Cybersecurity experts deem widespread malware incidents and severe impact from cloud outage events to be tangible scenarios, judging the effectiveness of mitigation measures.
CyberCube and Munich Re, both leading providers in their field of cyber risk, analytics and insurance, have published the main findings of a joint study on severe cyber accumulation events and the relative resiliency of organizations to systemic events due to effective mitigation measures.
The survey gathered insights from 93 seasoned cybersecurity professionals. The results provide a nuanced view of how systemic cyber events might unfold and of the factors that drive wide variation in risk exposure across firms:
Widespread Malware Risk
According to the majority of responding experts, a severe malware event could infect a quarter of all systems worldwide, but they agreed in that case only 15% may be fully compromised. Experts do not see an event where more than 50% of the world's systems are completely compromised. Based on the experts' judgement, another event on the scale of WannaCry and NotPetya would not be seen as surprising. Patch management, network segmentation, and data backups are identified as the most effective mitigations that organizations have against widespread malware attacks. When done effectively, such mitigations can reduce the chance of being affected by a widespread malware attack by 50% to 80% and reduce the financial impacts from such an event by a similar amount.
Cloud Risk
Cybersecurity experts expect broad cloud outages to last hours to days; outages beyond 72 hours are considered unlikely but not impossible. Findings show at least a medium level of dependency on cloud services across most industries with companies' business-critical operations increasingly reliant on them. Reliance tends to decrease with increasing company size. Financial losses scale with cloud outage duration: Respondents reported that a single-day outage of their most critical Cloud Service Provider (CSP) would likely result in a financial loss equal to 1% of their yearly revenue. Variation in losses reflect differences in dependency on the cloud, based on an organization's size, sector, and contingency planning.
The most effective mitigation against cloud outages is to establish a multi-region architecture with the CSPs used for critical business applications. Having multiple CSPs was not found to be effective; the option to transfer service from one CSP to another during an outage was seen as unfeasible. Cyber Experts surveyed rate Azure, AWS and Google as the best prepared to mitigate against a major cloud outage and to recover from such an event.
Emerging and Systemic Risks
Experts believe that new technologies will begin to affect the threat landscape at about the same pace that they are being adopted in cybersecurity practices. According to cybersecurity experts, in the near term Industrial and Consumer Internet of Things (IoT) devices pose the biggest concern. Large Language Models (LLMs) are regarded as having an impact now while Artificial General Intelligence (AGI) is seen as a greater concern in five or more years.
A fundamental challenge in cyber risk modeling is the deficiency of concrete tail-risk events, such as systemic malware or multi-region cloud outages. The joint survey represents the best attempt to parameterize plausible worst-case scenarios and establish expert consensus. Its objective was to advance market understanding, particularly concerning risk mitigation strategies for systemic cyber events. The results add credibility to CyberCube's model forecasts and further improve Munich Re's internal model and accumulation risk understanding.
Jon Laux, Vice President of Analytics at CyberCube, said: "By sharing the findings of our study on systemic cyber risks, we aim to provide a more nuanced view of how systemic cyber events might unfold and the factors that drive wide variation in risk exposure across firms."
Stephan Brunner, Senior Cyber Actuary at Munich Re, said: "Our ambition is to improve the understanding of possible extreme malware and cloud events alongside the effectiveness of mitigation measures by sharing the insights of our study. In collaboration, Munich Re aims to further strengthen expertise on systemic cyber risks and advance cyber accumulation modeling."
The research has contributed to a more refined understanding of the relative resiliency of organizations to systemic events and the key variables that influence an organization's ability to withstand such incidents. These findings represent an important input into CyberCube's and Munich Re's evolving view of cyber risk and help inform ongoing enhancements to their modeling approach. CyberCube has incorporated these insights into Version 6 of its risk aggregation platform, Portfolio Manager. Modeling cyber accumulation is a joint effort across the entire insurance industry. For this reason, the key findings of the survey are being published to foster dialogue in the market. This study is the third of its kind, CyberCube and Munich Re plan to conduct another study in 2026. Interested cybersecurity experts are invited to participate.
Read the report summarising the full study here Key insights into systemic cyber risk
CyberCube is the leading provider of software-as-a-service cyber risk analytics to quantify cyber risk in financial terms. Driven by data and informed by insight, we have harnessed the power of artificial intelligence to supplement our multi-disciplinary team. Our clients rely on our solutions to make informed decisions about managing and transferring cyber risks. We unpack complex cyber threats into clear, actionable strategies, translating cyber risk into financial impact on businesses, markets, and society as a whole.
The CyberCube platform was established in 2015 within Symantec and now operates as a standalone company. Our models are built on an unparalleled ecosystem of data and validated by extensive model calibration, internally and externally. CyberCube is the leader in cyber risk quantification for the insurance industry, serving over 100 insurance institutions globally. The company's investors include Forgepoint Capital, HSCM Bermuda and Morgan Stanley Tactical Value. For more information, please visit www.cybcube.com or email info@cybcube.com.
Munich Re is one of the world's leading providers of reinsurance, primary insurance and insurance-related risk solutions. Munich Re is globally active and operates in all lines of the insurance business. Since it was founded in 1880, Munich Re has been known for its unrivalled risk-related expertise and its sound financial position. Munich Re leverages its strengths to promote its clients' business interests and technological progress. Moreover, Munich Re develops covers for new risks such as rocket launches, renewable energies, cyber risks and artificial intelligence. In the 2024 financial year, Munich Re generated insurance revenue of €60.8bn and a net result of €5.7bn. The Munich Re Group employed about 44,000 people worldwide as at 31 December 2024. For more information, please visit www.munichre.com.
View source version on businesswire.com: https://www.businesswire.com/news/home/20250715840740/en/
Contacts:
For media inquiries, please contact:
CyberCube: Yvette Essen, Head of Communications Market Engagement,
yvettee@cybcube.com, +44 (0)7956 877 206
Munich Re: Irmgard Joas, Group Media Relations, ijoas@munichre.com, +49(0)89 3891 6188
