk Through Active CAT Management
Cyber CAT risk is manageable if insurers invest in the right tools and capabilities
Catastrophe (CAT) events make up a significant component of insurance risk management, driving $106 billion in losses across the industry in 2021 alone.
Most are natural catastrophes — hurricanes, earthquakes, tornadoes, and the like. Suddenness, scope, and severity define catastrophic events in insurance. They arise quickly and drive outsized losses to the economy and, by extension, to insurers.
As the field of cyber insurance continues to grow, questions have risen about the potential for cyber CAT events: Is cyber insurance vulnerable to CAT risk and, if so, how big could it be? The recent far-reaching ProxyNotShell Microsoft Exchange vulnerabilities have put these questions top of mind, highlighting why it’s crucial for insurers to understand and actively manage CAT risk.
Here’s what you need to know about cyber CAT risk and how it can be mitigated.
Cyber Is a CAT-Prone Line Of Insurance
Cyber CAT risk arises from technology interdependencies. These dependencies can be a shared resource, like a cloud provider, or a vulnerability in widely used software, like Microsoft Exchange. Historically, events stemming from widespread vulnerabilities have had the largest impact.
There have been several noteworthy events with cyber CAT potential in the last few years, including ProxyNotShell, Log4j, Kaseya, ProxyShell, SolarWinds, NotPetya, and WannaCry. While we didn’t see significant insured losses with these events, they could foreshadow future events with significant loss potential.
Cyber CAT Events Can Be Mitigated As They Unfold
Cyber CAT events are less like a natural disaster — which happens all at once — and more like a pandemic, which unfolds over time after an initial outbreak.
This pandemic scenario is a cascading event. Unlike a singular natural disaster event, a cascading event can be mitigated while it unfolds. Just as we used masks, social distancing, travel bans, and vaccines to mitigate the COVID-19 pandemic, insurers can use security best practices and patches to slow and eventually stop attackers from exploiting cyber vulnerabilities at the scale that would cause CAT losses.
At-Bay has been tackling cascading CAT risk through Active CAT Management, a system with a demonstrated ability to address the CAT potential of cyber insurance.
How Active CAT Management Works
Active CAT Management (ACM) is the practice of mitigating cyber events with CAT potential before they materialize into significant loss.
With the right data, technology, and interventions, insurers can take advantage of the time gap created by the cascading nature of cyber CAT risk to effectively manage their exposure. The ACM approach allows At-Bay to successfully mitigate portfolio CAT for events like Log4j and the Microsoft Exchange ProxyShell and ProxyNotShell vulnerabilities.
The capabilities of a successful mitigation strategy like At-Bay’s Active CAT Management program are threefold:
1. Identify Events With CAT Potential
Cyber insurers need the ability to identify events with CAT potential and to project their impact on the portfolio.
This is essential for triage and prioritization, and it requires cyber research capabilities and strong mapping of digital assets to insureds. Being aware of the technology interdependencies within the portfolio is necessary in order to accurately quantify and model out CAT potential.
2. Identify Which Portfolio Companies Are Vulnerable
The insurer needs to be able to identify — with a high degree of fidelity — which assets, and in turn, which companies in its portfolio are vulnerable to cyber risks with CAT potential.
False positives are endemic in cyber data, which can have a negative impact on CAT risk mitigation. Inaccurate data can cause an insurer to under-react in mitigating an issue or can cause disruption for brokers and businesses by sending them chasing an issue they may or may not actually have.
It can also decrease trust between insurers and their insureds, thus decreasing the likelihood that insureds will take action when they receive notice of a new vulnerability from their insurer.
3. Help Companies With Risk Mitigation
The insurer needs to be able to help insureds recognize the importance of mitigation and take action.
In order to do this, the insurer should build relationships with their insureds. This way, the business is inclined to listen and act when the insurer reaches out with information about a new vulnerability or an action needed to improve security posture.
Insurers should also develop security capabilities, or partner with providers, in order to connect insureds with patches and solutions as quickly as possible when a new vulnerability arises.
Portfolio Losses With Vs. Without Active CAT Management
With Active CAT Management, At-Bay’s portfolio is better protected from cyber CAT losses. The chart below illustrates how ACM significantly reduces modeled tail loss.
At-Bay’s results with its Active CAT Management program show substantial early results in mitigating potential loss before an event fully unfolds. This drives CAT exposure and Aggregate Exceedance Probability (AEP) curves down significantly across the portfolio, demonstrating the effectiveness of CAT risk modeling and mitigation.
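The mechanism behind that effect can be shown with a small Monte Carlo model of a cascading event: a shared vulnerability is exploited day by day, and mitigation outreach removes insureds from the vulnerable pool before attackers reach them, which lowers the 1-in-100 point of the AEP curve. This is an added illustration with constructed parameters, not At-Bay's model or data; the patch and exploitation rates, portfolio size and event probability are assumptions.

```python
"""Toy Monte Carlo model of a cascading cyber CAT event in a portfolio,
with and without active mitigation (ACM). Constructed parameters only."""
import random


def simulate_annual_loss(rng, n_insureds, limit, event_prob, vuln_share,
                         days, daily_exploit_rate, daily_patch_rate):
    """One simulated year. A shared-vulnerability event occurs with
    probability event_prob and then unfolds daily: outreach patches a
    share of still-vulnerable insureds, and attackers exploit a share of
    those still unpatched. Each exploited insured pays out its limit."""
    if rng.random() >= event_prob:
        return 0.0
    vulnerable = [rng.random() < vuln_share for _ in range(n_insureds)]
    exploited = [False] * n_insureds
    for _ in range(days):
        for i in range(n_insureds):
            if not vulnerable[i] or exploited[i]:
                continue
            if rng.random() < daily_patch_rate:
                vulnerable[i] = False  # mitigated before exploitation
            elif rng.random() < daily_exploit_rate:
                exploited[i] = True
    return limit * sum(exploited)


def aep_loss(losses, return_period):
    """AEP point: the annual aggregate loss exceeded with probability
    1/return_period (e.g. the 1-in-100 year loss)."""
    ordered = sorted(losses)
    idx = min(len(ordered) - 1, int(len(ordered) * (1 - 1 / return_period)))
    return ordered[idx]


def compare_tail_loss(seed=7, years=300, return_period=100):
    """Same seeded event stream without and with ACM; returns the two
    1-in-return_period AEP losses as (without, with)."""
    base = dict(n_insureds=400, limit=1.0, event_prob=0.4, vuln_share=0.2,
                days=20, daily_exploit_rate=0.05)
    no_acm = random.Random(seed)
    without = [simulate_annual_loss(no_acm, daily_patch_rate=0.0, **base)
               for _ in range(years)]
    acm = random.Random(seed)
    with_acm = [simulate_annual_loss(acm, daily_patch_rate=0.15, **base)
                for _ in range(years)]
    return aep_loss(without, return_period), aep_loss(with_acm, return_period)


if __name__ == "__main__":
    without, with_acm = compare_tail_loss()
    print(f"1-in-100 AEP loss without ACM: {without:.0f} limits")
    print(f"1-in-100 AEP loss with ACM:    {with_acm:.0f} limits")
```

Varying `daily_patch_rate` against `daily_exploit_rate` shows the point made above: the tail falls as mitigation outpaces exploitation during the time gap a cascading event creates.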
About the Author
Roman Itskovich is the Co-Founder and Chief Risk Officer of At-Bay, the InsurSec provider for the digital age. At-Bay combines world-class technology with industry-leading insurance to help clients meet risk head-on. Partnering with brokers and business owners alike, At-Bay provides modern insurance products and active risk monitoring services for companies of every size and in every industry.
Before founding At-Bay in 2016, Itskovich built an online lending business as the VP of Financial Products at Ebury, a Greylock-backed firm helping businesses accelerate international growth. He has more than a decade of experience in finance and financial modeling, having served on the investment team at Bain Capital and as a consultant at McKinsey & Company. Itskovich holds a BA in Economics and Accounting from Tel Aviv University and an MBA from Harvard Business School.
Footnote
1. Chart source: Howden Broking Group, Cyber Insurance: A Hard Reset 2.0, page 16. Published June 2022.