Lloyd’s of London has warned that a serious cyberattack could cost the global economy more than $120 billion – as much as catastrophic natural disasters such as Hurricanes Katrina and Sandy.
The report from Lloyd's said the threat posed by such global attacks has spiraled and poses a huge risk to business and governments over the next decade.
The most likely scenario is a malicious hack that takes down a cloud service provider with estimated losses of $53 billion, according to Lloyd’s. This is the average estimate, but because of the uncertainty around calculating cyber losses it estimates the figure could be as high as $121 billion or as low as $15 billion.
At the upper end, the cost would outstrip the damage wreaked by Hurricane Katrina in 2005, estimated at $108 billion (including $80 billion of insured losses). Hurricane Sandy in 2012 is estimated to have caused economic losses of $50 billion-$70 billion.
The report concludes that cyber losses have grown in severity to the point of rivaling major hurricanes in their total potential damages. In each scenario modeled, total losses reached into the tens of billions for extreme return periods.
- Bad actors cause cloud service outages: In the first scenario, a group of "hacktivists" set out to disrupt cloud service providers' infrastructure to draw attention to the environmental impacts of cloud-based businesses. The group inserts a malicious modification to an infrastructure's code that can be exploited to trigger system-wide failures, leading to widespread service and business interruption. Across all industries, Cyence's extreme loss simulations are estimated at $53 billion in just 2-3 days.
- Human error causes zero-day to fall into the wrong hands: In the second scenario, a hard copy of a zero-day vulnerability report affecting all versions of an operating system used by 45 percent of the global market makes its way into the hands of a malicious actor by human error. This report is purchased on the dark web by criminal parties who develop system exploits and attack vulnerable businesses for financial gain. Cyence calculated that a cyber scenario of this scale could cause estimated losses totaling $28.7 billion.
Today, Lloyd's estimates the global cyber market is worth between $3 - $3.5 billion (Stanley, 2017). The report was designed to deepen insurers' and risk managers' understanding of cyber risk exposure to improve portfolio exposure management, set appropriate limits and expand confidently into this quickly-growing line of insurance. Furthermore, these scenarios will be critical in moving the industry as a whole toward a standardized approach of measuring cyber risk in the wake of the growing number of high-profile cyber events.
"This report's findings suggest economic losses from cyber events have the potential to be as large as those caused by major hurricanes. Insurers could benefit from thinking about cyber cover in these terms and making explicit allowances for aggregated cyber-related catastrophes. To achieve this, data collection and quality is important, especially as cyber risks are constantly changing," said Trevor Maynard, head of innovation at Lloyd's.
"To date, no computer has been created that could not be hacked—a sobering fact given our radical dependence on these machines for everything from our nation's power grid to air traffic control to financial services. Economic losses are growing exponentially and all companies need a strategy to mitigate cyber risk in today's world," said Marc Goodman, advisor to Cyence and global cyber risk strategist.
