Author: Alex Mican, Director - Risk Management, Moody's
From Jaguar Land Rover, Amazon Web Services (AWS), Salesforce, Asahi Beer, retailers Marks & Spencer and the Co-op in the U.K., to billion-dollar cryptocurrency heists at Dubai-based cryptocurrency exchange Bybit, 2025 offered no shortage of high-profile companies caught up in cyber events.
Cyber-attacks seem to happen whenever and wherever; no business sector appears immune to their global reach, and this constant flow of events can give the impression of an unrelenting threat environment.
For the cyber insurance-linked-securities (ILS) market, which looks to provide capital to cover major, end-of-the-tail events, this background noise can make it harder to distinguish between attritional events and truly systemic risk, potentially influencing how risk is evaluated and transferred by investors and cedents.
This disconnect between high-profile events that look devastating from the outside and the level of losses they actually generate has prompted important questions from ILS investors and cedents about what these events really tell us about cyber catastrophe risk.
How can one distinguish between events that are more ‘normal’ and those genuinely systemic cat events that the insurance industry should worry about?
It’s easy to get caught up—a high-profile business is affected, and the headlines outline a significant impact caused by a cyber-attack. But that does not automatically equate to large losses for the insurance industry.
Many factors need to be considered: the resilience of a business’s IT/digital infrastructure, how dependent the business is on its IT systems, the direct impact on production and sales, the consequences of IP or data theft, and so on.
Real-world model validation
Moody’s uses reported cyber events as a real-world ‘stress test’ and a moment to validate and recalibrate our cyber risk models, to see if our modeling matched the losses from the event.
Systemic cyber-attacks, which spread from a single organization or a contained group of organizations through networks and software to engulf thousands, are fortunately rare.
Most individual cyber events will fall into the category of attritional losses, generating high-frequency, low-severity insurance claims, with insurers drawing from earnings rather than reinsurance layers and ILS bonds.
Even when events don’t scale, counterfactual analyses help validate model assumptions, such as propagation and resilience, and show whether any new learnings can be incorporated into modeling: whether attack modes are changing, which new vulnerabilities have emerged, which sectors are the most at risk, and so on.
Rise of non-malicious cyber events
What has been interesting over the past couple of years is an increase in non-malicious cyber events, arising from the rollout of faulty software updates or issues causing prolonged cloud outages.
With more than 10 years of cyber modeling experience, Moody’s adapts to the current cyber threat landscape while keeping an eye on the future. Cloud Service Provider (CSP) outage modeling has been refined over the last few years to deliver a very complete and representative view of CSP outages.
This CSP outage modeling has now fed into cloud dependency modeling—examining business sectors and their dependence on cloud services for business operations and sales.
Cloud dependency has been an important modeling innovation recently incorporated into Moody’s cyber risk models, which leverages firmographic inputs from Moody’s Orbis database.
Major CSP outage events, such as the ~14-hour AWS US-EAST-1 outage in October 2025, served as validation for this view of risk introduced by Moody’s Cyber Solutions Version 9.
Models examining tail risk must focus on cascading effects, not just initial triggers. An event’s initial cyber risk triggers, amplified by media headlines, may seem dire, but many events do not scale or are not systemic in nature. Through model validation, we can see where specific events lie in terms of tail-risk potential, and how most events fall into the ‘attritional’ zone.
This blog does not suggest that recent events point toward reduced cyber tail risk. True tail-risk events remain (very much) plausible, and are still largely centered on large-scale cloud service provider outages, contagious malware and systemic technology failures: scenarios that, although less frequent, are far more consequential.
What this blog underscores is a need for a continual, robust scenario analysis framework that helps focus on financial impact rather than media attention, so that a business can offer clear communication around event scope and significance.
Cyber risk will continue to generate attention-grabbing events. The real value lies in understanding which events meaningfully shift the loss curve—and why.