Extreme cyber-attack could cost as much as Superstorm Sandy
A major global cyber-attack has the potential to trigger $53 billion of economic losses, roughly the equivalent to a catastrophic natural disaster like 2012’s Superstorm Sandy, according to a scenario described in new research by Lloyd’s, the world’s specialist insurance market, and Cyence, a leading cyber risk analytics modelling firm.
The report, “Counting the cost: Cyber exposure decoded”, reveals the potential economic impact of two scenarios: a malicious hack that takes down a cloud service provider with estimated losses of $53 billion, and attacks on computer operating systems run by a large number of businesses around the world which could cause losses of $28.7 billion. By comparison, Superstorm Sandy, the second costliest tropical cyclone on record, is generally considered to have caused economic losses between $50 billion and $70 billion.
The findings also reveal that, while demand for cyber insurance is increasing, the majority of these losses are not currently insured, leaving an insurance gap of tens of billions of dollars.
This report gives a real sense of the scale of damage a cyber-attack could cause the global economy. Just like some of the worst natural catastrophes, cyber events can cause a severe impact on businesses and economies, trigger multiple claims and dramatically increase insurers’ claims costs. Underwriters need to consider cyber cover in this way and ensure that premium calculations keep pace with the cyber threat reality.Inga Beale, CEO of Lloyd’s
We have provided these scenarios to help insurers gain a better understanding of their cyber risk exposures so they can improve their portfolio exposure management and risk pricing, set appropriate limits and expand into this fast-growing, innovative insurance class with confidence.
For the cloud service disruption scenario in the report, average economic losses range from US$4.6 billion from a large event to $53 billion for an extreme event. This is the average in the scenario, because of the uncertainty around aggregating cyber losses this figure could be as high as $121 billion or as low as $15 billion. Meanwhile, average insured losses range from US$620 million for a large loss to US$8.1 billion for an extreme loss.
In the mass software vulnerability scenario, the average losses range from US$9.7 billion for a large event to US$28.7 billion for an extreme event. And the average insured losses range from US$762 million to US$2.1 billion.
The uninsured gap could be as much as $45 billion for the cloud services scenario – meaning that less than a fifth (17%) of the economic losses are actually covered by insurance. The insurance gap could be as high as $26 billion for the mass vulnerability scenario – meaning that just 7% of economic losses are covered.
Lloyd’s worked with Cyence to collect data at internet scale to model cyber risk and evaluate the financial, economic and insurance impact of these scenarios.
Cyence is excited to be working with Lloyds on empowering the insurance industry to understand and model cyber risk. Leveraging Cyence’s unique cyber risk platform, we’re excited to see insurers providing more capacity, bringing innovative products to market with greater confidence and creating a more robust and sustainable insurance market.Arvind Parthasarathi, CEO of Cyence
The economic and insurance consequences of cybercrime are increasing. In 2016, cyber-attacks were estimated to cost businesses as much as $450 billion a year (Graham, 2017).
Today, Lloyd’s Class of Business team estimates that the global cyber market is worth between $3bn and $3.5bn (Stanley, 2017); by 2020, some analysts estimate it could be worth $7.5bn (PwC, 2015).
The report described two scenarios:
- Scenario 1: Cloud service provider hack. A sophisticated group of “hacktivists” sets out to disrupt cloud-service providers and their customers to draw attention to the environmental impacts of business and the modern economy. The group makes a malicious modification to a “hypervisor” that controls the cloud infrastructure. This causes many cloud-based customer servers to fail, leading to widespread service and business interruption.
- Scenario 2: Mass vulnerability attack. A cyber analyst accidentally leaves his bag on a train that contains a hard copy of a report on a vulnerability that affects all versions of an operating system run by 45% of the global market. This report is traded on the dark web and is purchased by an undetermined number of unidentified criminal parties who develop system exploits and begin attacking vulnerable businesses for financial gain.
These figures represent the mean values of simulated loss year severities for large and extreme loss events, and take into account all expected direct expenses related to the events. Impacts such as property damage, bodily injury, as well as indirect losses such as the loss of customers and reputational damage are not taken into account.
Economic losses could be much lower or higher than the average in the scenarios because of the uncertainty around cyber aggregation. For example, while average losses in the cloud service disruption scenario are $53 billion for an extreme event, they could be as high as US$121 billion or as low as US$15 billion, depending on factors such as the different organisations involved and how long the cloud service disruption lasts for.
The challenge with modelling cyber risk and accumulation is the lack of data from authoritative information sources. Claims and incident data from past years is not often germane due to the changing and volatile nature of the risk. And unlike physical perils, Cyber has accumulation paths with increasing use of internet networks and technology.
With expertise earned over centuries, Lloyd’s is the foundation of the insurance industry and the future of it. Led by expert underwriters and brokers who cover more than 200 territories, the Lloyd’s market develops the essential, complex and critical insurance needed to underwrite human progress. Backed by diverse global capital and excellent financial ratings, Lloyd’s works with a global network to grow the insured world – building resilience for businesses and local communities and strengthening economic growth around the world.
Cyence empowers the insurance industry to understand the impact of cyber risk in the context of dollars and probabilities. Cyence’s unique approach combines economic/risk modeling, cybersecurity and big data analytics to create an economic cyber risk modeling platform. Cyence Platform and analytics are leveraged by leaders across the insurance industry to help understand and manage cyber risk as well as to roll out new transformative insurance products.
Graham, L. 2017. Cybercrime costs the global economy $450 billion [online]. CNBC Cyber Security. Available at: http://www.cnbc.com/2017/02/07/cybercrime-costs-the-global-economy-450-billion-ceo.html
PwC. 2015. Insurance 2020 & beyond: Reaping the dividends of cyber resilience [online]. Available at: http://www.pwc.com/gx/en/insurance/publications/assets/reaping-dividends-cyber-resilience.pdf
Stanley, C. 2017. Cyber market estimate (Interview 26 June, Christian Stanley, Casualty Executive, Class of Business Underwriting Performance, Lloyd’s).