Research by Lloyd’s of London has revealed a catastrophic cyberattack against a cloud server could cost as much as a devastating hurricane.
The report – “Counting the cost: cyber exposure decoded”, a joint project from Lloyd’s and cyber risk modelling company Cyence – outlines two hypothetical cyber catastrophes, the more dire of which, in its most lethal model, could cost as much as $121 billion.
“Cyber risk is a growing global threat. While digitization is revolutionizing business models and transforming daily lives, it is also making the global economy more vulnerable to cyber-attacks,” the report’s authors state.
“As a result, the economic and insurance consequences of cyber-crime are increasing … The understanding of cyber liability and risk exposure is relatively underdeveloped compared with other insurance classes.”
The report modelled two different cyber disasters and their potential outcomes.
In one scenario, a malicious hack takes down a cloud service provider. According to the modelling, average economic losses from such an attack could range from $4.6 billion for a large event to $53 billion for an extreme event. However, the report noted, this is the average in the scenario.
“Because of the uncertainty around aggregating cyber losses, this figure could be as high as $121 billion or as low as $15 billion,” it said.
“By comparison, Superstorm Sandy, the second costliest tropical cyclone on record, is generally considered to have caused economic losses between $50 billion and $70 billion.”
In the other scenario, a mass vulnerability attack takes down an operating system run by a huge number of businesses on the global market. According to modelling for this scenario, “the average losses range from US$9.7 billion for a large event to US$28.7 billion for an extreme event. And the average insured losses range from US$762 million to US$2.1 billion.”
The demand for cyber insurance is growing as cyber threats grow, but the market is not doing enough to capture the full extent of the market, the authors found. Lloyd’s estimates the global cyber market to be worth $3-$3.5 billion but, according to PricewaterhouseCoopers, by 2020 it could be worth $7.5 billion. P&C insurers wrote $1.35 billion in cyber insurance “direct written premium” in 2016, the report said, “a 35% jump from 2015, according to reports by Fitch Ratings and A.M. Best”.
“Cyber insurance has relatively low penetration rates, especially among SME and middle-market customers, as well as in several industry verticals,” the report said, adding that many buyers do not understand what coverage is available for cyber. “There is also a general lack of standardization around cyber insurance offerings in the marketplace, which makes it hard for risk managers to choose which product to buy. Brokers and insurance companies must do more to address these educational gaps to drive further growth of this important business line.”
Inga Beale, CEO of Lloyd’s, said the report demonstrates just how damaging a truly severe cyberattack could be.
“Just like some of the worst natural catastrophes, cyber events can cause a severe impact on businesses and economies, trigger multiple claims and dramatically increase insurers’ claims costs,” she said. “Underwriters need to consider cyber cover in this way and ensure that premium calculations keep pace with the cyber threat reality.
“We have provided these scenarios to help insurers gain a better understanding of their cyber risk exposures so they can improve their portfolio exposure management and risk pricing, set appropriate limits and expand into this fast-growing, innovative insurance class with confidence.”