PCS designates Change Healthcare & MOVEit as cyber catastrophe loss events
Property Claim Services (PCS), the provider of industry loss estimates and loss data globally and a unit of Verisk, has designated two cyber attacks as PCS Cyber Catastrophe Loss Events, meaning they are each expected to result in more than US $250 million of industry insured losses, Artemis has learned.
Under its PCS Global Cyber product, the company monitors global cyber attacks and potential cyber insurance market loss events, reporting on them when they surpass $25 million in losses and then designating them as cyber catastrophes when their losses are understood to have surpassed $250 million.
The service provides industry loss estimates for risk losses caused by cyber, through affirmative cover in a standalone cyber program or as part of a blended program that explicitly includes cyber, as well as for nonaffirmative or so-called silent cyber losses (such as to property lines or D&O).
In order for an event to become a cyber catastrophe, it must also affect multiple insureds and multiple insurers, while PCS will report both the affirmative and nonaffirmative loss totals individually, as well as the insurance market-wide loss figure.
Now, PCS has designated both the MOVEit cyber attack and the Change Healthcare cyber attack as PCS Cyber Catastrophe Loss Events, thereby activating its loss aggregation and estimation procedures for a cyber cat insurance market loss.
It’s notable that these are the first two cyber catastrophe events to be designated by PCS since the 144A catastrophe bond market saw its first four cyber cat bond issuances.
Both of these cyber attacks are what are known as malware incidents, categorised as cyber extortion attempts, in which hackers seek to induce payments from the affected organisations.
But they can also involve data breach or loss and the knock-on effects and ramifications can cause ripples not just across the affected company, but a wider industry or market segment as well.
The first to be designated a PCS Cyber Catastrophe Loss is the MOVEit cyber attack that occurred in May 2023.
It occurred when hackers exploited a vulnerability in the MOVEit Transfer software product, owned by Progress Software, and used it to steal files from affected organisations. The attack is thought to have been undertaken by Cl0p, a Russian-affiliated cyber gang, which told victims of the hack that they should negotiate a ransom payment, or face having their private data leaked onto the internet.
At the time it was first said that UK companies were the worst affected, with major names including British Airways, Boots, the BBC, EY and Transport for London all cited as being affected.
But now, data from cyber security company Emsisoft suggests more than 2,700 organisations were impacted by the MOVEit breach by April 2024 and that the majority of those organisations were US-based, with over 90 million individuals affected, making this a truly global cyber event.
Given the reach and severity of the incident, it’s no surprise that insurance market losses have been mounting, sufficiently for PCS to designate this a cyber cat, suggesting the insurance and reinsurance industry loss from it will be above $250 million.
The second event is the more recent Change Healthcare cyber attack breach, which occurred in February 2024 and severely impacted this unit of insurance giant UnitedHealth Group’s Optum division, resulting in an inability to make payouts to doctors and other health practitioners or institutions.
US-wide, pharmacies reported disruptions to their ability to process insurance claims payments, while patients had to pay for services and medications out of pocket in many cases.
While there was a ransom payment (said to be $22m) that could be claimed for UnitedHealth itself, it is the wider ramifications across the healthcare industry in the United States that could drive the higher loss quantum here, with suggestions that extra expense claims and business interruption (due to cash flow disruption) are also being made, some likely nonaffirmative in nature (so not from policies explicitly covering cyber risks).
The ransomware group behind the Change Healthcare cyber attack self-identified as ALPHV/Blackcat, a well-known cyber criminal group from Russia with a particular focus on ransomware.
Some of the Change Healthcare systems are still interrupted after this cyber attack and the issues continue to affect payments across its network of providers and healthcare professionals.
At the same time, UnitedHealth reported that it was reaching out to customers concerned about potential data loss due to the cyber attack.
The ransomware attack was claimed to have resulted in the collection of a massive trove of data by the hackers, and media reports have said lawsuits against Change Healthcare have been piling up.
Meanwhile, UnitedHealth has been advancing billions of dollars to help payments continue to flow through its network of services and providers, and earlier this month reported $872 million in “unfavorable cyberattack effects” in its first-quarter earnings.
UnitedHealth said that it anticipates between $1 billion and $1.15 billion in direct costs in 2024 because of the cyber attack and forecasts a further $350 million to $450 million as a result of business disruption, including lost revenue.
Once again, given the scope of the Change Healthcare ransomware impacts and how widely they have reached, as well as the costs of the cyber attack, it’s perhaps no surprise to learn the cyber insurance industry loss is expected to be above $250 million, leading to the event being designated as a PCS Cyber Catastrophe Loss.
Now, with these two cyber attacks designated as insurance catastrophes, PCS will continue to monitor them, survey the cyber and broader insurance industry and report on the quantum of industry losses related to each.
As we said, this is perhaps particularly notable for Artemis readers in 2024, as these are the first cyber catastrophe loss events to be designated since the recent issuance of the first 144A cyber catastrophe bonds.
All four of the cyber catastrophe bonds issued to date will certainly have at least some exposure to the development of losses from these two cyber attacks.
However, at this stage it seems these cyber catastrophe events will not aggregate to anything near the level of losses that might be required to trigger a cyber cat bond, given these first deals tend to cover relatively high layers of reinsurance and retrocession.