Cyber aggregation risk is no longer a theoretical concern for insurers. It is a growing, systemic exposure testing the limits of underwriting discipline. What once sat in the background has moved firmly into focus, as digital interdependence exposes portfolios to increasingly complex and correlated losses.
For Adelle Gruber, class underwriter at Brit Insurance, that shift has been gradual but unmistakable. “Cyber aggregation has always been something that has been, theoretically, in the back of people's minds,” she said, describing a risk the market long understood but did not fully confront. The turning point came with the move from on-premises infrastructure to cloud-based systems, reshaping both resilience and exposure.
The shift to cloud improved baseline risk quality, removing the need for businesses to maintain costly, quickly outdated infrastructure.
“It was great for companies, cheaper for them to remain up to date with their security postures,” Gruber said. “They didn't have to go and rebuild and spend lots of money on IT infrastructure.”
But that same shift introduced dependency. “There are only so many cloud infrastructure providers that actually exist,” she said, highlighting how concentration risk has become embedded in modern digital ecosystems.
For years, the industry focused on extreme but hypothetical scenarios, particularly a global outage at a major provider. Recent losses suggest the more immediate threat may be less visible. The CDK incident, which disrupted automotive dealers across the US, stemmed from a relatively obscure but widely used software provider.
“The biggest systemic loss, for want of a better phrase, was CDK,” Gruber said. “A very small, no-one had really ever heard of it software-as-a-service provider.”
Events like this highlight how aggregation can build quietly within sectors, driven by shared dependencies that are not always obvious at underwriting. The challenge is not just identifying risk, but understanding where it is concentrated across portfolios.
Views on cyber aggregation remain uneven across the market. “If you ask several different underwriters how they feel about their view of accumulation, I think you'd get several different responses,” Gruber said, reflecting the lack of a consistent industry view.
Even with improved tools, visibility is still limited. “There are some tools out there, but there's only so far that you can genuinely go into modelling that aggregation,” she said. “There is a lot of science behind it, but there's still an element of art.”
The difficulty is compounded by how easily cyber events spread across lines of business. “I think the short answer is: very easily,” Gruber said, noting that a single incident can trigger multiple policies, from cyber and technology E&O to professional liability and beyond.
Attention is also shifting deeper into the supply chain, where dependencies are less visible but potentially just as concentrated. “I think potentially looking not necessarily at the tier-one providers, but the tier-two and tier-three suppliers is where we could get better,” she said.
This is particularly relevant for insurers without dedicated cyber portfolios, where aggregation risk may sit within other lines without the same level of scrutiny. As digital dependencies deepen, those exposures are becoming harder to isolate.
Artificial intelligence adds another layer, though not a fundamentally new one. “I would say it's a different flavour of an exposure that's existed within companies for pretty much as long as IT has existed,” Gruber said, framing it as an evolution rather than a new category of risk. The challenge lies in how it is used. “AI and IT systems do not remove the need for a human to actually check it, fact-check it, and do their job.”
While insurers refine their understanding of aggregation, many SMEs still underestimate their exposure. “No one really cares about us, is often the sentiment,” Gruber said.
In reality, attacks are often opportunistic rather than targeted. “For SMEs, it's the drive-bys, for want of a better phrase,” she said, describing how attackers distribute phishing attempts at scale. Those with weaker controls are more likely to be hit, and the consequences can be severe.
“This is not going to be a five-minute recovery that costs a couple of hundred pounds,” she said. “It's something that's potentially going to be very meaningful and potentially an existential issue for an SME business.”
As reliance on shared infrastructure, software ecosystems and emerging technologies deepens, cyber aggregation is becoming harder to isolate and easier to underestimate. For insurers, the task is no longer just to recognise the risk, but to understand where it is building next.