Luck will run out: CyberCube outlines a $40bn cyber cat scenario
The cyber market has yet to experience its first true catastrophe, but the building blocks for such an event are already visible. Hence why Convergence 2025’s agenda featured a standalone Cyber panel for the very first time.
As there are yet to be any cyber catastrophe events, the risk landscape is difficult to quantify. Brittany Baker (pictured left), head of solution consulting & ILS at CyberCube, explained that modelling teams often look at historic attacks through a “counterfactual” lens — asking what might have happened if just a few variables had been different.
One of the most instructive examples is WannaCry, the 2017 ransomware outbreak that hit hundreds of thousands of systems worldwide. She noted that even though WannaCry resulted in limited insured losses, a handful of small changes could have turned it into a multi-billion-dollar cyber catastrophe. Microsoft had been tipped off to the vulnerability two months before the attack and issued a patch, giving many firms time to protect themselves. “If that early warning hadn’t happened, the footprint could have been a lot bigger,” Baker said. Without that head start, “we increased that to around $2 to $4 billion.”
Then came the second stroke of luck: a kill switch embedded in the code. “The responders got lucky. Someone stumbled upon the kill switch within hours of this attack happening,” she said. “So what if that kill switch hadn’t existed, or we just didn’t find it fast enough?” The result, she estimated, would be a jump to “$4.5 to $7.5 billion.”
And that’s still not the worst-case scenario. If the vulnerability had been a true “zero day” — one entirely unknown to Microsoft until the moment of attack — the potential losses soar. “Now we’re looking at $9 to $14 billion,” Baker explained. “And then what if you just upped the sophistication of those threat actors? … You’re looking at $28 to $41 billion.”
Those numbers matter in the ILS and reinsurance worlds because cyber cat bonds have been structured around triggers starting at roughly $5 billion in industry losses. “You can see how, with relatively small tweaks — no early warning, no kill switch or a bit more sophistication — an event that didn’t touch the insurance market at all could suddenly pierce those levels,” she said.
For now, cyber remains an untested peril for ILS investors. But Baker’s analysis underscores just how thin the margin is between a manageable event and a market-changing loss. “All of those impacts are somewhat small changes,” she said. “And that’s how you get from something that didn’t impact the insurance industry at all to peak peril.”
Did you get value from this story? Sign up to our free daily newsletters and get stories like this sent straight to your inbox.
