In a recent study, cybersecurity specialists assessed both the likelihood of large-scale malware incidents and the severe consequences of major cloud outages as tangible scenarios. They also weighed the effectiveness of various mitigation strategies. 

Conducted in partnership with CyberCube, the survey was led by Munich Re and involved 93 cybersecurity professionals. Results were released on July 15. This is the third edition of the survey, with the next planned for 2026. 

The study aims to help the market better understand cyber risk—particularly the strategies used to mitigate systemic cyber events. 

“A fundamental challenge in cyber risk modeling is the deficiency of concrete tail-risk events, such as systemic malware or multi-region cloud outages. This survey represents the best attempt to date to parameterize plausible worst-case scenarios and establish expert consensus,” the authors stated. 

Widespread malware 

The report focuses on three main themes, the first being the widespread distribution of malware capable of paralyzing systems across multiple countries. 

Infamous viruses such as WannaCry and NotPetya, both released in 2017, affected fewer than 0.5 per cent of systems globally at their peak, according to the highest estimates provided by specialists. Similar events, however, remain foreseeable, the report notes. 

A virus infecting 10 per cent of systems would be unexpected, and a 25 per cent infection rate would be considered “shocking.” Experts also pointed out that even a full-scale failure affecting 5 per cent of systems would be a surprising but possible scenario. 

The speed of malware propagation was another key metric assessed. A global infection rate of 5 per cent within a week would be expected, while achieving that rate in three days would be unexpected, but still plausible. A worst-case scenario would see this level of infection reached in 12 hours—still within the realm of possibility, according to respondents. 

“Regarding initial access and spread, the most plausible factors contributing to widespread malware events were identified as software vulnerabilities, software supply chain updates, and operating system vulnerabilities,” the authors noted. 

To counteract malware spread, experts recommended patch management, network segmentation, and backup restoration as the most effective mitigation strategies. Patch management and network segmentation were seen as key to reducing the likelihood of attacks, while backups and segmentation helped reduce impact. 

Companies that maintain strong cyber hygiene by applying all three strategies could reduce both the probability and impact of an infection by between 50 and 80 per cent, according to survey participants. 

“Interestingly, no expert believed that adopting all of these mitigation methods could completely 100 per cent protect an organization, highlighting that there always remains a perceived degree of risk. These insights are particularly valuable given the shortage of prior catastrophic events available to learn from,” the authors wrote. 

Cloud outages 

The second theme in the survey was the risk of major outages involving cloud service providers (CSPs). A growing share of business processes now depends on cloud platforms, particularly in sectors like IT, telecommunications, financial services, healthcare, and retail. 

Risk analysis becomes increasingly complex when internal systems are closely intertwined with services from major CSPs such as Microsoft Azure, Amazon Web Services (AWS), or Google Cloud. Dependency levels vary, but businesses with revenues between $10 million and $100 million were seen as particularly reliant. 

Some larger or more technically mature companies diversify by using multiple CSPs. However, experts agree it is highly unlikely that an organization could quickly transfer its systems from one provider to another in the event of a major outage. 

Respondents also assessed the duration and scope of potential outages. “Respondents reported that a single-day outage of their most critical CSP would likely result in a financial losses equivalent to 1 per cent of yearly revenue,” the report states. 

If an outage lasted up to five days, more than half of respondents believed losses would increase by a factor of seven or more. 

More than half of businesses configure their cloud environments internally, the report adds. “The survey indicated that internal configuration resulted in a nearly 2X greater risk of misconfiguration, compared to setups handled by external experts. This highlights a major operational vulnerability that standard risk assessments may not fully account for.” 

Emerging and systemic threats 

Participants also weighed in on emerging and systemic risks related to cybersecurity, including the role of large language models (LLMs), connected devices, and generative artificial intelligence. 

LLMs have shown to be productivity enhancers across industries, allowing users to quickly learn and implement cybersecurity methodology on both the defense and attack side,” the authors noted. 

For instance, LLMs can be used to launch large-scale, sophisticated spear phishing operations that were once labour-intensive. “Conversely, LLMs also allow practitioners to analyze the sentiment, origin, and prior communication of messages to better detect phishing attempts,” they added.