Industry Massively Underinsured Against Global Cyber Attacks: Study

Industry is massively underinsured against a major global cyberattack, which could trigger losses on a par with natural disasters such as Hurricane (Superstorm) Sandy. This is one of the main conclusions of a study conducted by Lloyd’s of London (the world’s oldest insurance organization, with more than 20% of the global cyber insurance market) and Cyence (a risk modeling firm).


The report, “Counting the cost: Cyber exposure decoded” (PDF), examines two attack scenarios. In the first, attackers make a malicious modification to a hypervisor controlling the cloud infrastructure, which causes multiple server failures in multiple cloud customers. In the second, a zero-day vulnerability affecting an operating system with 45% share of the market is obtained by unidentified criminal groups that attack vulnerable businesses for financial gain.

In the first (cloud) scenario, the projected losses range from $4.6 billion for a large event to $53.1 billion for an extreme event. In the second (zero-day) scenario, the projected losses range from $9.7 billion for a large event to $28.7 billion for an extreme event. However, the report also notes that losses could be much lower or very much higher: as low as $15.6 billion or as high as $121.4 billion for an extreme cloud event.

The uninsured gap could be as much as $45 billion for the cloud services scenario – meaning that less than a fifth (17%) of the economic losses are covered by insurance. The insurance gap could be as high as $26 billion for the mass vulnerability scenario – meaning that just 7% of economic losses are covered.

This represents both a major market opportunity for the cyber insurance industry, and a poor understanding of the financial risk level within industry. The warning comes just weeks after major global ransomware attacks (WannaCry and NotPetya) and a U.S. government warning to industrial firms about a hacking campaign targeting the nuclear and energy sectors. 

This variation in projected costs stems from the study’s second major conclusion: neither the security industry nor the underwriting industry yet has sufficient understanding of global cybersecurity risk to formulate accurate risk/exposure figures for insurance purposes.

For example, for motor insurance, the industry has many years of detailed data on motor accidents: types of vehicle, ages of drivers, geolocations and so on; all against a background of improving motor safety. Cyber security, however, has little such data in a market whose conditions are continually worsening with new and more sophisticated attackers. This is further complicated by a poor understanding of liability and risk aggregation in cyber liability.

“The doomsday scenarios painted in the report highlight the growing issue of cyber risk aggregation,” suggests Pete Banham, cyber resilience expert at Mimecast. “By adopting a cloud strategy that seeks to reduce the number of vendors, organizations may be tipping towards short term cost savings at the expense of security.”

“For the insurance industry to capitalize on the growing cyber market,” notes the report, “insurers would benefit from a deeper understanding of the potential tail risk implicit in cyber coverage.” At the same time, it suggests, “Risk managers could use the cyber-attack scenarios to see what impacts cyber-attacks might have on their core business processes, and plan what actions they could take to mitigate these risks.”

“This report gives a real sense of the scale of damage a cyber-attack could cause the global economy,” comments Inga Beale, CEO of Lloyd’s. “Just like some of the worst natural catastrophes, cyber events can cause a severe impact on businesses and economies, trigger multiple claims and dramatically increase insurers’ claims costs. Underwriters need to consider cyber cover in this way and ensure that premium calculations keep pace with the cyber threat reality.”

It should be noted, however, that the cyber security industry — which could be impacted if industry diverts its primary risk strategy from mitigation (buying security controls) to transference (buying insurance) — has its doubts. 

“These are big numbers,” comments David Emm, principal security researcher at Kaspersky Lab, “but they don’t mean much unless terms such as ‘serious cyber-attack’ are quantified. How can we assess the global cost of an attack? It could mean anything from a temporary interruption of service to the takeover of customer systems – with very different costs. It’s important for companies to conduct their own risk assessment and develop a strategy that’s designed to secure corporate systems and mitigate the risk of an attack on those systems.”

Two years ago, Lloyd’s predicted that a major successful attack against the U.S. power grid “would cause between $243 billion to more than $1 trillion in economic damage.”

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
