CyberCube and Munich Re have collaborated on a survey of cybersecurity experts to advance the insurance industry's understanding of systemic cyber risks, focusing primarily on widespread malware and cloud outage events.

This initiative was designed to gather expert judgment in different areas of accumulation modeling where empirical data is limited or non-existent, to test and refine cyber catastrophe modeling assumptions, and to explore the practical realities of cyber resilience and mitigation.

With responses from 93 cybersecurity experts spanning a range of disciplines and industries, the study provides insights into potential impacts, attack vectors, and mitigation effectiveness. The results allow a nuanced view of how systemic cyber events might unfold and of the factors that drive variation in risk exposure across firms:

Widespread Malware Risk

According to the majority of responding experts, a severe malware event could infect a quarter of all systems worldwide, but they agreed in that case only 15% may be fully compromised. Experts do not see an event where more than 50% of the world's systems are completely compromised. Based on the experts’ judgement, another event on the scale of WannaCry and NotPetya would not be seen as surprising.

Patch management, network segmentation, and data backups are identified as the most effective mitigations that organizations have against widespread malware attacks. When done effectively, such mitigations can reduce the chance of being affected by a widespread malware attack by 50% to 80% and reduce the financial impacts from such an event by a similar amount.

Cloud Risk

Cybersecurity experts expect broad cloud outages to last hours to days; outages beyond 72 hours are considered unlikely but not impossible.

Findings show at least a medium level of dependency on cloud services across most industries with companies’ business-criticaloperations increasingly reliant on them. Reliance tends to decrease with increasing company size.

Financial losses scale with cloud outage duration: Respondents reported that a single-day outage of their most critical Cloud Service Provider (CSP) would likely result in a financial loss equal to 1% of their yearly revenue. Variation in losses reflect differences in dependency on the cloud, based on an organization’s size, sector, and contingency planning.

The most effective mitigation against cloud outages is to establish a multi-region architecture with the CSPs used for critical business applications. Having multiple CSPs was not found to be effective; the option to transfer service from one CSP to another during an outage was seen as unfeasible. Cyber Experts surveyed rate Azure, AWS and Google as the best prepared to mitigate against a major cloud outage and to recover from such an event.

Emerging and Systemic Risks

Experts believe that new technologies will begin to affect the threat landscape at about the same pace that they are being adopted in cybersecurity practices.

According to cybersecurity experts, in the near term Industrial and Consumer Internet of Things (IoT) devices pose the biggest concern. Large Language Models (LLMs) are regarded as having an impact now while Artificial General Intelligence (AGI) is seen as a greater concern in five or more years.

A fundamental challenge in cyber risk modeling is the deficiency of concrete tail-risk events. This survey helped to parameterize plausible worst-case scenarios and establish expert consensus. The findings represent an important input into CyberCube’s and Munich Re’s evolving view of cyber risk and help inform ongoing enhancements to their modeling approach.