Counting the economic cost: How vulnerable could you be?

Scenario effects

Organisations targeted by the cyber attack are directly impacted, seeing their operations disrupted and potentially incurring significant recovery costs. The loss of a critical payments network also results in significant secondary disruption across a wide range of industries, supply chains and infrastructure that is unable to operate as normal. Other factors affected include a loss of productivity and drop in consumer confidence.

The economic impact

If a cyber attack on a major financial services payment system were to take place, the global loss could reach $3.5 trillion over a five-year period (this is the average loss across the three severities we have modelled). The expected economic loss (this conditional loss multiplied by the probability of the event occurring) would be $140 billion.

Were our least severe scenario to occur, the five-year economic loss could reach $2.3 trillion. Our modelling suggests this could have a 1 in 30-year probability of occurring. Our most severe scenario, modelled at a 1 in 1000 year likelihood, could result in as much as a $16 trillion economic loss over five years.

You can use the interactive tool below to explore the cost of our three severity levels and the conditional expected loss of the scenario.

Recovery

The graph below shows the temporal impact and economic loss of our model across the 5-year period, with the event occurring in 2023. Our cyber scenario causes a devastating shock to the global economy in year one because, by its nature, a cyber attack can take place in a matter of seconds with no warning. A full recovery is anticipated by year three.

Regional risks - how exposed might your region be?

How quickly individual countries and regions recover from the scenario depends on their exposure level, infrastructure, and protection. The three countries that experience the highest 5-year conditional economic loss from the scenario are the United States ($1.1 trillion), followed by China ($470 billion) and then Japan ($200 billion).

A country’s vulnerability will typically be based on dependence on the systems affected by the cyber attack for economic productivity. Service sector economies are typically more reliant on information technology than economies dominated by agriculture or heavy manufacturing. As this scenario imagines an attack on payments infrastructure, we have considered e-commerce activity and the productivity of a country’s financial services and financial markets when calculating economic losses.

Use our tool below to explore the potential economic loss and expected economic losses by country and/or region at the three levels of severity identified in the scenario.

As an emerging risk, with relatively few historical precedents or public databases that provide geographical, country or city-level identification of cyber risk, the total cost and frequency probability of a global cyber attack can be difficult to model. While our analysis does its best to do so, using historical references and an extensive publication review to calculate the severity and probability, we acknowledge that the threat and financial cost of cyber risk will change as more information becomes available and the threat matures.

Glossary of terms

Systemic events can affect individual countries, regions or the entire world at once. In our analysis of systemic risk, we use two different models to illustrate the economic impact an event could have on gross domestic product (GDP).

An aggregating model: In this model, a systemic event has a significant ‘ripple effect’ of impacts across the globe. The cost of the event is aggregated up from country and regional levels to provide a global economic loss number.

For example, the COVID-19 pandemic quickly spread around the world, affecting many countries' economies in a significant way, but did so starting from one location with a cascade of impacts globally.

A non-aggregating model: Our non-aggregating model is used for events that have a smaller ripple effect and for scenarios where multiple separate events could occur.

For example, a volcanic eruption is likely to have a much greater impact in the country in which the volcano erupts. In our non-aggregating model, we do not assume that multiple events occur simultaneously across the globe (i.e. multiple major volcanoes erupting at once).

Country and regional data in a non-aggregating scenario is based on the event occurring in that region and/or country. Therefore, in a non-aggregating scenario, the sum of countries’ economic losses will not equate to total regional or global economic losses.

Our major cyber attack scenario losses are calculated using an aggregating model.

Sector risk - which sectors might be most at risk?

Financial sector

The financial sector can be a lucrative target for attackers, and is the sector likely to cause the biggest disruption during and after an attack. However, cyber security maturity levels in financial services are typically high and the industry recognises the impact that any interruption would have on their brand. In September 2021, customers of Kiwibank could not access their accounts after the bank was subjected to repeated cyber attacks. The DDoS attacks didn’t compromise data or remove funds but caused widespread frustration for customers unable to perform essential banking tasks.[3] In January 2022, a data-wiping malware, WhisperGate, was used in multiple cyber attacks against Ukrainian organisations, rendering targeted devices inoperable and causing significant disruption to their operations.[4]

[3] https://www.stuff.co.nz/business/300417545/kiwibank-app-online-banking-out-of-action-again-changing-banks-soon-as-i-can
[4] https://www.computerweekly.com/news/252512491/More-intel-emerges-on-WhisperGate-malware-that-hit-Ukraine

Information technology (IT)

If a cyber criminal is seeking access to multiple victims, then the IT sector is the ultimate access point, where interlinking technology systems and complex digital supply chains guarantee far-reaching effects. In July 2021, hackers targeted IT systems provider Kaseya which spread malware through its network – affecting around 200 of the provider’s customers.[5]

[5] https://www.bbc.co.uk/news/world-us-canada-57703836

Goods and services

Inconveniencing the general public and destabilising society are often tactics used by malicious actors to pressure institutions into paying ransoms to resolve a cyber attack. In January 2022, KP Snacks wrote to retailers to say it couldn’t safely process orders for a period of at least two months because it had been the victim of a ransomware attack.[6]

[6] https://www.techcentral.ie/kp-snacks-supply-chain-shut-down-by-conti-ransomware-attack/

Other affected sectors

Other notable victims have included manufacturers, healthcare, telecommunications and real estate. More extreme attacks – interrupting power supply, for example – are rare, the most notable being the targeting of Ukraine’s energy infrastructure by Russian hackers in 2015 and following the outbreak of conflict in Ukraine.[7]

[7] https://www.forbes.com/sites/jimmagill/2021/07/24/experts-say-cyberattacks-likely-to-result-in-blackouts-in-us/?sh=253748b4372d and https://www.theguardian.com/world/2023/jan/19/cyber-attacks-have-tripled-in-past-year-says-ukraine-cybersecurity-agency

How can risk owners respond?

This scenario represents an extreme outcome given the rigorous risk management processes that organisations managing payments typically have in place. Risk owners in all industries can learn valuable lessons from these approaches to help strengthen their own cyber resilience.

Most participants in the payments industry will have their own in-house software stack, with potentially few common dependencies, meaning that a cyber attack would need to be extremely sophisticated to result in systemic effects. The overall payments process has also developed a lot of robustness as it has evolved, with organisations dealing with issues such as data corruption or system outages in some part of their network as part of their day-to-day operational management. Sensitive data is typically stored in separate sandboxed systems, and extremely rigorous standards force the compartmentalisation of different payments mechanisms, meaning there is little in common between consumer payment processing, data storage and inter-bank lending.

For organisations at risk from cyber attacks, organisational preparedness is therefore key to building resilience. It is all too easy for hackers to gain access through homeworking networks or poor password hygiene. From standard office management software – like the Windows 10 WannaCry attack – to cloud-based suppliers, hackers can leapfrog from company to company through common technologies.

Be vigilant: It is important for businesses and other organisations to actively try to limit their exposure to cyber risk. Best practices such as deploying regular software updates and patches to prevent hackers gaining entry are essential to building resilience against cyber attacks, whilst zero trust identity access frameworks can help reduce the likelihood of unauthorised users causing detrimental impact. Investing in business continuity planning by considering contingencies and mapping network flows and operational dependencies is also a fundamental building block in preparing for the unavailability of technology. From staff training to password policies, every action a company takes improves its hand against cyber criminals.

Take collective responsibility: For those who do fall victim to a cyber attack, transparency is vital. We’ve seen through WannaCry how an attack can spread like wildfire across interlinked digital supply chains. Early, clear reporting and a proactive approach to identifying breaches before an attack improves society’s awareness and resilience as a whole.[8] In November 2021, US regulators ordered banks to report any cybersecurity breaches within 36 hours of discovery to limit disruption.[9]

Embed new technologies: The use of new technologies can help to provide multiple contingencies for restoration after a mass event. For example, the use of shared ledgers or multiple cloud backups can mean that data and operations can be restored much more quickly, and access to real-time data can enable a faster operational response to disruption.[10]

Seek risk transfer: Cyber is one of the most complex and critical risks threatening national security and businesses today. The insurance industry is pioneering new ideas and supporting the growth of cyber solutions while working in partnership with customers and governments to tackle this evolving and highly unpredictable threat.

[8] https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-150.pdf and https://www3.weforum.org/docs/WEF_Cyber_Information_Sharing_2020.pdf

[9] https://www.reuters.com/business/finance/banks-ordered-promptly-flag-cybersecurity-incidents-under-new-rule-2021-11-18/

[10] https://www.forbes.com/sites/forrester/2021/12/08/multicloud-is-hard-but-single-cloud-failures-make-it-necessary-for-enterprises/

Disclaimer

This report has been produced by Lloyd's Futureset and Cambridge Centre for Risk Studies for general information purposes only.

While care has been taken in gathering the data and preparing the report, Lloyd's and Cambridge Centre for Risk Studies do not, severally or jointly, make any representations or warranties on behalf of themselves or others as to its accuracy or completeness and expressly exclude to the maximum extent permitted by law all those that might otherwise be implied.

Lloyd's and Cambridge Centre for Risk Studies accept no responsibility or liability for any loss or damage of any nature occasioned to any person as a result of acting or refraining from acting as a result of, or in reliance on, any statement, fact, figure or expression of opinion or belief contained in this report. This report does not constitute advice of any kind.

Note that this report does not seek to replace or inform any of the mandatory scenarios which Lloyd’s publishes to support the Realistic Disaster Scenario exercises managing agents are required to undertake in respect of the syndicates managed by them.