A major, global cyber attack could trigger an average of $53 billion of economic losses, a figure on par with a catastrophic natural disaster such as US Superstorm Sandy in 2012, Lloyd’s of London said in a report on Monday.
The report, co-written with risk-modeling firm Cyence, examined potential economic losses from the hypothetical hacking of a cloud service provider and
cyber attacks on computer operating systems run by businesses worldwide.
Insurers are struggling to estimate their potential exposure to cyber-related losses amid mounting cyber risks and interest in cyber insurance.
A lack of historical data on which insurers can base assumptions is a key challenge. "Because cyber is virtual, it is such a difficult task to understand how it will accumulate in a big event," Lloyd's of London chief executive Inga Beale told Reuters. Economic costs in the hypothetical cloud provider attack dwarf the $8 billion global cost of the "WannaCry" ransomware attack in May, which spread to more than 100 countries, according to Cyence.
Economic costs typically include business interruptions and computer repairs. The Lloyd's report follows a US government warning to industrial firms about a hacking campaign targeting the nuclear and energy sectors. In June, an attack of a virus dubbed "NotPetya" spread from infections in Ukraine to businesses around the globe.
It encrypted data on infected machines, rendering them inoperable and disrupted activity at ports, law firms and factories. “NotPetya” caused $850 million in economic costs, Cyence said. In the hypothetical cloud service attack in the Lloyd’s-Cyence scenario, hackers inserted malicious code into a cloud provider’s software that was designed to trigger system crashes among users a year later.
By then, the malware would have spread among the provider’s customers, from financial services companies to hotels, causing all to lose income and incur other expenses. Average economic losses caused by such a disruption could range from $4.6 billion to $53 billion for large to extreme events. But actual losses could be as high as $121 billion, the report said. As much as $45 billion of that sum may not be covered by cyber policies due to companies underinsuring, the report said. Average losses for a scenario involving a hacking of operating systems ranged from $9.7 billion to $28.7 billion. Lloyd’s has a 20 percent to 25 percent share of the $2.5 billion cyber insurance market, Beale said in June.