Reinsurance News

MOVEit & Change Healthcare attacks designated as cyber catastrophe loss events by PCS

29th April 2024 - Author: Luke Gallin

Verisk’s Property Claim Services (PCS), a provider of industry loss estimates and loss data globally, has designated the MOVEit cyber attack and the Change Healthcare cyber attack as PCS Cyber Catastrophe Loss Events, as reported first by our sister publication, Artemis.

The PCS Global Cyber solution monitors cyber attacks and potential cyber insurance market loss events, and reports on them when they surpass USD 25 million in losses. For PCS to designate these cyber attacks as PCS Cyber Catastrophe Loss Events under that solution means they are each expected to drive insurance industry losses of more than USD 250 million.

The first to be designated a PCS Cyber Catastrophe Loss is the May 2023 MOVEit cyber attack. Hackers exploited a vulnerability in the MOVEit Transfer software product, and used it to steal files from organisations.

It’s believed that the MOVEit attack was conducted by Cl0p, a Russian-affiliated cyber gang, which told victims of the hack that they should negotiate a ransom payment, or face having their private data leaked.

After the cyber attack happened, UK firms such as British Airways, Boots, the BBC, EY, and Transport for London were all cited as being affected, but data from cyber security firm Emsisoft claims that more than 2,700 organisations were impacted by the attack up to April 2024, many of which were US-based. In fact, as many as 90 million individuals are thought to have been affected.


With so many organisations and individuals impacted, the MOVEit breach was truly global, and the fact that insured losses have been building to the point where PCS has designated it a cyber catastrophe suggests re/insurance market losses of above USD 250 million, and potentially quite a bit above.

The second event, the Change Healthcare cyber attack breach, occurred in February of this year. It significantly impacted insurer UnitedHealth Group’s Optum division, resulting in an inability to make payouts to doctors and other health practitioners or institutions.

Across the U.S., pharmacies reported disruptions to their ability to process insurance claims payments, and in many instances, patients had to pay for services and medications themselves.

ALPHV/Blackcat, a well-known cyber criminal gang from Russia with a particular focus on ransomware, self-identified as the culprit of the Change Healthcare cyber attack.

UnitedHealth said that it expects between USD 1 billion and USD 1.15 billion in direct costs this year as a result of the attack, and forecasts a further USD 350 million to USD 450 million as a result of business disruption, including lost revenue.

This is another severe and far-reaching cyber attack, and so it’s not too surprising that PCS has also designated this event as a cyber catastrophe, meaning insurance and reinsurance industry losses of at least USD 250 million.

The PCS Global Cyber product provides loss estimates for risk losses caused by cyber, via affirmative cover in a standalone cyber program or as part of a blended program that explicitly includes cyber, as well as for non-affirmative losses.

As explained by PCS, for an event to become a cyber catastrophe, it must also impact numerous insureds and multiple insurers. PCS reports both the affirmative and non-affirmative loss totals individually, as well as the insurance industry loss.

With the MOVEit and Change Healthcare attacks now designated as cyber catastrophe events, PCS will continue to monitor both, and will report on the level of industry losses related to each breach.

It’s notable as this is a rarity, and also because these are the first two events to be designated as cyber catastrophes since the arrival of the 144A cyber catastrophe bonds in 2023.

However, and as noted by Artemis, while the four 144A cyber cat bonds will have some exposure to the development of losses from these two attacks, at this stage, it seems these two cyber events will not aggregate to close to the level of losses that might be required to trigger a cyber cat bond.
