
Introducing Moody’s RMS™ Cyber Solutions Version 10.0: A clearer view of cyber concentration risk

Author: Pratyush Uddagiri, Product Manager – Cyber Risk Modeling and Analytics, Moody’s

The cyber (re)insurance market entered 2026 at an inflection point. Global cyber insurance premiums, according to Munich Re’s Global Cyber Risk and Insurance Survey 2026, totaled close to $15 billion in 2025. As capacity continues to flow into the risk class, the market is expected to expand to $28 billion by 2030.

Strong profitability has driven competition, softer pricing, and broader terms across most of the market. Yet Moody's Ratings recently noted that systemic risk remains the defining concern for cyber underwriters, one that softer market conditions do little to address.

While 2025 did not produce a true systemic event, it did show how a concentration in shared providers and infrastructure can drive portfolio losses across multiple insureds at once.

 

Major cyber events in 2025

When Jaguar Land Rover’s (JLR) production lines stopped on September 1, 2025, due to a cyberattack, the disruption rippled through three of its U.K. plants, a plant in Slovakia, and a supplier base of more than 100,000 workers.

By the time car production resumed five weeks later, the U.K. Cyber Monitoring Centre (CMC) had estimated the financial impact at roughly £1.9 billion ($2.58 billion)—the most economically damaging cyber event in U.K. history.

JLR was not an outlier. Earlier in the year, coordinated attacks on U.K. retailers Marks & Spencer, Co-op, and Harrods were classified by the CMC as a single ‘Category 2’ systemic event with a financial impact between £270 million and £440 million ($367-$600 million).

In October 2025, a 15-hour Amazon Web Services (AWS) US-EAST-1 outage was caused not by a cyberattack but by a DNS race condition, a software flaw that occurs when multiple threads or processes access and manipulate shared data simultaneously. This outage disrupted services at thousands of companies, including Lloyds Banking Group, HMRC, Slack, and Atlassian.

Each of these events differed in cause, but they share a common signature: losses propagating through shared technology dependencies that traditional portfolio views struggle to make visible.

That signature is the central challenge in cyber portfolio management today, and the new Moody's RMS™ Cyber Solutions Version 10.0 aims to provide a clearer view of cyber concentration risk.

 

Why cyber portfolios are getting harder to explain

Cyber insurers are not dealing with a static risk environment, and in particular, the window between vulnerability disclosure and exploitation continues to shrink.

Google Mandiant's M-Trends 2025 report found that vulnerability exploitation remained the leading initial attack vector for the fifth consecutive year.

Sophisticated threat actors are increasingly weaponizing flaws within hours of disclosure, and in some cases before they go public. This is in part due to wider access to AI-enabled tools that can help identify vulnerabilities and help accelerate exploit development.

At the same time, increasing reliance on cloud infrastructure and a relatively small group of technology providers is creating new forms of accumulation risk that are not always visible through traditional portfolio views.

Recent market events, including the attacks on Marks & Spencer, Co-op, and Harrods and the disruption associated with incidents such as the one at U.S. auto dealer CDK Global, have reinforced this point, highlighting the need for better ways to quantify concentration, business interruption potential, and severe but plausible provider disruption scenarios.

Earlier versions of the Moody’s RMS Cyber Solutions Model have helped the market build a more structured view of cyber catastrophe risk, with Version 10.0 now intended to help clients answer some of the questions they are increasingly being asked:

  • What subsets of a portfolio are likely exposed to niche software?
  • How might disruption involving a named technology provider affect portfolios?
  • How should cyber tail risk be explained internally when cloud dependency, software concentration, and attacker capabilities are all evolving simultaneously?

Version 10.0 helps to increase understanding of these issues through updates to the probabilistic model and new deterministic scenario catalogs that allow clients to examine specific forms of concentration and provider disruption in a more structured way.

 

New scenarios, stronger outage analysis, and a refined threat view

One of the most important additions in Version 10.0 is the introduction of two deterministic scenario catalogs: a multi-client targeted attack catalog and a technology provider catalog.

Together, these catalogs give clients a more complete way to examine dependencies within a portfolio, making scenario-based stress testing more useful for internal communication, validation, and resilience planning.

The multi-client targeted attack (MCTA) catalog helps users examine targeted events that have relatively contained footprints but still generate outsized losses, the kind of small-perimeter, high-severity events seen in the recent U.K. retail wave.

Working with our Moody's Cyber Industry Steering Group members, we have recently published a white paper on the challenges of modeling MCTA events.

The technology provider catalog supports stress testing against disruption involving specific technology providers and helps clients assess where concentrations may sit within a portfolio.

Another important development in Version 10.0 is cloud-outage modeling. Building on our prior work on accidental cloud service provider outages in previous models, we have rebuilt the event set in Version 10.0 to expand coverage of possible malicious cloud outages.

With our bespoke in-house event data capture, we then use BitSight cloud dispersion data to help inform a more representative view of outage footprints and recovery behavior. This provides a more complete and representative view of the frequency and severity of these events, and a better understanding of how cloud-related disruption can propagate across portfolios and how outage risk may affect loss potential.

Version 10.0 also advances the network intrusion view of risk. The model incorporates newer threat intelligence inputs, including BitSight cyber threat intelligence, and a new consensus algorithm that helps create a more consistent view across multiple data sources.  

The threat actor module also accounts for the observed acceleration in exploit development timelines, likely driven by access to AI tooling. Together, these updates support a more refined view of threat actor behavior, vulnerability exploitation, and insights into how severe cyber events can unfold.

 

How Version 10.0 supports underwriting and portfolio decisions

For portfolio managers, underwriters, and reinsurers, the practical significance of Version 10.0 is not simply that the model has been updated; it is that certain questions should now be easier to explore with more confidence.

Clients can better examine how disruption involving specific providers could affect portfolio views, assess where horizontal and vertical technology concentrations may sit within a portfolio, and use scenario analysis to support discussions around pricing, accumulation, and capital allocation. The completely rebuilt cloud outage view also provides a stronger basis for evaluating catastrophe layers influenced by cloud service provider risk.

There is also an operational benefit. Version 10.0 introduces workflow improvements to scenario analysis, including the ability to assess multiple scenarios more efficiently and extend automation through APIs. For teams that need to run repeated stress tests or compare multiple deterministic scenarios regularly, this delivers a more streamlined process for ongoing portfolio review.

 

Making cyber concentration easier to examine

A recurring challenge in cyber risk management is that concentration is often discussed in broad terms but not always measured with enough specificity. In practice, portfolio exposure may be shaped not only by dependence on the major hyperscalers but also by reliance on software and service providers that sit deeper in the technology stack or play concentrated roles within sectors and business functions.

Version 10.0 has been developed to help make those dependencies more visible and support a more grounded assessment of where cyber accumulation risk may sit.

That matters because cyber risk is increasingly a board-level issue. The ability to move from general concern to more structured analysis is important not only for underwriting and reinsurance decisions, but also for internal validation, risk communication, and broader portfolio steering. Version 10.0 is intended to support that shift with a stronger data foundation, broader scenario capabilities, and a more current representation of how cyber events develop and scale.

 

Looking ahead

Version 10.0 is a significant model update with newer analytical tools and a more developed view of several core cyber loss drivers. As cyber risk continues to change, model development must reflect new data, dependencies, and new forms of systemic exposure by leveraging best-in-class modeling.

With Version 10.0, Moody’s is extending that work to help clients assess cyber risk with greater clarity and use that insight to support more informed decisions across underwriting, portfolio management, and risk transfer. Contact your Moody's account representative to find out more.