Illuminating cyber crime

How vulnerable is the economy to a major cyber-attack?

Your phone, your laptop, your bank account… businesses, governments, financial services… a global ‘cyber catastrophe’ could have far-reaching consequences and cause chaos around the world.

Cyber attacks pose a considerable threat to businesses. Year on year, costs around maintenance, prevention, and response to attacks are increasing. And with examples scattered across major news outlets, like the recent June 2023 Zellis payroll[1] attack, which affected a number of large British businesses, the world is waking up to the reality of what could be at stake if a global cyber attack were to play out.

As the world’s leading marketplace for commercial, corporate and specialty risk insurance and reinsurance, Lloyd’s is committed to building resilience against major cyber risk. Our systemic cyber scenario has been developed to help risk owners better understand the potential exposures at play and the role of insurance to protect against the evolving cyber risk landscape.

[1] https://www.theguardian.com/technology/2023/jun/07/ba-boots-bbc-cyber-attack-moveit-who-is-behind-it-and-what-happens-next  

  • Lloyd’s has hosted a series of events, including our first ever Cyber Risk Summit, an interactive Cyber Attack Simulation and a Cyber Innovation Forum run by Lloyd’s Futureset, bringing together senior business leaders, policy makers, law enforcement, technology firms and cyber risk specialists to discuss creative solutions for this emerging and interconnected threat
  • Cyber insurance solutions such as Beazley’s can provide both information security services to help businesses reduce their vulnerabilities and assistance to help resolve any breach that occurs, alongside risk transfer
  • BOXX Insurance, a Lloyd’s Lab alumnus, provides cyber threat prediction, prevention and insurance coverage for small businesses and homes by connecting insurance, big data and technology
  • Lloyd’s Lab alumni Parametrix protects companies against business interruption loss due to external service downtime such as cloud outages, network crashes and platform failures with simple and transparent coverage
 

Picture the scene: A cyber attack infiltrates major payment systems


Even a ‘run of the mill’ cyber attack has the potential to paralyse systems and stop the best-protected organisations in their tracks. The following scenario explores a hypothetical unprecedented cyber attack on major payment systems - revealing how quickly the effects could cascade across all sectors of the economy.

The attack consists of a number of simultaneous, highly sophisticated and persistent attacks against multiple financial services organisations. The impacts deal a significant blow to confidence in financial institutions and in transactional relationships that underpin trade and international security.

Invade

During routine software updates, attackers plant malicious code in critical pieces of software that the financial services industry uses to confirm transactions and verify payments. The update is sent to tens of thousands of partner and customer networks, infiltrating them at the same time.

Timeframe: Seconds

Paralyse

The attack creates a back door allowing hackers to initiate a major breach, meaning that customers cannot pay for goods and services, banks cannot clear payments, and inter-bank lending grinds to a halt.

Timeframe: Days/weeks

Profit

By scrambling the data now in their possession, hackers can divert funds to a network of accounts under their control. The breach lies undiscovered for months, and it takes yet more time to repair the damage and discover further breaches.

Timeframe: Weeks/months

Distract

The attack is both expensive and limiting for the institutions involved. Response teams get caught up in a game of cyber cat and mouse, which distracts them from their critical work and from supporting customers.

Timeframe: Months

Impact

Beyond the immediate costs, confidence in financial institutions is shaken; trade and customer relationships suffer; regulations tighten to prevent future breaches; and long-term business costs increase to build system resilience.

Timeframe: Years

The severity of events and measure of impact


Our scenario explores three potential levels of severity, listed in the table below. Whilst these have been inspired by historical references, all three severity levels represent highly sophisticated and novel attacks which have never been seen.

While any cyber attack has the potential to be a major incident, a targeted attack will typically impact a business in one of three ways:

  • to breach data (confidentiality)
  • to compromise data accuracy and validity (integrity)
  • to prevent access to services (availability)

Attacks that impact all three are the most damaging; this is the case in our ‘extreme’ scenario severity level. Compounding this, an attack on systemically important organisations or software could lead to secondary disruption cascading across multiple industries.

| Level | Scenario severity descriptions | Historical reference |
|---|---|---|
| Major (1 in 30-year probability) | Cyber breaches compromise IT systems: Targeted attacks lead to an increase in the failure of key IT functionality, including business-critical operational systems within financial services, like major payment platforms. This is an availability attack. | None – yet to occur |
| Severe (1 in 200-year probability) | Cyber infestation of malware: A ransomware attack with self-replicating encryption malware infects large volumes of hardware. Business systems and services become disabled for a long time, and they experience minor disruption, but have a massive and severe data breach. This attack includes confidentiality and availability factors. | None – yet to occur |
| Extreme (1 in 1,000-year probability) | Data integrity compromise: A targeted ransomware attack significantly infects hardware. Business systems and services are disabled for a long time, causing extreme disruption. Fundamental transaction data and backups are severely compromised, resulting in a lack of trust in primary data sources. This attack includes confidentiality, availability and integrity factors. | None – yet to occur |

Our scenario considers the below (as well as some other non-listed attacks) as a precedent evidence base, but represents a significant escalation from any historic events:

  • 2017, WannaCry: Following the release of several vulnerabilities identified by the US NSA and seized by the hacktivist unit known as ‘Shadow Brokers’, a piece of malware spread using the EternalBlue exploit, which affected all Windows operating systems supported at the time. The attack lasted only a few hours but affected more than 200,000 computers in more than 100 countries, leading to billions in damage. Major victims of the attack included the UK’s National Health Service, which was running unpatched Windows software.
  • 2017, NotPetya: Also utilising the EternalBlue vulnerability, NotPetya overwhelmingly affected systems in Ukraine and Russia, with global damages amounting to around $10 billion. The shipping giant Maersk was severely affected and lost contact with half the servers in its network. A power outage in a Nigerian office protected a copy of the company’s Active Directory and allowed crucial data to be recovered.
  • 2022, Albania DDoS attack: A distributed denial of service attack took place against Albanian government computer systems. Forensic analysis uncovered that disk-wiping malware was also employed to extensively damage Albania’s digital infrastructure. Another attack occurred a few months later when Albania expelled the Iranian ambassador after the attacks were traced back to Iranian-sponsored cyber groups.
 

A new risk landscape - geopolitics and cyber


The conflict in Ukraine is a stark reminder of how geopolitical risk can unfold, reshaping the risk landscape and revealing its truly interconnected nature. While cyber attackers can be state sponsored, aligned to central strategic prerogatives and used as asymmetric foreign policy tools, trends show a negative correlation between a state’s military activity and traceable coordinated cyber attacks. For example, we have seen cyber attacks by Russia elsewhere decrease after the invasion of Ukraine[2]. Understandably, as states divert more resources for conventional military action, less emphasis is placed on state asymmetric strategies, like cyber attacks, targeted at other regions.

The modelled data in this scenario reflects this trend, with geopolitically motivated action slightly bringing down the overall probability of small cyber attacks. However, the probability of a large, extremely disruptive, global and indiscriminate cyber attack may increase if major powers that are engaged in a military conflict rapidly begin to lose the conventional fight.

You can find out more about the threat of geopolitical cyber physical risk in our 2021 report, Shifting powers: Physical cyber risk in a changing geopolitical landscape.

 [2] https://www.lloyds.com/news-and-insights/futureset/futureset-insights/ukraine-a-conflict-that-changed-the-world  

Disclaimer

This report has been produced by Lloyd's Futureset and Cambridge Centre for Risk Studies for general information purposes only. 

While care has been taken in gathering the data and preparing the report Lloyd's and Cambridge Centre for Risk Studies do not, severally or jointly, make any representations or warranties on behalf of themselves or others as to its accuracy or completeness and expressly exclude to the maximum extent permitted by law all those that might otherwise be implied.

Lloyd's and Cambridge Centre for Risk Studies accept no responsibility or liability for any loss or damage of any nature occasioned to any person as a result of acting or refraining from acting as a result of, or in reliance on, any statement, fact, figure or expression of opinion or belief contained in this report. This report does not constitute advice of any kind.

Note that this report does not seek to replace or inform any of the mandatory scenarios which Lloyd’s publishes to support the Realistic Disaster Scenario exercises managing agents are required to undertake in respect of the syndicates managed by them.