Executive Summary: Defining Cyber Catastrophes for Practical Application in the Insurance Sector
This paper introduces a practical, insurer-focused definition of a cyber catastrophe, clarifying how large-scale cyber events develop, propagate, and accumulate losses. It provides a structured foundation to help insurers and reinsurers consistently identify, model, and manage the most financially consequential cyber scenarios.

This paper introduces a refreshed, insurer-focused definition of a cyber catastrophe, designed to support clarity, consistency, and effective risk transfer across the cyber insurance market. The objective is to contribute constructively to the industry-wide discussion and provide a foundation that helps insurers identify, model, and manage the most financially consequential cyber scenarios.
In shaping this definition, we examined how cyber incidents develop, the vulnerabilities and techniques involved, and the factors that drive widespread aggregation of loss. Our analysis of historical events highlighted a persistent challenge: the term “event” is interpreted differently by cybersecurity practitioners and insurance professionals. To bridge this gap, we aligned insurance-focused thinking with cybersecurity classifications and developed a structured method for grouping affected organizations within a single, coherent event construct for insurance purposes.
A Working Definition of Cyber Catastrophe
A cyber catastrophe can be described as an infrequent cyber incident that generates severe financial loss, operational disruption, injury, or property damage across a large population of insured cyber exposures. Such an event typically begins with the disruption of a critical technology or service provider and propagates wherever technical or operational conditions allow.
Technology-driven cyber catastrophes commonly develop through three stages:
- Expansion, during which the event rapidly spreads and accumulates losses
- Remission, where the pace of loss begins to slow
- Transition, when the event degrades into recurring or attritional loss patterns
This lifecycle typically runs from roughly one month to six months and provides a practical reference point for defining applicable time windows, including the basis for cyber hours clauses in reinsurance contracts (even though such a window is measured in months rather than hours). Importantly, the definition does not depend on attribution and applies regardless of whether coverage is affirmative or silent.
By emphasizing the impact of the event on insured organizations rather than the identity or intent of the attacker, this approach places financial consequence at the core of modeling and portfolio management.
Introduction: Understanding Cyber Catastrophes
Cyber risk is inherently systemic. A single incident can cascade across interconnected systems and generate losses spanning large sections of one or more insurance portfolios. While significant progress has been made in cyber risk modeling, inconsistencies remain in how the industry defines fundamental concepts such as “cyber event” and “cyber catastrophe.”
In traditional natural catastrophe modeling, standardized definitions guide the assessment of frequency, severity, and loss accumulation. Cyber catastrophes, however, introduce additional layers of complexity. The novelty of cyber insurance as a product, combined with the relative rarity of truly large-scale systemic cyber events, means that modeling must often rely on extrapolation from observed incidents and hypothetical scenarios.
Defining Catastrophe in an Insurance Context
Catastrophes are generally understood as low-frequency, high-severity events affecting a large number of exposed entities. While this concept works well for natural disasters, its application to cyber risk is complicated by the diverse and rapidly evolving nature of cyber threats.
Cyber losses may stem from a broad spectrum ranging from unintentional service outages to coordinated exploitation campaigns targeting widely deployed technologies. Both can meet the core criteria for catastrophe from an insurance perspective, even if their technical origins differ significantly.
Attribution introduces further complexity. Multiple claims across jurisdictions may originate from the same underlying vulnerability or method, yet assigning them to a single event based on threat actor identity alone is neither practical nor necessary. Instead, greater relevance lies in the shared vulnerabilities, tools, and techniques that define the underlying campaign.
Campaigns and Hostile Cyber Activity
A campaign can be described as a series of attacks leveraging common vulnerabilities and methods. This construct allows insurers to identify event commonality without reliance on definitive attribution. Additionally, emerging industry discourse differentiates between categories such as criminal activity, hostile cyber activity, and state-sponsored operations, acknowledging the challenges of accurately identifying threat origins.
The 2017 NotPetya incident exemplifies these complexities. Although widely associated with geopolitical conflict, its defining characteristic from an insurance standpoint was the scale and nature of the impact, not the identity of the attacker. The absence of any credible economic motive, together with the destructive behavior of the payload, allowed it to be classified as hostile cyber activity on the basis of outcomes alone.
Defining a Cyber Event for Insurance
Cybersecurity professionals and insurance experts adopt fundamentally different perspectives. Cybersecurity specialists define events through technical markers such as tools, methods, and threat actor behavior over potentially prolonged periods. In contrast, insurers define events based on loss behavior, policy wording, and aggregation logic.
For insurers, a cyber event is any occurrence resulting in insured loss, regardless of malicious intent. Attribution may be relevant in specific cases such as nation-state exclusions, but it is not central to the core modeling process. Instead, the focus is on frequency, severity, and accumulation of claims.
The Emotet malware operation illustrates this divergence. While treated by cybersecurity experts as a single evolving campaign, insurance professionals would view each materially different loss scenario independently, especially when different financial and operational impacts arise. Furthermore, the long duration of the campaign complicates aggregation within a single event framework.
Refining the Definition of Cyber Catastrophe
A cyber catastrophe is an infrequent cyber incident that produces severe financial or operational damage across a significant number of insured entities. To reach a catastrophic scale, two conditions must be met:
1. Concentration of Exposure
A shared dependency must exist, such as a common service provider or critical technology relied upon by a broad segment of insureds. This allows classification into two primary categories:
- Service provider-driven events
- Technology-driven events
2. Propagation Potential
The event must demonstrate the capability to spread rapidly and uncontrollably. This may result from cyberattacks, technical faults, misconfigurations, or operational failures. Key contributors to widespread impact include automated propagation and minimal user interaction requirements.
Service provider events typically have defined temporal boundaries, aiding structured analysis. Technology events are more complex, as they often transcend geographic limits and persist over extended periods.
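The two conditions above, together with a time window, can be turned into an aggregation rule: claims are grouped into one insurance event when they trace to the same shared dependency and their first loss falls within a window of the event's first loss, and each resulting event is then tested for concentration of exposure and propagation potential. The following is an added illustration, not code or data from the paper; the claim records, the 180-day window, the dependency names and the thresholds (5 distinct insureds, 50% automated spread) are constructed assumptions.

```python
"""Grouping cyber claims into insurance events by shared dependency and time
window, then testing each event against the two catastrophe conditions.
Added illustration: the claim records, the 180-day window and the thresholds
are constructed assumptions, not figures from the paper."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Claim:
    claim_id: str
    insured: str            # policyholder the claim sits with
    dependency: str         # shared technology or service provider the loss traces to
    kind: str               # "technology" or "provider"
    first_loss: datetime    # when loss first manifested at this insured
    user_interaction: bool  # True if the compromise needed a user action (e.g. phishing)


@dataclass
class Event:
    dependency: str
    kind: str
    start: datetime
    claims: list

    @property
    def insureds(self) -> set:
        return {c.insured for c in self.claims}

    @property
    def automated_share(self) -> float:
        """Fraction of claims where spread needed no user action (virality proxy)."""
        return sum(not c.user_interaction for c in self.claims) / len(self.claims)


def group_events(claims, window: timedelta) -> list:
    """Aggregate claims into events: same dependency, and first loss within
    `window` of the event's first loss (an hours-clause style rule). A claim
    outside the window opens a new event for that dependency, which is how the
    attritional tail is separated from the catastrophe phase."""
    events, current = [], {}   # current: dependency -> open Event
    for c in sorted(claims, key=lambda c: c.first_loss):
        ev = current.get(c.dependency)
        if ev is None or c.first_loss - ev.start > window:
            ev = Event(c.dependency, c.kind, c.first_loss, [])
            current[c.dependency] = ev
            events.append(ev)
        ev.claims.append(c)
    return events


def classify(event: Event, min_insureds: int = 5, min_automated: float = 0.5) -> str:
    """Condition 1, concentration: enough distinct insureds on the shared
    dependency. Condition 2, propagation: spread was predominantly automated.
    Thresholds are illustrative assumptions."""
    concentration = len(event.insureds) >= min_insureds
    propagation = event.automated_share >= min_automated
    if concentration and propagation:
        return "catastrophe"
    if concentration:
        return "accumulation"   # shared dependency, but human-dependent spread
    return "attritional"


def _d(month: int, day: int) -> datetime:
    return datetime(2024, month, day)


# Constructed sample claims (not real claims). Three shared dependencies:
# an edge appliance exploited without user action, a phishing kit that needs
# a click, and a single-day hosting provider outage.
SAMPLE_CLAIMS = [
    Claim("c01", "A", "EdgeVPN-appliance", "technology", _d(1, 10), False),
    Claim("c02", "B", "EdgeVPN-appliance", "technology", _d(1, 12), False),
    Claim("c03", "C", "EdgeVPN-appliance", "technology", _d(1, 20), False),
    Claim("c04", "D", "EdgeVPN-appliance", "technology", _d(2, 2), False),
    Claim("c05", "E", "EdgeVPN-appliance", "technology", _d(2, 15), False),
    Claim("c06", "F", "EdgeVPN-appliance", "technology", _d(3, 1), False),
    Claim("c07", "G", "EdgeVPN-appliance", "technology", _d(3, 20), False),
    Claim("c08", "A", "EdgeVPN-appliance", "technology", _d(11, 1), False),  # late tail
    Claim("c09", "H", "PhishKit-Q", "technology", _d(1, 15), True),
    Claim("c10", "I", "PhishKit-Q", "technology", _d(2, 10), True),
    Claim("c11", "J", "PhishKit-Q", "technology", _d(3, 5), True),
    Claim("c12", "K", "PhishKit-Q", "technology", _d(4, 1), True),
    Claim("c13", "L", "PhishKit-Q", "technology", _d(4, 28), True),
    Claim("c14", "M", "PhishKit-Q", "technology", _d(5, 20), True),
    Claim("c15", "B", "HostCo-cloud", "provider", _d(4, 3), False),
    Claim("c16", "N", "HostCo-cloud", "provider", _d(4, 3), False),
    Claim("c17", "O", "HostCo-cloud", "provider", _d(4, 3), False),
    Claim("c18", "P", "HostCo-cloud", "provider", _d(4, 3), False),
    Claim("c19", "Q", "HostCo-cloud", "provider", _d(4, 3), False),
]


def run_example(window_days: int = 180) -> list:
    """Returns (dependency, kind, start date, distinct insureds, label) per event."""
    out = []
    for ev in group_events(SAMPLE_CLAIMS, timedelta(days=window_days)):
        out.append((ev.dependency, ev.kind, ev.start.date().isoformat(),
                    len(ev.insureds), classify(ev)))
    return out


if __name__ == "__main__":
    for row in run_example():
        print(row)
```

With the 180-day window the appliance claims from January to March form one catastrophe-scale event, the November claim on the same appliance is split off as an attritional event, the phishing kit reaches the concentration threshold but not the propagation one, and the provider outage qualifies on both counts in a single day. Shortening the window splits the appliance event into several, which is exactly the sensitivity a cyber hours clause has to negotiate.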
Observations on Attack Spread
Not all entities using a common technology will suffer loss; typically only a fraction is affected, and that fraction depends on how many instances are reachable by the exploit (for example, internet-facing rather than internal) and on how quickly patches or mitigations are applied. Higher virality is associated with automated exploit mechanisms requiring little or no user interaction, while human-dependent attack vectors show a lower probability of large-scale propagation.
The 2008 Conficker worm exemplifies this behavior: it spread without user interaction by exploiting a remotely exploitable Windows vulnerability (MS08-067), later adding spread via network shares and removable media, and infected millions of systems within months. Although it never became a formal insurance event, it demonstrated the structural characteristics of a cyber catastrophe.
Time Considerations and Hours Clauses
Reinsurance frameworks rely heavily on clearly defined event durations. In natural catastrophes, hours clauses define boundaries for loss aggregation. In cyber, no such standard currently exists.
Our analysis suggests that the most impactful phase of technology-driven cyber catastrophes generally occurs within a one-to-six-month timeframe, influenced by the balance between infection velocity and remediation rates. This provides a realistic basis for establishing cyber hours clauses and differentiating catastrophic loss phases from ongoing attritional losses.
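The interplay of infection velocity and remediation rate, and how it produces the expansion, remission and transition phases, can be seen in a simple daily spread-versus-remediation model over a portfolio that shares one technology. The block below is an added illustration with constructed parameters (10,000 exposed insureds, 10 initially affected, a spread coefficient of 0.35 and a remediation rate of 0.10 per day, a 1% of peak cutoff for "attritional"); it is not a calibrated model from the paper, and it is deliberately simpler than a real propagation model.

```python
"""Daily spread-versus-remediation model for a portfolio sharing one
technology, used to locate the expansion, remission and transition phases and
to see what share of loss an hours-clause window captures. Added illustration
with constructed parameters; not a calibrated model from the paper."""


def simulate(n_exposed: int = 10_000, initial: int = 10, beta: float = 0.35,
             gamma: float = 0.10, days: int = 365) -> list:
    """Discrete-day SIR-style dynamics.
    beta:  new compromises per compromised insured per day when the whole
           population is still susceptible (infection velocity).
    gamma: fraction of compromised insureds remediated each day.
    Returns the number of newly affected insureds on each day."""
    s, i = float(n_exposed - initial), float(initial)
    new_losses = []
    for _ in range(days):
        infected = min(s, beta * i * s / n_exposed)   # automated spread
        remediated = gamma * i                          # patching / cleanup
        s -= infected
        i += infected - remediated
        new_losses.append(infected)
    return new_losses


def phases(new_losses: list, attritional_ratio: float = 0.01):
    """Expansion: day 0 up to the peak of daily new losses.
    Remission: after the peak, while daily new losses still exceed
    attritional_ratio * peak.  Transition: first day at or after the peak
    where they fall below that level (None if never reached)."""
    peak_day = max(range(len(new_losses)), key=new_losses.__getitem__)
    floor = attritional_ratio * new_losses[peak_day]
    transition_day = next((d for d in range(peak_day, len(new_losses))
                           if new_losses[d] < floor), None)
    return peak_day, transition_day


def share_within_window(new_losses: list, window_days: int) -> float:
    """Share of total loss falling inside the first `window_days` days, i.e.
    what a cyber hours clause of that length would aggregate into one event."""
    total = sum(new_losses)
    return sum(new_losses[:window_days]) / total if total else 0.0


def run_example() -> dict:
    nl = simulate()
    peak, transition = phases(nl)
    return {
        "peak_day": peak,
        "transition_day": transition,
        "share_30d": round(share_within_window(nl, 30), 3),
        "share_90d": round(share_within_window(nl, 90), 3),
        "share_180d": round(share_within_window(nl, 180), 3),
    }


if __name__ == "__main__":
    print(run_example())
```

Running it with different `beta` and `gamma` values shows how the transition day moves: faster remediation shortens the remission phase, and the share of loss inside a 30-, 90- or 180-day window is the quantity an hours clause negotiation is really about. The same functions can be rerun on a portfolio's own observed daily claim counts in place of `simulate()` to locate the phase boundaries of an actual event.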
Impact-Based Modeling for Cyber Catastrophes
An impact-focused modeling approach centers on the measurable consequences for insured entities. This approach recognizes that every cyber catastrophe begins with failure or disruption in either a service provider or a technology.
Three primary dimensions guide this framework:
- Commonality of vulnerabilities and exploitation techniques
- Propagation capability and virality
- Impact on confidentiality, integrity, and availability of systems and data
This structure supports consistent treatment of both service provider and technology-related events and enables modeling of heterogeneous losses without dependency on attribution.
Financial Consequence and Coverage Alignment
By linking material impact to cost components, this approach translates technical events into quantifiable financial loss. These cost components correspond with coverage structures and support management of both silent and affirmative cyber exposures under varying policy wordings.
This framework seeks to harmonize cybersecurity expertise with the practical requirements of the insurance industry. By providing consistent definitions and a structured approach to evaluating cyber catastrophes, it enables more transparent, defensible, and efficient risk transfer.
As debate and regulatory evolution continue, this methodology offers insurers a stable reference point for understanding, modeling, and managing cyber catastrophe risk while supporting the broader objective of sustainable market development.