Guy Carpenter US Cyber Industry Exposure Database 2025

This white paper presents the 2025 US Cyber Industry Exposure Database and Loss Curve (IED), a collaborative, transparent, data-driven model built by Guidewire Cyence and Guy Carpenter that produces OEP/AEP loss curves and industry metrics using Cyence Model 7 and Guy Carpenter policy inputs. It summarizes market-scale estimates (≈4.97M US cyber policies; ~$9.52B estimated written premium; a 53% industry loss ratio comprising 42 percentage points of attritional loss and 11 percentage points of catastrophic loss), highlights evolving threats such as Business Email Compromise and cloud/hypervisor outages, and documents regulatory shifts such as the defunding of CISA.

Keypoints

  • Typical structure of an annual cyber industry report: Executive Summary (high-level findings and headline metrics), Full Risk Landscape Commentary (threat trends, geopolitical and regulatory drivers), Methodology Detail (data sources, model architecture, assumptions, and limitations), Testing and Validation (premium/loss testing, ground-up vs. gross loss comparisons), Results and Tail Analysis (OEP/AEP curves, VaR statistics, sector accumulations), Future Work and Roadmap (model/version plans and extensions), Closing Remarks and Contributors.
  • Executive Summary typically includes industry-size metrics, benchmark statistics (1-in-100, 1-in-250, expected loss), an overview of the OEP/AEP outputs, and key takeaways to guide stakeholders and risk-transfer decisions.
  • Methodology sections usually break down: population definition (insured universe and take-up rates), policy-term assumptions by band, model baseline population and refinement, event catalog and accumulation paths, scaling/extrapolation approach, and validation/testing protocols.
  • The IED defines scope as a US cyber-insured population using a bottom-up Cyence Model 7 approach and outputs industry loss ratios, written premium estimates, and OEP/AEP curves beyond a 1-in-50 return period.
  • Population and data: Cyence holds firmographic/technographic detail on ~600,000 US entities, refined to ~200,000 for modeling; the project estimates ~4.97 million US primary cyber policies after scaling via take-up rates.
  • Market scale: total estimated US cyber written premium is reported at approximately $9.52 billion (policy/calendar year 2024 basis as used in the exercise).
  • Industry loss ratio: an estimated 53% industry loss ratio is presented, decomposed into ~42 percentage points of attritional (non-cat) losses and ~11 percentage points of catastrophic (tail) losses—illustrating a heavy attritional component alongside meaningful tail exposure.
  • Tail modeling: Cyence Model 7 projects 11 accumulation paths to populate the tail beyond the 1-in-50 RP, explicitly including Hypervisor Outages, AWS/Azure Cloud Outages, and OS-based Mass Ransomware deployments; OEP (largest event) and AEP (aggregate year) curves are both provided for VaR analysis.
  • Sector concentration: Manufacturing, Financial Services, and Retail Trade are identified as the sectors with the largest presence in extreme tail events and therefore key drivers of industry tail risk.
  • Event taxonomy and evolving attack techniques: the report highlights persistent ransomware and Business Email Compromise (BEC), anticipates increased BEC frequency with AI adoption by attackers, and calls out single points of failure (SaaS/PaaS SPOFs), mass non-malicious software update incidents, and cloud/hypervisor outages as high-impact modern event types.
  • Geopolitical and nation-state dynamics: the Ukraine conflict and US/Russia tensions are flagged as critical variables—a resolution could reallocate attacker resources elsewhere, while deterioration could increase nation-state–backed activity against US assets and insurers.
  • Regulatory and programmatic shifts: material defunding and downsizing of US federal cyber programs is highlighted (e.g., CISA budget/workforce reductions, FedRAMP AI initiatives scrapped), which the authors view as increasing systemic uncertainty and potentially elevating exposure across insured portfolios.
  • Scaling and extrapolation approach: Cyence applies controlled, per-event, per-revenue-band and per-sector scaling to extrapolate catastrophe tail behavior from the modeled universe to the full US insured population—acknowledging uncertainty in SME scaling and advocating transparency in methodology.
  • Model governance and transparency: the paper emphasizes that a single curve without construction detail is insufficient, arguing for full transparency around assumptions, event narratives grounded in historical observations, and iterative model improvement to build trust with stakeholders.
  • Validation and testing: the report includes testing across written premium, loss ratio, and ground-up vs. gross loss comparisons to align model outputs with market-level statistics and to ensure internal consistency between exposure, policy terms, and loss outputs.
  • Key takeaways on risk posture: high attritional losses combined with meaningful catastrophic potential imply elevated capital strain for the industry; cloud and platform outages and mass compromise events require focused accumulation management, while BEC and AI-driven social engineering are rising frequency risks.
  • Product and market implications: model outputs support market exposure measurement, aggregation benchmarking, reinsurance/risk-transfer sizing, and pricing; the industry should prioritize clearer accumulation controls, data-driven underwriting, and scenario planning for cloud/SaaS systemic events.
  • Planned evolution: Cyence Model 8 (phased in 2026) aims to extend domain mapping globally, add event sets (SaaS/PaaS SPOFs, mass non-malicious updates, BEC scenarios), introduce geo-granularity, and track industry influence over time—signaling a shift toward globalized, higher-fidelity IED products.
  • Recurring themes and implications: persistent attack diversity (targeted and mass), the importance of model transparency and versioning, the need to monitor geopolitical and regulatory shifts as systemic drivers, and the continued focus on cloud/platform single points of failure and social engineering as primary operational risks.
  • Actionable considerations for stakeholders: validate internal accumulation controls against the identified event sets, update underwriting and incident response playbooks for cloud and SaaS SPOFs, incorporate AI-driven BEC scenarios into frequency projections, and engage with model authors to understand scaling assumptions for SME populations.
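The key points above refer to OEP and AEP curves, 1-in-N return-period (VaR) statistics, and the split of the loss ratio into attritional and catastrophic percentage points without showing how those quantities are derived from a simulated event set. The following Python example, added here and not taken from the report or from Cyence Model 7, builds a constructed year-loss table (Poisson event counts, lognormal severities with made-up parameters), computes the OEP curve (largest event per year) and AEP curve (aggregate loss per year), reads off empirical 1-in-100 and 1-in-250 losses, and splits the expected loss ratio at an assumed catastrophe threshold. The premium, rates, severities and threshold are all illustrative assumptions; the functions themselves are generic and work on any year-loss table.

```python
import math
import random


def simulate_year_loss_table(n_years, event_rate, mu, sigma, seed=0):
    """Return a year-loss table: one list of event losses per simulated year.

    Event counts are Poisson(event_rate) (Knuth's inversion method, adequate
    for small rates) and severities are lognormal(mu, sigma), a deliberately
    heavy-tailed choice. All parameters are constructed for illustration and
    are not the report's.
    """
    rng = random.Random(seed)
    table = []
    limit = math.exp(-event_rate)
    for _ in range(n_years):
        count, p = 0, 1.0
        while True:
            p *= rng.random()
            if p <= limit:
                break
            count += 1
        table.append([rng.lognormvariate(mu, sigma) for _ in range(count)])
    return table


def oep_losses(table):
    """Occurrence basis: the largest single event loss in each year (0 if none)."""
    return [max(year) if year else 0.0 for year in table]


def aep_losses(table):
    """Aggregate basis: the sum of all event losses in each year."""
    return [sum(year) for year in table]


def return_period_loss(annual_losses, return_period):
    """Loss whose empirical exceedance probability is 1/return_period.

    Ranking the n annual values in descending order, the k-th largest is
    exceeded in k/n of simulated years, so the 1-in-N loss is the (n/N)-th
    largest value. Requires return_period <= n.
    """
    n = len(annual_losses)
    if return_period > n:
        raise ValueError("return period exceeds the number of simulated years")
    ranked = sorted(annual_losses, reverse=True)
    return ranked[int(n / return_period) - 1]


def loss_ratio_split(table, premium, cat_threshold):
    """Split the expected loss ratio into attritional and catastrophic points.

    Events at or above cat_threshold (an assumed cut-off) are treated as
    catastrophic, the rest as attritional. Returns (total, attritional, cat)
    in percentage points of premium, the same shape as the report's
    53 = 42 + 11 decomposition.
    """
    n = len(table)
    attritional = sum(l for year in table for l in year if l < cat_threshold) / n
    catastrophic = sum(l for year in table for l in year if l >= cat_threshold) / n

    def to_points(expected_loss):
        return 100.0 * expected_loss / premium

    return (to_points(attritional + catastrophic),
            to_points(attritional), to_points(catastrophic))


if __name__ == "__main__":
    # Constructed portfolio: 2,000 simulated years, 1.5 events/year on average.
    table = simulate_year_loss_table(2000, event_rate=1.5, mu=0.0, sigma=1.5, seed=7)
    oep, aep = oep_losses(table), aep_losses(table)
    premium = 3.0  # assumed annual premium in the same (arbitrary) units
    for rp in (100, 250):
        print(f"1-in-{rp} OEP: {return_period_loss(oep, rp):.2f}  "
              f"AEP: {return_period_loss(aep, rp):.2f}")
    total, att, cat = loss_ratio_split(table, premium, cat_threshold=10.0)
    print(f"loss ratio {total:.1f}% = {att:.1f} attritional + {cat:.1f} cat points")
```

The AEP value at a given return period is always at least the OEP value, because a year's aggregate loss cannot be smaller than its largest event; the gap between the two curves is a quick indicator of how much the tail is driven by clustering of events within a year rather than by single large events.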
Source: Awesome Annual Security Reports - The reports in this collection are limited to content which does not require a paid subscription, membership, or service contract. (https://github.com/jacobdjwilson/awesome-annual-security-reports/)
