Lloyd’s of London has today warned that a severe cyber attack could cost the global economy more than £92 billion ($120 billion). The report was published two months after the WannaCry ransomware attack , which crippled NHS Trusts and organisations across nearly 100 countries around the world.
The report suggests that the threat posed by such global attacks has now spiralled and poses a huge risk to business and governments over the next decade.
According to the 56-page research, the most likely scenario leading to such economic damage, is a malicious hack that brings down a cloud service provider – such as AWS or Azure – which would cause an estimated loss of $53 billion. This is the average loss estimate, but because of the uncertainty surrounding cyber loss calculation, Lloyds estimates the figure could be as high as $121 billion or as low as $15 billion.
Inga Beale, chief executive of Lloyd’s, said: “This report gives a real sense of the scale of damage a cyber-attack could cause the global economy. Just like some of the worst natural catastrophes, cyber events can cause a severe impact on businesses and economies, trigger multiple claims and dramatically increase insurers’ claims costs.”
“Underwriters need to consider cyber cover in this way and ensure that premium calculations keep pace with the cyber-threat reality.”
The second-most likely threat, according to the report, will originate from cyber attacks on computer operating systems run by large businesses, with losses estimated to reach $28.7 billion (the “mass software vulnerability scenario”).
This brings another issue to the fore: cyber insurance. The majority of these types of losses are not insured, which would leave governments and businesses vulnerable in the increasingly likely event of a cyber attack. Cyber insurance cover is a relatively new, but growing type of insurance that has emerged.
Lloyds’s accounts for about a quarter of global premiums, but says it is harder to model and understand than natural catastrophe cover.
This ‘uninsured gap’ could be as high as $45 billion for the cloud services scenario, and $26 billion for the mass vulnerability scenario, suggests the report.
Trevor Maynard, Lloyd’s head of innovation and co-author of the report with the cyber security firm Cyence, said the global cyber attack in May “showed us that these sorts of attacks are absolutely possible”.
As humans become involved the risk changes quite rapidly, Maynard said, from cyber attacks to terrorism and political risk. This was most recently seen with the Bupa data breach, whereby a disgruntled employee leaked over 500,000 patient records. However, he suggests climate change remains the biggest challenge in the long run.
“From year to year, risk varies relatively little but climate change in the end will be far larger as a risk,” he said. “It affects the global economic structure, food, water. [It’s like] trying to turn a supertanker around – we can’t start in 30 years when things are going bad, we have to start now.”
Rob Wilkinson, corporate security specialist at cyber security company Smoothwall believes this “new report highlights the huge financial risks involved in this relatively ‘new’ – but increasingly common – phenomenon of cyber-attacks. While the report does indeed prompt businesses to insure themselves against such hacks, businesses ranging from SMEs to healthcare organisations need to first ensure they have the appropriate security measures in place, otherwise their insurance policies could be worthless. Would you take out home insurance but leave your house keys in the door on your way out every day?”
“The two most likely cyber-attacks in the report stem from a cloud hack and software infiltration. Cloud, on the whole, has been largely secure of late, but it is attacks on computer operating systems on businesses worldwide which could cost them serious financial – and consequently reputational – damage in the long run. It’s not surprising financial services companies are most at risk, and as a result tends to be an industry with generally increased cyber security measures in place. It is healthcare and local governments that, despite being ‘least at risk’, could actually be most at risk. Hackers could infiltrate hospitals and steal vital patient information, building up a profile of people over time to use for fraudulent or blackmailing purposes – ‘social engineering’.”
“In this vein, every organisation needs to review its internal security systems promptly to ensure they have a layered security defence spanning encryption, firewalls, web filtering and ongoing threat monitoring as well as a proactive stance against threat actors.”
The UK’s largest conference for tech leadership, Tech Leaders Summit, returns on 14 September with 40+ top execs signed up to speak about the challenges and opportunities surrounding the most disruptive innovations facing the enterprise today. Secure your place at this prestigious summit by registering here