
Aggregate Cyber Risk: An Essential Guide for Security Professionals


Risk Aggregation in Cybersecurity is a New Phenomenon that Needs a Data-Driven Approach

The Concerns with Aggregate Cyber Risk

Risk aggregation is the act of grouping compounded risks together to understand the total risk to an institution, region, or industry. Aggregate risk becomes catastrophic when multiple risks come together to create a single devastating incident that can affect a considerable number of policyholders. Cyber risks have become an increasing concern due to the potential compounding factors. The worry is that a massive cyber attack could lead to an unmanageable chain of technological events that could have catastrophic outcomes.

The Role of Security Professionals in Cyber Aggregation

In their desire to avoid catastrophic outcomes, security professionals often become trapped in the scaremongering of clickbait headlines related to cyber risk. To be proactive in securing institutions, there are specific security controls that security professionals can put in place to minimize the impact of aggregate cyber risks. These professionals need to understand two things: cybersecurity risks are always evolving, and cyber risk aggregation does not need to be catastrophic.

Cyber Risk is Volatile and Dynamic

Cyber risks are always evolving, and new vulnerabilities appear daily, making it quite challenging to predict how a specific risk will change. For instance, the volume of Common Vulnerabilities and Exposures (CVEs) is set to grow by 13% from 2022 to 2023. This growth may continue as new technologies emerge and researchers enter the field. However, the increasing volume of CVEs should not frighten security professionals, as there is a limit to the number of vulnerabilities that can be exploited. Attackers can only target a specific number of organizations. The speed of detection is also increasing, and new patches and software updates resolve newly detected issues.

A Data-Driven Approach to Modeling Cyber Risk

Using the right data and technical expertise, cybersecurity risks are manageable and can be adequately underwritten. Surprisingly, more data exists on cybersecurity risks globally than on any other risk. Leveraging this data can significantly change the impact of aggregate cyber risk on companies. A simulation modeled against a sample of 5000 top-growth US companies discovered that a cyber event with a one-in-250-year likelihood could cost over $370 million in losses. If extrapolated across the entire US economy, a catastrophic cyber event could total up to $30 billion in losses.

Managing, not Eliminating Cyber Risk

The goal of managing aggregate cyber risks lies in becoming comfortable with change and chipping away at the unknowns. Cyber risk is unpredictable, and we cannot entirely prevent catastrophic events. As such, insurance providers must be willing to adapt to new cybersecurity risks and deploy appropriate mitigation strategies to combat emerging threats.

Editorial and Advice

Security professionals must avoid clickbait headlines that do more to create risk than to educate about known vulnerabilities. The unpredictable nature of cyber risks can be overwhelming for these professionals, so it is better to prioritize risk areas and address them first. The industry needs to develop a broader C-suite conversation to address risk in a more impactful way. It would be best if CFOs could evaluate risk in dollar amounts and purchase relevant coverage. Further research needs to focus on how to understand emerging cyber risks and develop relevant mitigation measures that can keep institutions safe.

