A major cyber-attack disrupting several cloud service providers could lead to an average of $53bn of economic losses and up to $8.1bn of insured losses, a recent report by Lloyd’s and cyber risk analytics modelling firm Cyence has found.
The report also highlighted an enormous and growing cyber protection gap, noting that as little as 7 percent of economic losses could be covered by insurance following a major mass vulnerability attack.
The report, which was developed collaboratively by Lloyd’s and Cyence, outlines the modelled impact of two major cyber scenarios.
Lloyd’s CEO Inga Beale said: “Just like some of the worst natural catastrophes, cyber events can cause a severe impact on businesses and economies, trigger multiple claims and dramatically increase insurers’ claims costs. Underwriters need to consider cyber cover in this way and ensure that premium calculations keep pace with the cyber threat reality.”
“We have provided these scenarios to help insurers gain a better understanding of their cyber risk exposures so they can improve their portfolio exposure management and risk pricing, set appropriate limits and expand into this fast-growing, innovative insurance class with confidence.”
Under the cloud service provider hack scenario, which envisages an attack where multiple cloud-based customer servers at the provider fail and cause widespread service and business interruption, the average estimated economic losses ranged from $4.6bn for a large event to $53.1bn for an extreme event.
This is as costly as Superstorm Sandy, which is estimated to have caused economic losses of between $50bn and $70bn.
However, the report highlighted that due to uncertainty surrounding around aggregation, economic losses in an extreme event could be as high as $121.4bn or as low as $15.6bn.
The report noted that the same scenario could trigger insured losses ranging from $620mn for a large loss to $8.1bn for an extreme loss.
Meanwhile, the mass software vulnerability scenario envisages a cyber analyst accidentally leaving his bag on a train that contains a hard copy of a report on a vulnerability that affects all versions of an operating system run by 45% of the global market.
This report is then traded on the dark web and purchased by a number of unidentified criminal parties, who begin attacking vulnerable businesses for financial gain.
Under this scenario, average economic losses were estimated between $9.7bn for a large event and $28.7bn for an extreme event, while average insured losses could range from $762mn to $2.1bn respectively.
The report also revealed a significant underinsurance gap in both scenarios. In the cloud service provider scenario, between 14 and 17 percent of economic losses would be covered by insurance, while only 7 percent of economic losses would be covered in the mass vulnerability scenario.
"This report's findings suggest economic losses from cyber events have the potential to be as large as those caused by major hurricanes. Insurers could benefit from thinking about cyber cover in these terms and make explicit allowance for aggregating cyber-related catastrophes," the report said.
"To achieve this, data collection and quality is important, especially as cyber risks are constantly changing."