A major global cyberattack could potentially trigger $53bn of economic losses, or the equivalent of a catastrophic natural disaster like 2012’s Superstorm Sandy, according to research by Lloyd’s.
The London-based specialist insurance market outlines the scenario in a joint study with cyber risk analytics modelling firm Cyence.
Their report, entitled ‘Counting the cost: Cyber exposure decoded’, reveals the potential economic impact of two scenarios:
– a malicious hack that takes down a cloud service provider with estimated losses of $53bn
– attacks on computer operating systems run by many businesses around the world which could cause losses of $28.7bn.
By comparison, Superstorm Sandy in October 2012, the second costliest tropical cyclone on record, is generally considered to have caused economic losses of between $50bn and $70bn.
The report describes two scenarios:
• Scenario 1: Cloud service provider hack.
A sophisticated group of “hacktivists” sets out to disrupt cloud-service providers and their customers to draw attention to the environmental impacts of business and the modern economy. The group makes a malicious modification to a “hypervisor” that controls the cloud infrastructure. This causes many cloud-based customer servers to fail, leading to widespread service and business interruption.
• Scenario 2: Mass vulnerability attack.
A cyber analyst accidentally leaves a bag on a train; the bag contains a hard copy of a report on a vulnerability that affects all versions of an operating system run by 45% of the global market. This report is traded on the dark web and is purchased by an undetermined number of unidentified criminal parties who develop system exploits and begin attacking vulnerable businesses for financial gain.
The report notes that, while demand for cyber insurance is increasing, the majority of these losses are not currently insured, leaving an insurance gap of tens of billions of dollars.
“This report gives a real sense of the scale of damage a cyberattack could cause the global economy,” said Inga Beale, chief executive officer (CEO) of Lloyd’s. “Just like some of the worst natural catastrophes, cyber events can cause a severe impact on businesses and economies, trigger multiple claims and dramatically increase insurers’ claims costs.
“Underwriters need to consider cyber cover in this way and ensure that premium calculations keep pace with the cyber threat reality.
“We have provided these scenarios to help insurers gain a better understanding of their cyber risk exposures so they can improve their portfolio exposure management and risk pricing, set appropriate limits and expand into this fast-growing, innovative insurance class with confidence.”
For the cloud service disruption scenario in the report, average economic losses range from US$4.6bn for a large event to $53bn for an extreme event. This is the average in the scenario; due to uncertainty around aggregating cyber losses, this figure could be as high as $121bn or as low as $15bn. Meanwhile, average insured losses range from $620m for a large loss to $8.1bn for an extreme loss.
In the mass software vulnerability scenario, the average losses range from $9.7bn for a large event to $28.7bn for an extreme event, while the average insured losses range from $762m to $2.1bn.
The uninsured gap could be as much as $45bn for the cloud services scenario – meaning that no more than 17% of the economic losses are actually covered by insurance. The insurance gap could be as high as $26bn for the mass vulnerability scenario – meaning that just 7% of economic losses are covered.
Lloyd’s worked with Cyence to collect data at internet scale to model cyber risk and evaluate the financial, economic and insurance impact of these scenarios. It notes that the economic and insurance consequences of cybercrime are increasing: in 2016, cyberattacks were estimated to cost businesses as much as $450bn a year.
Lloyd’s estimates that the global cyber market is currently worth between $3bn and $3.5bn; a 2015 study by PricewaterhouseCoopers estimated that the figure could rise to $7.5bn by the end of the decade.