What Is Cyber CAT?
Unlike natural catastrophes, cyber CAT events can often be mitigated as they unfold
Cyber CAT is an insurance-specific term that refers to any catastrophic cyber event that has the potential to impact a large population of insureds in a short period of time.
The cyber insurance industry has yet to experience catastrophic losses, although recent events such as ProxyNotShell, Log4j, and Kaseya are increasing concerns about cyber CAT risk. These events could foreshadow future events with significant loss potential, which is why it’s critical for cyber insurers to understand and manage cyber CAT risk.
Cyber CAT risk is comparable to natural catastrophic risk. Both have the potential to create catastrophic insurance losses, and much of the insurance industry treats them similarly. However, they unfold very differently and therefore require different mitigation strategies. This table demonstrates the key differences:
Technological Interdependence Causes Cyber CAT Risk
Natural catastrophes are typically correlated to geography. For example, some locations are more prone to certain natural disasters, so a property’s ZIP code tends to be a strong indicator of risk.
In contrast, cyber CAT risk arises from shared technology dependencies among insureds. These dependencies typically take two forms:
- Digital resources and providers: Cloud infrastructure or services (Amazon Web Services), cloud storage systems (Google Drive), and internet infrastructure (domain name servers)
- Software products: Email servers (Microsoft Exchange) and IT management software (Kaseya or SolarWinds)
If a provider goes down or a software product becomes vulnerable, every company that depends on that shared technology can experience a loss.
Frequency Of Claims Drives Cyber CAT Risk
In insurance, natural disasters are defined through a loss threshold: If the losses exceed a certain dollar amount, then a disaster is deemed catastrophic. A natural disaster like an earthquake or hurricane drives the severity of claims, as the property damage will be extreme in a certain area.
In contrast, frequency of claims defines cyber CAT. Cyber CAT risk arises when technological interdependence creates the potential for a widespread cyber attack on many organizations simultaneously. Events with cyber CAT potential affect a large number of insureds, but there isn’t necessarily increased severity per claim compared to attritional losses.
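As an added illustration (not At-Bay's code or model) of the two points above, shared dependencies as the source of accumulation and claim frequency rather than severity as the driver of loss, the following Python computes, over a constructed portfolio, which insureds share each technology and what a vulnerability in one product would mean in claim count. The portfolio, policy limits, dependency names and the attritional severity figure are assumed sample values.

```python
from collections import defaultdict

# Constructed sample portfolio: each insured lists the shared technologies it
# depends on (provider or product) and its policy limit in USD. Illustrative only.
PORTFOLIO = [
    {"name": "Insured A", "limit": 1_000_000, "deps": ["aws", "exchange", "kaseya"]},
    {"name": "Insured B", "limit": 2_000_000, "deps": ["aws", "google_drive"]},
    {"name": "Insured C", "limit": 500_000, "deps": ["exchange", "solarwinds"]},
    {"name": "Insured D", "limit": 3_000_000, "deps": ["aws", "exchange"]},
    {"name": "Insured E", "limit": 750_000, "deps": ["google_drive", "kaseya"]},
]


def accumulation(portfolio):
    """Per shared dependency: how many insureds rely on it and their combined limit.

    This is the cyber analogue of geographic accumulation for natural CAT: the
    dependency, not the ZIP code, is what correlates losses across the book."""
    acc = defaultdict(lambda: {"count": 0, "limit": 0})
    for ins in portfolio:
        for dep in set(ins["deps"]):  # set() so a duplicated entry is not counted twice
            acc[dep]["count"] += 1
            acc[dep]["limit"] += ins["limit"]
    return dict(acc)


def exposed_insureds(portfolio, dependency):
    """Insureds to contact if `dependency` goes down or becomes vulnerable."""
    return [ins["name"] for ins in portfolio if dependency in ins["deps"]]


def cat_scenario(portfolio, dependency, attritional_severity):
    """Frequency-driven loss estimate: one ordinary-sized claim per exposed insured.

    Severity per claim is held at the attritional level; only the claim count
    rises, which is what distinguishes cyber CAT from natural CAT."""
    n = len(exposed_insureds(portfolio, dependency))
    return {"claims": n, "expected_loss": n * attritional_severity}


if __name__ == "__main__":
    ranked = sorted(accumulation(PORTFOLIO).items(), key=lambda kv: -kv[1]["count"])
    for dep, stats in ranked:
        print(f"{dep:13} insureds={stats['count']} aggregate_limit=${stats['limit']:,}")
    print(cat_scenario(PORTFOLIO, "exchange", attritional_severity=150_000))
```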
Cyber CAT Risk Affects Dynamic Digital Assets
The type of loss incurred by a natural catastrophe is very different from the loss experienced during a cyber CAT event. Property losses caused by natural disasters are static and fairly easy to quantify, because property is stationary and doesn’t tend to change unpredictably.
However, the assets at risk in a cyber attack are digital rather than physical, and the losses include intangible ones like business interruption and data breaches. Unlike physical property, digital assets are dynamic and not always quantifiable. For that reason, newly exposed digital assets can emerge continuously and unpredictably during a cyber CAT event.
Most Cyber CAT Events Are Cascading
Natural catastrophes are often singular events in which the damage is incurred all at once, such as an earthquake or hurricane where the resulting physical damage is immediately measurable. Singular events with cyber CAT potential are uncommon and haven’t yet produced severe losses. Singular cyber CAT events occur when a shared resource goes offline and causes immediate disruption for all users. For example, when an AWS data center goes down, the many companies that rely on that data center to operate experience an immediate interruption to their operations.
Most cyber CAT events, on the other hand, tend to unfold in a cascading pattern. They’re more comparable to a pandemic than a natural disaster. For example, when COVID-19 broke out, it took months for the virus to spread (or “cascade”) from person to person, even though most people were at risk of infection. The cascading nature of the pandemic provided time to try to slow the pace of the spread and protect individuals from infection with masks, travel bans, social distancing, and vaccines.
Cascading cyber CAT events have significant damage potential, but there is time to intervene and mitigate them as they unfold. When a new vulnerability arises in widely used software or a widely used digital resource, it affects a large population due to technological interdependence — but attackers still have to go after organizations one by one to exploit the vulnerability. Even sophisticated attackers with automated attacks need time to take advantage of a vulnerability at scale, which creates the opportunity to mitigate the risk.
Active CAT Management Is The Most Effective Way To Manage Cyber Risk
The insurance industry hasn’t yet converged on a consistent standard for managing cyber CAT risk. Many insurers approach it with the same fixed mindset as natural catastrophic risk, which often means waiting for the event to unfold without taking any proactive mitigation steps. Two undesirable outcomes can arise from this approach:
- A significant CAT load on most policies in the market today. Cyber is viewed as a catastrophe-prone line, meaning much lower loss ratios are expected in normal years to compensate for a catastrophe year. This significantly drives up the price of policies.
- Policy language that excludes CAT risk. To eliminate the tail risk of cyber CAT, insurers transfer that risk back to the insured through a widespread vulnerability exclusion.
Taking a passive approach to cyber CAT risk creates an inferior cyber insurance product. Instead, cyber insurers should maintain an up-to-date view of the evolving threat landscape and of the digital assets they insure to enable timely action that can prevent a significant cyber event from developing into catastrophic losses.
At-Bay believes Active CAT Management is the most effective way to mitigate cyber CAT risk. Active CAT Management is the practice of mitigating cyber events with CAT potential before they result in significant loss. With the right data, technology, and interventions, insurers can take advantage of the time gap created by the cascading nature of cyber CAT risk to effectively manage exposure and significantly lower losses.
About the Author
Emma Ye serves as the VP of Risk at At-Bay, the InsurSec provider for the digital age. She oversees risk management, rate plan development and implementation, portfolio performance analytics, and the design and production of the underwriting engine. Ye directs the Risk team, which she built from the ground up starting in early 2021, establishing multiple core functions in a short time period to support At-Bay’s high growth rate through daily operations as well as high-stakes milestones.
Prior to At-Bay, Ye was the lead predictive modeler at CyberCube, where she built a cyber attritional-loss and catastrophe model. Before that, she spent seven years working on property and casualty lines and pension benefits at Aon.