A huge global cyber-attack could cost the world economy $121.4bn, according to a new report by one of the world’s biggest insurers, Lloyd’s of London.
In its report, which it has co-written with Cyence, a cybersecurity analytics platform provider, the insurer suggested that the direct economic impacts of cyber events lead to a wide range of potential economic losses. If a major cloud service was disrupted, the losses could range from $4.6bn for a large event to $53.1bn for an extreme event, it said.
While if the attack was through a mass software vulnerability, the losses could range from $9.7bn for a large event to $28.7bn for an extreme event.
However, Lloyd’s said that the economic losses could be much lower or higher than the average in the scenarios because of the uncertainty around cyber-aggregation.
“For example, while average losses in the cloud service disruption scenario are $53 billion for an extreme event, they could be as high as $121.4 billion or as low as $15.6 billion, depending on factors such as the different organizations involved and how long the cloud-service disruption lasts for,” the report reads.
The average of $53bn is on par with the cost of a natural disaster such as US Superstorm Sandy in 2012, while the $120bn ‘extreme’ figure is as much as 0.2% of global GDP, or as much as 2005’s Hurricane Katrina.
“This report gives a real sense of the scale of damage a cyber-attack could cause the global economy. Just like some of the worst natural catastrophes, cyber events can cause a severe impact on businesses and economies, trigger multiple claims and dramatically increase insurers’ claims costs,” said Inga Beale, CEO of Lloyd’s.
“Underwriters need to consider cyber cover in this way and ensure that premium calculations keep pace with the cyber threat reality,” she added.
Pete Banham, cyber resilience expert at Mimecast, suggested that the doomsday scenarios painted in the report highlight the growing issue of cyber-risk aggregation.
“By adopting a cloud strategy that seeks to reduce the number of vendors, organizations may be tipping towards short term cost savings at the expense of security,” he claimed.
“Cyber-insurance has a role to play but it's also crucial that organizations understand exactly what their policies protect them from and what their terms require them to assume responsibility for.
"Evolving, sophisticated attacks and lack of employee training is leaving organizations at great risk of breaking policy terms,” he added.