If you want to know what something really costs you knock on the door of people who calculate economic risk. Consider $53 billion: That’s what Lloyd’s of London, which bills itself as the insurance and reinsurance market’s custodian, figures the blow a global cyber attack could deliver to the world’s economy.
Just in case you were wondering, that’s more than Hurricane Katrina in 2005 and the Thailand floods, each of which cost insurers about $45 billion.
In a report delivered today, entitled Counting the cost, Cyber exposure decoded, Lloyd’s, together with Cyence, a risk modeling firm, have taken a stab at the potential economic losses businesses and insurers worldwide could incur from an attack on a cloud service provider and/or on enterprise networks.
Lloyd’s research is aimed at insurers who write cyber policies with “realistic and plausible scenarios” to apply some numbers to cyber risk. The numbers are both staggering and climbing: Lloyd’s pointed to data that estimated cyber attacks as of last year cost businesses up to $450 billion annually.
Cybersecurity Baseline Metrics
Starting with an assumption that the global cybersecurity market is valued at about $3.5 billion right now, the report poses two plausible hacking scenarios of major proportion:
- A hack that takes down a cloud-service provider(s), and/or
- An attack that hits an operating system run by 45 percent of the world's businesses
In the first instance, a group of “hacktivists” disrupts cloud-service providers and their customers to draw attention to the environmental impacts of business and the modern economy. Their attack causes many cloud-based customer servers to fail, leading to widespread service and business interruption.
In the second scenario, a cyber analyst loses a report on an operating system vulnerability affecting about half of the worldwide market. The report is purchased on the dark Web by cyber crooks who then unleash a ransomware attack.
The economic impact in the cloud service disruption scenario could range from $4.6 billion to $53.1 billion, depending on the size of the event, the report said. Actual losses could be as high as $121 billion, depending on the type of organizations involved and the length of the disruption.
In the case of a large-scale software vulnerability, the hit could range from $9.7 billion to $28.7 billion.
For insurers, losses in the cloud services situation could range from $620 million to $8.1 billion. By comparison, in the software vulnerability scenario, insured losses could be between $762 million and $2.1 billion, Lloyd’s figured. The under insurance gap is between $8.9 billion and $26.6 billion for the mass vulnerability scenario – meaning that just 7 percent of economic losses are covered, according to the report.
Cyberattacks: Potential Threats and Risks
Lloyd’s offered a number of factors contributing to the potential risk of cyber threats:
- More developers: The number of software developers could potentially add vulnerability to the system unintentionally through human error.
- More software: An increasing volume of code means heightened potential for errors and vulnerability.
- Open source: Any errors in open source primary code could be copied into subsequent iterations.
- Older software: Many individuals and companies run obsolete software that present easier targets for hackers.
- Multi-layered software: New software is typically built on top of prior code, making testing more difficult.
- Automation: Code produced through automated processes can be modified for malicious intent.
What does Lloyd’s conclude? “Insurers could benefit from thinking about cyber cover in these terms and make explicit allowance for aggregating cyber-related catastrophes.”