As cyber risk continues to escalate in scale and complexity, to help the growing cyber insurance market understand the risk in its broadest sense, Moody’s is proud to announce a major milestone in our cyber modeling capabilities with the upcoming release of Moody’s RMS Cyber Solutions Version 9.0.
This release reflects the deepening strategic partnership between Moody’s and Bitsight. It brings together best-in-class cyber risk analytics and a robust modeling framework to help (re)insurers better understand, price, and manage catastrophic cyber events, especially those involving cloud service provider (CSP) outages.
Within version 9.0, and at the center of our CSP risk modeling, is the integration of Bitsight’s cloud dispersion analytics dataset, which offers unparalleled visibility into cloud provider and service region concentration as well as technology dependencies across bespoke insurance portfolios.
Bitsight’s cloud dispersion dataset powers key model enhancements, including the ability to assess asset importance—a nuanced metric based on factors such as system usage, special certificates, egress IPs, and the criticality of services hosted. This level of granularity within Bitsight’s raw cloud dispersion data allows insurers to understand potential systemic failure points and respond to those failures as they arise.
In addition, version 9.0 refines the existing cloud service adoption model, leveraging Bitsight’s observed usage data to estimate the probability that companies graded by size and sector rely on major CSPs like Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform, and their specific regions and services.
This helps underwriters, reinsurers, and risk managers pinpoint where cloud concentration risks exist and understand how such dependencies could impact catastrophic cyber (re)insurance losses.
Figure 1: Bitsight’s Cloud Dispersion Analytics across the largest ~1M companies broken down by country. Data is available on unique portfolios to understand cloud concentration risk based on provider and region.
With Bitsight’s data now tightly woven into the Moody’s RMS cyber risk modeling framework, (re)insurers can more accurately assess concentration risks, respond to such events, and inform strategic decisions across the insurance value chain.
Figure 2: An illustrative view of Bitsight's fourth-party data, showing a firm with a pronounced activity reduction over 20 hours, a period beginning shortly after the problematic patch was released by CrowdStrike. After these 20 hours of reduced activity, we see the signal returns to levels within the modeled bounds of what is deemed “normal” (blue line and shading).
These cloud modeling enhancements arrive at a critical moment. The CrowdStrike outage in July 2024, illustrated in the figure above, impacted CSPs for around 24 hours, highlighting the reality of large-scale disruptions stemming from vendor failures and a need for actionable insights to measure portfolio exposure, estimate downtime, and model resilience.
In addition to impacting the model, the cloud dispersion data and the fourth-party analytics are available for use in bespoke portfolios of (re)insureds, unlocking both cyber event response and in-house modeling applications.
Beyond these new cloud-specific capabilities, Moody’s RMS Cyber Solutions version 9.0 is built on a comprehensive, probabilistic framework to offer a unified view of cyber risk, covering catastrophic and attritional losses across IT and cyber-physical perils.
The five-peril model spans a full spectrum of attack vectors, including data exfiltration, denial of service, cloud service provider failure, contagious malware, and financial theft, among others, and supports analysis at every level. The Moody’s cyber risk model has continued to evolve with the threat landscape to help (re)insurers quantify their losses, including contract terms and conditions.
Our data model captures the critical attributes necessary to perform this analysis and can leverage Moody’s Orbis data to fill in firmographic gaps where they exist. We see version 9.0 as a transformative release that reflects the power of combining Moody’s global modeling expertise with Bitsight’s industry-leading cyber risk telemetry, and together, we are providing the insurance industry with a differentiated, unified view of cyber risk—from underwriting to exposure management and beyond.
Cyber Solutions Version 9.0 is a transformative release that reflects the power of combining Moody’s global modeling expertise with Bitsight’s industry-leading cyber risk telemetry. Together, we are providing the insurance industry with a differentiated, unified view of cyber risk - from underwriting to portfolio, exposure management, and beyond.
Cyber risk is dynamic, but with Moody’s and Bitsight, it is also measurable, manageable, and (re)insurable.
LEARN MORE
Moody's insurance solutions
Our differentiated solutions bring together technology, data and analytics and insights, helping insurers, reinsurers, and brokers address their most complex challenges and make better decisions with confidence – therefore helping to close the insurance gap and drive performance.