Losses from a major cyber-attack could soon rival the damage bill from a major hurricane, according to a new report, “Counting the cost: Cyber exposure decoded”, released by Lloyd’s of London and cyber risk analytics firm Cyence.
The report models two specific cyber scenarios and the financial consequences of each, stressing the importance of measuring cyber risk in terms of dollars and probabilities. In each scenario modelled, total losses reached into the tens of billions for extreme return periods.
“This report's findings suggest economic losses from cyber events have the potential to be as large as those caused by major hurricanes,” said Trevor Maynard, head of innovation at Lloyd's. “Insurers could benefit from thinking about cyber cover in these terms and making explicit allowances for aggregated cyber-related catastrophes. To achieve this, data collection and quality is important, especially as cyber risks are constantly changing.”
In the first scenario, a group of "hacktivists" set out to disrupt cloud service providers' infrastructure to draw attention to the environmental impacts of cloud-based businesses. The group inserts a malicious modification into an infrastructure's code that can be exploited to trigger system-wide failures, leading to widespread service and business interruption. Across all industries, Cyence's simulations estimate extreme losses at $53 billion in just 2-3 days.
In the second scenario, a hard copy of a zero-day vulnerability report affecting all versions of an operating system used by 45 percent of the global market makes its way into the hands of a malicious actor by human error. This report is purchased on the dark web by criminal parties who develop system exploits and attack vulnerable businesses for financial gain. Cyence calculated that a cyber scenario of this scale could cause estimated losses totalling $28.7 billion.
The report was designed to deepen insurers' and risk managers' understanding of cyber risk exposure so they can improve portfolio exposure management, set appropriate limits and expand confidently into this quickly growing line of insurance. Furthermore, these scenarios will be critical in moving the industry as a whole toward a standardized approach to measuring cyber risk in the wake of the growing number of high-profile cyber events.
“To date, no computer has been created that could not be hacked—a sobering fact given our radical dependence on these machines for everything from our nation's power grid to air traffic control to financial services,” said Marc Goodman, advisor to Cyence and global cyber risk strategist. “Economic losses are growing exponentially and all companies need a strategy to mitigate cyber risk in today's world.”
"Collaborating with Lloyd's market groups and technical third-party experts allowed us to ensure these scenarios were plausible and relevant to the insurance risk management community," said George Ng, chief technology officer and co-founder at Cyence. "Our goal is to arm companies with a common framework to discuss and understand cyber risk in a big picture, accessible manner. It's a complex and constantly evolving landscape, but with our economic modeling-based approach, we can confidently move the market closer to the standardized aggregation frameworks and resiliency models common to traditional property & casualty insurance coverage lines."