A major international cyber-attack could mean economic losses of $53 billion (£40bn) on average and up to $121bn, comparable with natural disasters such as Hurricanes Katrina or Sandy, according to Lloyd’s of London.
Lloyd’s, the world’s oldest insurance market, said its projections, issued on Monday, indicate the growing risk posed by the economic system’s dependence on Internet-connected computer systems.
The company, which published the 56-page report in cooperation with computer security firm Cyence, said its findings also reflect how difficult it is to model and understand an area in which there is so little historical data upon which to base assumptions.
The report comes two months after the WannaCry ransomware attack that disrupted NHS services and spread to more than 100 countries, and the more recent NotPetya malware that damaged the computer systems of a number of major companies internationally.
WannaCry caused about $8bn in damages worldwide, with NotPetya leading to $850m in economic costs, according to Cyence.
Lloyd’s outlines a number of possible scenarios, the most likely of which involves hackers inserting malicious code into cloud-based software which is then spread to a wide variety of customers’ systems, where it lies dormant for a year before triggering crashes.
The losses caused by such an attack range from as little as $15bn to as much as $121bn, with a $53bn average estimate, Lloyd’s said, with as much as $45bn of uninsured losses.
Large-scale economic damage
The figures are comparable to the $108bn of damage caused by Hurricane Katrina in 2005, including $80bn of uninsured losses, or the $50bn to $70bn in damage estimated to have been caused by Hurricane Sandy in 2012.
“This report gives a real sense of the scale of damage a cyber-attack could cause the global economy,” said Lloyd’s chief executive Inga Beale in a statement. “Just like some of the worst natural catastrophes, cyber events can cause a severe impact on businesses and economies, trigger multiple claims and dramatically increase insurers’ claims costs.”
Lloyd’s said underwriters should ensure their premium calculations keep pace with the reality of such costly threats.
The company outlined a second-most likely threat involving a mass hack of businesses’ computer operating systems leading to losses of $9.7bn to $28.7bn, the majority of which – $26bn – would not be covered by insurance.
Financial services face the most risk, followed by the software and technology, hospitality, retail and healthcare sectors.
Lloyd’s has about one-quarter of the emerging area of cyber insurance and says risks are more difficult to model than natural disasters due to the human element, which means underlying assumptions can change quickly.