Risk aggregation is not a new phenomenon. The insurance industry, for example, has long examined how shared assets and similarities between organizations in their books bundle potential risk. Risk aggregation is the grouping of compounded risks together to understand the overall risk to an organization, a region, an industry, and more. For example, if a hurricane hit a specific region, the potential property damage could result in a cluster of insurance claims; this is considered an aggregate risk.
Insurance providers have to consider both the implications of aggregate risk and those risks compounding to create a singular, catastrophic event that affects a large number of policyholders. Think of this like an insurer choosing to sell home insurance to everyone in a city, then a hurricane destroys every house in that city — it would lead to massive volumes of claims.
We haven't seen such an event in cyber yet, but the worry is that one massive cyber incident could result in an unmanageable chain of technological events that becomes catastrophic for businesses, even economies, around the world. And as cybercriminals get bolder, the possibility of compounding cyber-risk factors becomes a more significant concern.
However, aggregate risk plays out a little differently in cyber. During a hurricane, you cannot move the houses in the path of a hurricane to a different location to avoid damage. But organizations can implement specific security controls to help prevent a catastrophe during a cyber incident. Whether that's implementing defensive measures against distributed denial-of-service attacks, patching the latest severe vulnerability, or deploying applications to multicloud or regional clouds, there are many ways to reduce aggregate risk — and even avoid a catastrophe — in cyber.
When considering aggregate cyber-risk, security professionals shouldn't get caught up in clickbait headlines. They need to understand two things in order to proactively secure their organizations: One, cyber-risk is constantly changing, and two, when informed by data-driven insights, aggregate cyber-risk does not need to become catastrophic.
Cyber-Risk Is Volatile and Dynamic, But So Is Technology
Cyber-risk is ever-changing because new vulnerabilities crop up daily, making it especially hard to predict how risk will evolve. Case in point: Coalition estimates that the number of Common Vulnerabilities and Exposures (CVEs) will increase by 13% from 2022 to 2023. This number will likely continue to grow year-over-year as more researchers enter the field and more technology is introduced.
However, the rising number of CVEs should not scare security professionals into thinking all hope is lost. There is still a ceiling for the number of organizations that attackers can target and the volume of vulnerabilities they can exploit. The dynamics of the growing risk landscape parallel mitigation: Detection speeds are also increasing, and software updates and patches are getting released more quickly to resolve newly detected issues. Basically, we're getting smarter along with our attackers.
Instead, it would serve the industry to think about risk aggregation at a more personal, granular level: Address the most significant risk areas specific to your organization or industry first because that's often where the most pain can be inflicted.
Security professionals may also need to change how they typically discuss risk to make it a broader C-suite conversation. For example, communicating about risk in terms of dollar signs — not vulnerability severity scores — can help a CFO decide how much insurance coverage they should purchase.
A Data-Driven Approach to Modeling Cyber-Risk
The truth is that cybersecurity is manageable and can be properly underwritten, given the right data and technical expertise. Ironically, more data exists about cyber-risk than any other risk in the world. Using this massive amount of data to our advantage can help dramatically impact aggregate cyber-risk’s impact on organizations.
In a Coalition simulation modeled against a sampling of 5,000 top-growth US companies, we discovered that a cyber event with a one-in-250-year likelihood could cost more than $370 million in losses. When extrapolated across the entire US economy, a catastrophic cyber event could cost $30 billion in total losses.
But our model also uncovered that a catastrophic event is far more likely to be localized. Looking at aggregation technologies and vendors — the shared technology infrastructure on which aggregate cyber-risk is built — we can see that cyber-risks aren't as interconnected as you'd think. Assets aren't all located in the same homogeneous physical locations or virtual environments.
For example, if a cloud services provider were to go out, it's highly improbable that this would happen globally; it would more likely impact only a specific segment. While cloud computing providers operate hundreds of thousands of physical servers and millions of virtual machines around the globe, their infrastructure and operations are highly segmented, which would prevent the failure of any one element from spilling over to another.
It's Not About Eliminating Risk, but Managing It
We can't prevent a catastrophic cyber event or know the extent to which risk aggregation could be catastrophic, especially because there are no historical examples to guide the way. Cyber is a dynamic and complex type of risk, and insurance providers can't treat it with the same typical aggregation techniques used in the past.
Understanding cyber-risk starts with being comfortable with change and using the right skills and mindset to chip away at the unknowns. Cyber-risk is knowable and quantifiable, even if it will likely be unpredictable.