Lloyd’s warns of risks of potential cyber ‘superstorm’
London — A major, global cyber attack could trigger an average of $53bn of economic losses, a figure on par with a catastrophic natural disaster such as US Superstorm Sandy in 2012, Lloyd’s of London said in a report on Monday.
The report, co-written with risk-modeling firm Cyence, examined potential economic losses from the hypothetical hacking of a cloud service provider and cyber attacks on computer operating systems run by businesses worldwide.
Insurers are struggling to estimate their potential exposure to cyber-related losses amid mounting cyber risks and interest in cyber insurance. A lack of historical data on which insurers can base assumptions is a key challenge.
"Because cyber is virtual, it is such a difficult task to understand how it will accumulate in a big event," Lloyd’s of London Inga Beale said.
Economic costs in the hypothetical cloud provider attack dwarf the $8bn global cost of the "WannaCry" ransomware attack in May, which spread to more than 100 countries, according to Cyence.
Economic costs typically include business interruptions and computer repairs.
The Lloyd’s report follows a US government warning to industrial firms about a hacking campaign targeting the nuclear and energy sectors.
In June, an attack of a virus dubbed "NotPetya" spread from infections in Ukraine to businesses around the globe. It encrypted data on infected machines, rendering them inoperable and disrupted activity at ports, law firms and factories.
"NotPetya" caused $850m in economic costs, Cyence said.
In the hypothetical cloud service attack in the Lloyd’s-Cyence scenario, hackers inserted malicious code into a cloud provider’s software that was designed to trigger system crashes among users a year later.
By then, the malware would have spread among the provider’s customers, from financial services companies to hotels, causing all to lose income and incur other expenses.
Average economic losses caused by such a disruption could range from $4.6bn to $53bn for large to extreme events. But actual losses could be as high as $121bn, the report said.
As much as $45bn of that sum may not be covered by cyber policies due to companies underinsuring, the report said.
Average losses for a scenario involving a hacking of operating systems ranged from $9.7bn to $28.7bn.
Lloyd’s has a 20% to 25% share of the $2.5bn cyber insurance market, Beale said in June.