Lloyd’s Puts Potential Cyber Attack Loss in Range of Hurricane Sandy

LONDON – A major cyberattack could cause as much as $53 billion in economic losses around the world, putting it in the same category as Hurricane Sandy, which hit the East Coast of the United States in 2012, Lloyd’s has warned in a report.

The report, “Counting the cost: Cyber exposure decoded,” was prepared by Lloyd’s and cyberrisk modeling firm Cyence. The document sketched two possible incidents: a $53 billion malicious hack of a cloud service provider; and a range of attacks, costing $28.7 billion, on computer systems around the world. Lloyd’s and Cyence pointed to the estimated economic losses of between $50 billion and $70 billion from Sandy.

The Lloyd’s-Cyence report said there is a cyberrisk insurance gap in the range of tens of billions of dollars, with the majority of potential losses not covered.

“This report gives a real sense of the scale of damage a cyberattack could cause the global economy,” Inga Beale, chief executive officer of Lloyd’s, said in a statement. “Just like some of the worst natural catastrophes, cyber events can cause a severe impact on businesses and economies, trigger multiple claims and dramatically increase insurers’ claims costs. Underwriters need to consider cyber cover in this way and ensure that premium calculations keep pace with the cyber threat reality.”

Lloyd’s has detailed the possible incidents, Beale said, in order to encourage insurers to consider both their cyber exposures and their limits in a “fast-growing, innovative insurance class.”

The economic loss from an attack on a cloud system, the report said, could range upwards from $4.6 billion. “Meanwhile, average insured losses range from US$620 million for a large loss to US$8.1 billion for an extreme loss,” the report said.

A broad-based software incident, the report said, could produce economic losses from $9.7 billion, with the average insured losses ranging from $762 million to $2.1 billion.

The report put the uninsured gap surrounding a cloud-based incident at as high as $45 billion. This, Lloyd’s said, would mean just 17% of the economic losses would be insured.

“Cyber, as we all know, is the one of the most challenging risks that insurers and businesses are facing in today’s world,” Jon Hancock, director of performance management at Lloyd’s, told a seminar at Lloyd’s on the launch of the report. “It is fast-evolving as changes in technology drive both attack and defense strategies. It’s also just naturally by its newness one of the least-understood risks.”

Hancock said Lloyd’s is committed to increasing its market share in cyber, which he likened to Lloyd’s three centuries of experience in natural catastrophes. He said cyber premiums are predicted to double in the next three years.

Hancock, who emphasized Lloyd’s determination to increase its understanding of cyberrisk and exposures, listed previous studies Lloyd’s has released in this area. “Ultimately we do want to help businesses build greater resilience into their models,” he said.

Lloyd’s reports, Hancock said, have considered such issues as the possible effects of an attack on the U.S. power grid; and how organizations can help mitigate the impact of cyberattacks.

“We’re publishing a lot of material on this, and we will continue to do so,” Hancock said.

Sean Kanuck, director of future conflict and cybersecurity for Cyence, said the report was “an important stepping stone in maturing the conversation about how to think about the costs and develop this marketplace with a full appreciation of strategic trends.”

Kanuck, who cited his background in cyber analysis for the U.S. intelligence community, said he tends to think of global information risk rather than security. Networks, he suggested, will be compromised, particularly as the means of breaching data defenses are converging.

In the intelligence and national security world, Kanuck said, “you don’t think about building things. You think about breaking them.”

Kanuck said a rapidly increasing rate of technological change will create concerns as well as opportunities for those organizations that can provide products to help manage and transfer that risk.