New modelling has found the most likely scenario for cyber catastrophe loss is widespread data theft from a major email service provider, followed by large-scale ransomware at a leading cloud service provider.

Business interruption costs, caused when supply chains stall or factories are offline, made up more than 90% of the insured costs in those scenarios, according to a joint study by Marsh & McLennan subsidiary Guy Carpenter and CyberCube Analytics.

The joint report explored 23 catastrophe loss scenarios and their resulting financial impact, giving potential insured-loss figures.

According to the findings, the total annual cyber catastrophe insured loss figure for a 1-in-100-year event would be $US14.6 billion ($21.42 billion), rising to $US16.1 billion ($23.62 billion) for a 1-in-200-year event.

The study revealed that the highest potential loss value generators are:

• Long-lasting outage at a leading cloud service provider – $US14.3 billion ($20.98 billion) loss
• Large-scale cloud ransomware at a leading cloud services provider – $US11.5 billion ($16.87 billion) loss
• Widespread data loss from a leading operating system provider – $US23.8 billion ($34.92 billion) loss
• Widespread theft from a major e-mail service provider – $US19.1 billion ($28.02 billion) loss
• Large-scale data loss from a cloud service provider – $US22.2 billion ($32.57 billion) loss.

The costliest scenario – widespread data loss from a leading operating system provider – also had the lowest likelihood of this occurring, at beyond 1-in-300-years.

“Through improved data and enhanced analytics, (re)insurers can gain a much more granular understanding of these high-impact scenarios, enabling them to allocate capital appropriately and develop more nuanced underwriting strategies,” CyberCube Analytics CEO Pascal Millaire said.