Systemic cyber risk: The growing threat to global supply chains
Systemic cyber risks are overwhelming global supply chains, exposing businesses and insurers to failures traditional cyber insurance can’t cover.

The November 16, 2021, collapse of Google Cloud did more than disrupt Gmail access for millions—it triggered a chain reaction across global supply chains. Spotify went silent, Facebook services crashed, and revenue vanished for small businesses dependent on cloud platforms. This disruption stemmed not from a cyberattack, but from an unintended network configuration error. Its impact, however, was systemic and widespread, underscoring how vulnerable digitally connected enterprises are to cascading failures.
This is systemic cyber-risk—one of the most underappreciated threats in business today. Research from the Massachusetts Institute of Technology (MIT) and the University of Southern California (USC), presented in “A Theory to Estimate, Bound, and Manage Systemic Cyber-Risk” at the ACM SIGSIM PADS 2025 Conference, reveals that exposure and interdependence across enterprises are far greater than most executives imagine.
Cyber insurance traditionally assumes risk can be isolated: one enterprise is attacked, pays a deductible, and the insurer covers the loss. But this model collapses in a world where every company is part of an interconnected digital ecosystem.
The 2017 NotPetya malware attack is a stark example. Originating from compromised tax software, it spread rapidly and affected companies such as Maersk, FedEx, and Mondelez—despite their lack of direct connection to the initial vulnerability. Losses ran into hundreds of millions, most borne directly by companies rather than insurers.
Similarly, the 2021 ransomware attack on Colonial Pipeline shut down energy supplies across the eastern United States, crippling thousands of dependent businesses. Traditional risk models simply do not reflect the reality of digital supply-chain interdependence.
Actuaries face a major hurdle: systemic cyber-risk cannot be priced reliably. Traditional models rely on historical data and predictable patterns, but systemic events follow heavy‑tail risk distributions—rare but catastrophic events that occur far more often than standard statistical models predict.
The MIT-USC research group developed the first comprehensive statistical theory for total cyber risk across enterprise networks. Their model accounts for interdependent risks, non-standard distributions, and the role of supply-chain network topology in determining aggregated exposure.
Reinsurers often assume they can mitigate systemic cyber risk the way they diversify traditional property and casualty risk—by spreading exposures across geographies and industries. But this assumption fails when risks are interconnected.
Pal et al. created a classification system, using decision theory and majorization theory, to assess whether cyber‑risk portfolios can be diversified. Their findings: diversification works only for risk exposures with light to moderate tails and finite means. For very heavy‑tail risks—the 1‑in‑500 or 1‑in‑1000‑year events—adding more policies can actually increase expected losses. This counterintuitive outcome is known as the Value‑at‑Risk paradox.
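The following Monte Carlo experiment is an added illustration of the Value‑at‑Risk paradox described above; it is not the Pal et al. classification or any code from the paper. It pools n independent policies and compares the 99% Value‑at‑Risk (VaR) per policy with the VaR of a single policy, for two constructed loss distributions: an exponential loss (light tail, finite mean) and a Pareto loss with tail index alpha = 0.6 (so heavy that the mean does not exist). The distributions, parameters, seed and the number of policies are assumptions chosen for the demonstration, not values from the research.

```python
import random

# Added illustration (not the Pal et al. model): how pooling n independent
# policies changes the 99% VaR per policy for a light-tailed loss versus a very
# heavy-tailed loss. All distributions and parameters are constructed examples.


def pareto_loss(rng, alpha, scale=1.0):
    """One Pareto-distributed loss via inverse-CDF sampling: scale * U^(-1/alpha).
    For alpha <= 1 the distribution has no finite mean."""
    u = 1.0 - rng.random()  # uniform on (0, 1], so no division by zero
    return scale / (u ** (1.0 / alpha))


def exponential_loss(rng, mean=1.0):
    """One exponentially distributed loss (light tail, finite mean)."""
    return rng.expovariate(1.0 / mean)


def value_at_risk(samples, level):
    """Empirical VaR: the loss exceeded in only (1 - level) of the samples."""
    ordered = sorted(samples)
    index = min(len(ordered) - 1, int(level * len(ordered)))
    return ordered[index]


def per_policy_var(draw, n_policies, level=0.99, trials=50_000, seed=7):
    """VaR of the average loss per policy when n_policies iid losses are pooled."""
    rng = random.Random(seed)
    averages = []
    for _ in range(trials):
        total = sum(draw(rng) for _ in range(n_policies))
        averages.append(total / n_policies)
    return value_at_risk(averages, level)


def diversification_ratio(draw, n_policies=10, level=0.99):
    """Pooled VaR per policy divided by single-policy VaR.
    Below 1: pooling lowers tail capital per policy (diversification works).
    Above 1: pooling raises it (the Value-at-Risk paradox)."""
    pooled = per_policy_var(draw, n_policies, level)
    single = per_policy_var(draw, 1, level)
    return pooled / single


def light_tail_ratio():
    """Exponential losses with mean 1: diversification helps (ratio below 1)."""
    return diversification_ratio(lambda rng: exponential_loss(rng, mean=1.0))


def heavy_tail_ratio():
    """Pareto losses with alpha = 0.6: pooling makes the tail worse (ratio above 1)."""
    return diversification_ratio(lambda rng: pareto_loss(rng, alpha=0.6))


if __name__ == "__main__":
    print(f"exponential losses, 10 policies: VaR ratio = {light_tail_ratio():.2f}")
    print(f"Pareto(alpha=0.6) losses, 10 policies: VaR ratio = {heavy_tail_ratio():.2f}")
```

For the light‑tailed case the pooled 99% VaR per policy is well under half the single‑policy VaR, which is the diversification effect reinsurers count on. For the Pareto case with alpha = 0.6 the ratio comes out several times above 1: the tail of the sum is dominated by the single largest loss, so each additional policy adds more tail exposure than it spreads. This is the sense in which VaR fails to be subadditive for very heavy tails, and it is why a portfolio rule that works for property and casualty risk does not transfer to systemic cyber risk.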
Three implications stand out for digitally connected businesses:
1. Every vendor, customer, cloud provider, and logistics partner affects your cyber-risk. A breach anywhere becomes your problem immediately.
2. When an entire supply chain falters, insurers face exponential claim growth. Re-insurers may withdraw or drastically increase premiums, as seen in the market’s slow growth despite rising threats.
3. The Pal et al. model is the first attempt to capture general cyber‑risk distributions and network structures. The insurance industry remains unprepared for the types of failures the research describes.
The Pal et al. model offers a starting point for sustainable portfolio diversification and better risk quantification. But transitioning from legacy models to network‑based, heavy‑tail approaches will take time.
The insurance industry must:
Systemic digital risk is now the norm: interconnected, heavy‑tailed, and difficult to manage. Mathematics is beginning to catch up, but the real question is whether business leaders and insurers will adapt quickly enough.
First Published: Feb 19, 2026, 11:36