Cost of 'extreme' cyber attack could hit $121 billion, says Lloyd's
In an analysis (8 page / 676KB PDF) of the potential economic impact of a hypothetical malicious hack on a cloud service provider, and attacks on vulnerable computer systems run by businesses around the world, Lloyd's estimated the losses could be $53bn and $28.7bn respectively on an average basis.
However it said in the cloud service disruption scenario, because of the uncertainty around aggregating cyber losses, this figure could be as high as $121bn, or as low as $15bn.
Cybersecurity and insurance expert Ian Birdsey of Pinsent Masons, the law firm behind Out-Law.com, said insurers were faced with significant challenges in modelling losses from cyber attacks due to lack of data.
"Unlike traditional catastrophe losses due to natural causes, insurers do not have any meaningful claims data to draw on to model catastrophe cyber losses and price products," Birdsey said. "Recent events have shown how cyber attacks can proliferate quickly on a worldwide scale.”
“The speed with which endemic cyber risk can spread across the globe means that such a cyber loss is a very worst-case scenario for insurers and can quickly become catastrophic loss,” Birdsey said.
Major natural disasters such as Superstorm Sandy have caused economic losses of between $50bn and $70bn.
Lloyd's estimated that the uninsured gap could be as high as $45bn for the cloud services scenario and $26bn for the vulnerability scenario, with the vast majority of economic losses not covered by insurance.
Birdsey said: “The financial cost of a major cyber event is often not appreciated by companies. The financial and reputational cost in terms of business interruption and remediation can be substantial. Companies generally underestimate the impact of a cyber event including the financial cost of dealing with and containing it.”
The Lloyd's report identified six trends which contributed to digital vulnerability: the volume of contributors to the development of software; the volume of software; open-source software; old software; multi-layered software built on existing code; and software generated through automated processes, which can be modified for malicious intent.
It said a single cyber event had the potential to increase industry loss ratios by 19% and 250% for large and extreme loss events, respectively. Lloyd's estimated that the global cyber insurance market is today worth between $3bn and $3.5bn.
Lloyd's chief executive Inga Beale said underwriters needed to consider cyber cover and ensure premiums kept pace with the reality of the threat to technology systems.
Previous estimates of the insurance implications of a cyber attack on the US power grid would be suggested insurance losses from such an incident would be $21.4bn, and possibly as much as $71.1bn, according to an earlier Lloyd's report.