LLOYD’S OF LONDON has said a major cyberattack spanning the globe could cause governments, corporations and individuals to lose as much as US$53 billion on average, putting it on par with natural disasters such as 2012’s Superstorm Sandy.
The insurance market players co-wrote a report with risk-modelling company Cyence that put together a hypothetical situation in which cloud service companies and businesses’ computer operating systems become victims of a major cyberattack.
— John Stoddart (@johnhighfields) November 28, 2016
The hypothetical model examines the fallout of a hacking operation whereby hackers slip malicious code into a cloud service provider’s software. The code would have a built-in delay so they could slip under the defenses and purview of cybersecurity software before being triggered, flooding the providers’ clients.
According to the report, the average cost of such an attack could range anywhere from US$4.6 billion to US$53 billion, depending on the size of the event. However, the high-end of things could push that number up to as high as US$121 billion, which could lead to companies being unable to claim losses from insurers due to a lack of coverage.
As much as US$45 billion of that sum may not be covered by cyber policies due to companies underinsuring, the report said, according to Reuters.
The outcome – though there is largely a general lack of information on exactly how vulnerable insurers are – could be disastrous, easily dwarfing the US$8 billion total global cost companies all over the world incurred as a result of the recent WannaCry ransomware attacks.
“Because cyber is virtual, it is such a difficult task to understand how it will accumulate in a big event,” Lloyd’s of London chief executive Inga Beale told Reuters.
Insurers are notably struggling to understand where in their networks the biggest vulnerabilities are, especially as the pace of cybercrime picks up worldwide in tandem with rising demand for comprehensive cyber insurance. Reuters notes most companies lack information frameworks they can rely on to assess their clients’ risk profiles and make base assumptions, a significant problem for an industry which thrives on data.
The hypothetical estimations might not be enough for companies who could stand to risk much of their profits if they don’t find a way around their lack of historical information.
Cybersecurity has made headlines over the last three months since two major attacks were made – the WannaCry ransomware crippled more than 200,000 computers in 100 countries while the NotPetya virus, from Ukraine, spread a malicious piece of malware that rendered various factories, law firms and ports inoperable. NotPetya was significantly less costly – globally, it cost organizations US$850 million.