A major global cyber-attack could cost the world up to US$53 billion in economic losses, according to new research by Lloyd’s, the specialist insurance market, and Cyence, a cyber risk analytics modelling firm.
The research reveals the threat from two scenarios: a malicious hack that takes down a cloud service provider with estimated losses of up to $53bn, and attacks on computer operating systems run by tens of thousands of businesses around the world, which could cause losses of $28.7bn.
The research also shows that, while demand for cyber insurance is increasing, the majority of such losses are not currently insured, leaving an insurance gap of tens of billions of dollars.
“This report gives a real sense of the scale of damage a cyber-attack could cause the global economy," said Inga Beale, the chief executive of Lloyd’s. "Just like some of the worst natural catastrophes, cyber events can cause a severe impact on businesses and economies, trigger multiple claims and dramatically increase insurers’ claims costs. Underwriters need to consider cyber cover in this way and ensure that premium calculations keep pace with the cyber threat reality.”
As digital technology innovations, such as the sharing economy, blockchain or the Internet of Things, are multiplying at an unprecedented pace and connecting more deeply with the physical world, cyber risks are likely to rise, according to the World Economic Forum. The number of connected devices will almost triple by 2020, from 13.4 billion to 38.5 billion, and the proportion of products sold via e-commerce is expected to more than double – from 6 per cent in 2014 to 12.8 per cent by 2019, it said. The WEF has called for building resilience as these risks become increasingly tangible. "Global risks can only be effectively dealt with if there is a common understanding of their importance and interconnected nature, and a readiness to engage in multi-stakeholder dialogue and action."
For the cloud service disruption scenario in the Lloyd's/Cyence report, average economic losses range from $4.6bn from a large event to $53bn for an extreme event. This is the average in the scenario, because of the uncertainty around aggregating cyber losses. Unlike traditional property insurance where aggregation is monitored by physical locations, cyber insurance aggregation can span connected systems that extend beyond physical geographies. For instance, the business impact on a leading cloud platform lasts for 24 hours and causes cascaded impacts on other businesses dependent upon its services. The cloud service disruption scenario figure could be as high as $121bn or as low as $15bn, according to the report. Meanwhile, average insured losses range from $620 million for a large loss to $8.1bn for an extreme loss.
In the mass software vulnerability scenario, the average losses range from $9.7bn for a large event to US$28.7bn for an extreme event. And the average insured losses range from $762m to $2.1bn.
For the uninsured gap, losses could be as much as $45bn for the cloud services scenario – meaning less than a fifth (17 per cent) of the economic losses are actually covered by insurance. The underinsurance gap could be as high as $26bn for the mass vulnerability scenario – meaning that just 7 per cent of economic losses are covered.
“This report’s findings suggest economic losses from cyber events have the potential to be as large as those caused by major hurricanes," said Trevor Maynard, the head of innovation, at Lloyd’s. "Insurers could benefit from thinking about cyber cover in these terms and make explicit allowance for aggregating cyber-related catastrophes. To achieve this, data collection and quality is important, especially as cyber risks are constantly changing.”