Major cyber events over the last 23 years do not appear to have had significant impacts on stock market returns, which should be welcome news to potential insurance-linked securities (ILS) investors and could potentially expand sources of capital for the cyber market, according to a new report from Guy Carpenter and Marsh McLennan’s Cyber Risk Intelligence Center.
In a report titled, “Double Whammy? Examining the Correlation Between Major Cyber Events, Guy Carpenter and Marsh McLennan’s Cyber Risk Intelligence Center sought to detect any links between 14 major events and stock market downturns. A key sticking point for ILS investors, per the report, has been the potential for a systemic cyber event to not only impact their deployed capital but also result in stock market drops that could negatively impact their investment portfolios – the aforementioned “double whammy.”
Researchers examined the 30-day performance of the S&P 500 after the SolarWinds event, NotPetya, the cyberattack on Colonial Pipeline, the 2016 distributed-denial-of-service (DDoS) attack on Dyn, and 10 other mass breaches, service outages, or software vulnerabilities deemed “large and impactful” since 2000.
“None of the events had a significant impact on distribution of market returns, with all falling “within the random noise in the market,’” said the authors of the report, adding, “The lack of a broad market effect does not mean these events were not impactful. Quite the contrary—they were deeply impactful to the victims involved, as well as, in some cases, to large parts of the economy.”
To reach the level of the sort of catastrophe that triggers a stock slump, the researchers suggested, a cyber event would likely need to have broader societal or financial effects.
“An albeit- large one-time cost to a company, or even many companies, as we saw with NotPetya, may still not materially impact their operations and future revenue streams enough to create a market sell-off,” the authors of the report said. “Large business interruptions from outages may similarly incur huge losses, but they do not meaningfully change the course of business for the impacted entities.”
Researchers also compared cyber events to other events with known market impacts, including COVID-19 pandemic’s early impact on the stock market, the Sept. 11 terrorism attacks, Russia’s invasion of Ukraine, and the Lehman Brothers’ bankruptcy. They also examined five of the largest hurricanes of the last two decades and found stock market impacts similar to those of cyber events. However, researchers hastened to add, “This is not to say that cyber events and hurricanes are equivalent—they are not.”
“Unlike natural catastrophe risks, the probability and impact of cyber-related risks can be mitigated with human intervention and AI-based cyber management tools, such as identifying and patching exploitable vulnerabilities in a timely manner,” said Jess Fung, Guy Carpenter’s North American cyber analytics lead, in a statement.
Zain Awan, international cyber ILS lead for Guy Carpenter, added, “With appropriate risk transfer structure mechanics, agreement across all parties around what scenarios/events are subject or covered under a cyber catastrophe transaction, along with robust risk modeling to reflect this, cedents and investors will be in a stronger, more confident position to engage and trade cyber risk exposures.”
Managing Editor Erin Ayers can be reached at erin.ayers@zywave.com
