Lloyd's: Global Hack - $53B in Losses
July 17, 2017
A major global cyber-attack has the potential to trigger $53
billion of economic losses, roughly equivalent to a
catastrophic natural disaster like 2012’s Superstorm Sandy,
according to a scenario described in new research by Lloyd’s
and Cyence, a cyber risk analytics modeling firm.
The report, “Counting the cost: Cyber
exposure decoded”, reveals the potential economic
impact of two scenarios: a malicious hack that takes down a
cloud service provider with estimated losses of $53 billion, and
attacks on computer operating systems run by a large number of
businesses around the world which could cause losses of $28.7
billion. By comparison, Superstorm Sandy, the second costliest
tropical cyclone on record, is generally considered to have
caused economic losses between $50 billion and $70 billion.
The findings also reveal that, while demand for cyber insurance
is increasing, the majority of these losses are not currently
insured, leaving an insurance gap of tens of billions of
Inga Beale, CEO of Lloyd’s, said: “This report gives a real
sense of the scale of damage a cyber-attack could cause the
global economy. Just like some of the worst natural
catastrophes, cyber events can cause a severe impact on
businesses and economies, trigger multiple claims and
dramatically increase insurers’ claims costs. Underwriters need
to consider cyber cover in this way and ensure that premium
calculations keep pace with the cyber threat reality.
“We have provided these scenarios to help insurers gain a better
understanding of their cyber risk exposures so they can improve
their portfolio exposure management and risk pricing, set
appropriate limits and expand into this fast-growing, innovative
insurance class with confidence.”
For the cloud service disruption scenario in the report, average
economic losses range from US$4.6 billion from a large event to
$53 billion for an extreme event. This is the average in the
scenario; because of the uncertainty around aggregating cyber
losses, this figure could be as high as $121 billion or as low as
$15 billion. Meanwhile, average insured losses range from US$620
million for a large loss to US$8.1 billion for an extreme loss.
In the mass software vulnerability scenario, the average losses
range from US$9.7 billion for a large event to US$28.7 billion
for an extreme event. And the average insured losses range from
US$762 million to US$2.1 billion.
The uninsured gap could be as much as $45 billion for the cloud
services scenario – meaning that less than a fifth (17%) of the
economic losses are actually covered by insurance. The insurance
gap could be as high as $26 billion for the mass vulnerability
scenario – meaning that just 7% of economic losses are covered.
Lloyd’s worked with Cyence to collect data at internet scale to
model cyber risk and evaluate the financial, economic and
insurance impact of these scenarios.
Arvind Parthasarathi, CEO of Cyence, added:
“Cyence is excited to be working with Lloyd’s on empowering the
insurance industry to understand and model cyber risk.
Leveraging Cyence’s unique cyber risk platform, we’re excited to
see insurers providing more capacity, bringing innovative
products to market with greater confidence and creating a more
robust and sustainable insurance market.”
The economic and insurance consequences of cybercrime are
increasing. In 2016, cyber-attacks were estimated to cost
businesses as much as $450 billion a year (Graham, 2017).
Today, Lloyd’s Class of Business team estimates that the global
cyber market is worth between $3bn and $3.5bn (Stanley, 2017);
by 2020, some analysts estimate it could be worth $7.5bn (PwC,
The report described two scenarios:
- Scenario 1: Cloud service provider hack. A sophisticated group of
“hacktivists” sets out to disrupt cloud-service providers and their
customers to draw attention to the environmental impacts of business
and the modern economy. The group makes a malicious modification to
a “hypervisor” that controls the cloud infrastructure. This causes
many cloud-based customer servers to fail, leading to widespread
service and business interruption.
- Scenario 2: Mass vulnerability attack. A
cyber analyst accidentally leaves his bag on a train that contains a
hard copy of a report on a vulnerability that affects all versions
of an operating system run by 45% of the global market. This report
is traded on the dark web and is purchased by an undetermined number
of unidentified criminal parties who develop system exploits and
begin attacking vulnerable businesses for financial gain.
These figures represent the mean values of simulated loss year
severities for large and extreme loss events, and take into
account all expected direct expenses related to the events.
Impacts such as property damage and bodily injury, as well as
indirect losses such as the loss of customers and reputational
damage, are not taken into account.
Economic losses could be much lower or higher than the average
in the scenarios because of the uncertainty around cyber
aggregation. For example, while average losses in the cloud
service disruption scenario are $53 billion for an extreme
event, they could be as high as US$121 billion or as low as
US$15 billion, depending on factors such as the different
organisations involved and how long the cloud service disruption
The challenge with modelling cyber risk and accumulation is the
lack of data from authoritative information sources. Claims and
incident data from past years is not often germane due to the
changing and volatile nature of the risk. And unlike physical
perils, cyber has accumulation paths with increasing use of
internet networks and technology.