Cyber Incident Room: Supply chain breach touching a global bank

Peter Kovacs leads information security, privacy governance, and AI risk management at Nudge – a SaaS financial education platform embedded inside the employee benefits stacks of some of the world’s largest organisations.

In this episode, Peter challenges the assumption that strong security means saying no. We discuss the value in unifying information security and data privacy as a single function, and explore why the gap between how organisations say they manage risk and how they actually do often only becomes visible when something goes wrong.

We run Peter through the Cyber Incident Room, a supply chain breach touching a global bank, a client mid-renewal, and data belonging to employees who never chose to be there. The conversation gets into the trust responsibility that comes with that position, how to translate threat into boardroom language and what tightening data privacy regulations mean for the decisions security leaders make under pressure.

We’ll be discussing frameworks for identifying concentration exposures in your portfolio, 3 realistic catastrophe scenarios with estimated impact ranges, and shared methodology for stress testing that both primary and reinsurer teams can use in renewals discussions.

What We’ll Tackle:
1. Cloud Infrastructure Aggregation
– Identifying hidden concentrations across AWS/Azure/GCP
– Business interruption triggers from single cloud provider failure

2. Software Supply Chain Dependencies
– Modeling downstream impact of critical vendor compromise
– CrowdStrike-style scenarios – operational failure vs. malicious attack

3. Correlation vs. Independence Assumptions
– Where current models underestimate simultaneous claims
– Geographic/sector diversification – does it actually reduce systemic risk?

4. Realistic Loss Scenarios & Stress Testing
– Building credible catastrophe scenarios with limited historical data
– PML estimates reinsurers will accept vs. what actuaries can defend

Why Now?
Reinsurers are increasingly challenging primary insurers’ accumulation assumptions, while regulators demand stress testing that current models can’t support. With limited historical data for systemic cyber events, both sides need new approaches to quantify concentration risk.

Attendees:
– Head of Cyber Cat Modeling/Portfolio Management
– Chief Actuary / CRO
– Reinsurance Brokers
– Reinsurer Underwriters & Cat Modelers

Participants

Guest

Peter J. Kovacs

Peter J. Kovacs

Head of Information Security @ nudge