A collaboration between Guidewire Cyence and Guy Carpenter

The cyber landscape has been rapidly changing throughout 2025. US federal deregulation and defunding of key cyber agencies, nation-state cyber activity and ongoing foreign wars: these developing conditions create new uncertainty, and present new opportunities for cyber attackers to capitalize on the uncertainty. For example, recent reductions in US federal oversight over security standards for large cloud providers present the opportunity for such providers to decrease resource allocation toward security protocols or vulnerability remediation, both previously standard practices in the industry.

Nevertheless, large cloud providers may also benefit from any newly freed resource, potentially accelerating R&D velocity with fewer regulatory obligations. It is entirely possible that this improved velocity on network security innovation would outweigh the vast reduction of federally established protocols. However, the ultimate impact of these procedural adjustments cannot easily be measured: in all likelihood, deregulation impacts on security will overtake efficiency benefits, at least in the short term. Therefore, it can be considered that the general 2025 cyber industry landscape is at a higher risk level than in 2024.

In response to this tumultuous moment in time, financial and insurance markets require a fresh estimate of industry cyber exposure. In this spirit, Guidewire Cyence (Cyence) and Guy Carpenter (GC) are releasing a newly constructed, fully unique and up-to-date US Cyber Industry Exposure Database and Loss Curve (IED).

The IED satisfies a number of use cases, including market exposure measurement, aggregation benchmarking, data supplement and support, and various risk transfer vehicle calculations. Cyence and GC plan to maintain this collaboration with regular updates, new version releases and additional functionality for the IED product beyond 2025, including the expansion from US to a global view. This paper will explore Cyence and GC opinions on market conditions, showcase IED statistical outputs, and provide a step-by-step walkthrough of our IED build logic.

We abide by the principle of full transparency: a single numerical curve without insight into its construction should not be sufficient justification to trust a model. Thus, our goal with this paper is to encourage deeper discussions not only on the technical findings, but also any potential areas for improvement in future iterations, to garner trust and comfort in our collaborative solution. We look forward to this discussion.

Table of Contents

The opening sections of this paper capture the main findings of the IED project and the general cyber landscape opinions shared across GC and Cyence. Readers who wish to examine IED build details can refer to the sections under “IED Methodology Detail.” Finally, we provide a preview of future IED iterations for successive Cyence model versions.

Executive Summary and IED Results
Methodology Detail

Executive Summary and IED Results

As expounded upon later in the “Define IED Form and Scope” section, an Industry Loss Curve is fundamentally an ascending curve of possible extreme cyber loss scenarios, each assigned a unique likelihood. In this case, the Cyence and GC loss curve results include sets of both the largest event per simulation year (“Occurrence Exceedance Probabilities” or “OEP”), and total annual loss years (“Aggregate Exceedance Probabilities” or “AEP”). Other cyber risk metrics are also included in the analysis, but some high-level benchmark statistics from our analysis can be summarized as follows:

[Figure: OEP and AEP VaR (Value at Risk) curves]

OEP and AEP simulated years are individually ordered in the line chart (top). Across 10,000 simulation years, the largest 200 loss years represent the 1-in-50 return period and beyond.
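
The OEP and AEP ranking described above, as an added example that is not part of the original paper or the Cyence model: it builds a constructed toy year-loss table and reads return-period losses off each curve by rank, so that with 10,000 simulated years the 1-in-50 point is the 200th largest year. The event frequency, the Pareto severity, the loss units and all function names are assumptions for illustration, not IED parameters or results.

```python
import random

def simulate_years(n_years, rate=0.3, seed=2025):
    """Constructed toy year-loss table: one list of event losses per simulated year.
    Frequency and severity are arbitrary assumptions, not IED parameters."""
    rng = random.Random(seed)
    years = []
    for _ in range(n_years):
        events, t = [], rng.expovariate(rate)
        while t < 1.0:                               # event arrivals within one year
            events.append(rng.paretovariate(1.5))    # heavy-tailed severity, arbitrary units
            t += rng.expovariate(rate)
        years.append(events)
    return years

def ep_curves(years):
    """Return (oep, aep): per-year largest event and per-year total loss,
    each sorted from the worst simulated year downward."""
    oep = sorted((max(ev, default=0.0) for ev in years), reverse=True)
    aep = sorted((sum(ev) for ev in years), reverse=True)
    return oep, aep

def rank_for_return_period(n_years, return_period):
    """Rank (1 = worst year) of the 1-in-RP point under simple empirical ranking."""
    rank = n_years // return_period
    if rank < 1:
        raise ValueError("return period exceeds the number of simulated years")
    return rank

def loss_at(curve, return_period):
    """Loss read off a sorted OEP or AEP curve at the given return period."""
    return curve[rank_for_return_period(len(curve), return_period) - 1]

if __name__ == "__main__":
    oep, aep = ep_curves(simulate_years(10_000))
    for rp in (50, 100, 250):
        rank = rank_for_return_period(len(oep), rp)
        print(f"1-in-{rp}: rank {rank}, OEP {loss_at(oep, rp):.2f}, AEP {loss_at(aep, rp):.2f}")
```

Because each year's total is at least its largest event, the AEP value is never below the OEP value at the same return period; the gap between them is the contribution of the other events in that year.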
Feasibility of a 1-in-100 174% US Gross Loss Ratio Result

The return period table above represents modeled losses derived from the Cyence Model 7.1 US IED industry loss curve. At the 1-in-100 return period level, it suggests a 174% US industry-wide aggregate loss ratio. This particular simulation year is composed of 69 loss ratio points of attritional (non-cat) accumulated loss, with the remaining 105 points stemming from a single cat event of $9.9B. This 69% attritional loss ratio is higher than Cyence modeled expectation for the upcoming policy year of 42% (refer to note in Executive Summary, page 3). However, this 1-in-100 tail return period result is intended to reflect a worse than average policy year; one that is still well within reasonable possibility, especially considering the high cyber industry loss ratio experience in 2019 and 2020.

• Despite being the most economically damaging cyber event in history, NotPetya impacted only 2,300 businesses worldwide, primarily focused on Ukrainian businesses, given the initial backdoor for entry was a regionally used tax-management software mostly unique to Ukraine (M.E. Doc). Additionally, only a single EternalBlue