Industry is massively underinsured against a major global cyberattack — which could trigger losses on a par with natural disasters such as Hurricane (Superstorm) Sandy. This is one of the main conclusions of a study conducted by Lloyd’s of London (the world’s oldest insurance organization, with more than 20% of the global cyber insurance market) and Cyence (a risk modeling firm).
The report, “Counting the cost: Cyber exposure decoded” (PDF), examines two attack scenarios. In the first, attackers make a malicious modification to a hypervisor controlling the cloud infrastructure, which causes multiple server failures in multiple cloud customers. In the second, a zero-day vulnerability affecting an operating system with 45% share of the market is obtained by unidentified criminal groups that attack vulnerable businesses for financial gain.
In the first (cloud) scenario, the projected losses range from $4.6 billion for a large event to $53.1 billion for an extreme event. In the second (zero-day) scenario, the projected losses range from $9.7 billion for a large event to $28.7 billion for an extreme event. However, the report also notes that losses could be much lower or very much higher: as low as $15.6 billion or as high as $121.4 billion for an extreme cloud event.
The uninsured gap could be as much as $45 billion for the cloud services scenario – meaning that less than a fifth (17%) of the economic losses are covered by insurance. The insurance gap could be as high as $26 billion for the mass vulnerability scenario – meaning that just 7% of economic losses are covered.
This represents both a major market opportunity for the cyber insurance industry, and a poor understanding of the financial risk level within industry. The warning comes just weeks after major global ransomware attacks (WannaCry and NotPetya) and a U.S. government warning to industrial firms about a hacking campaign targeting the nuclear and energy sectors.
This variation in projected costs reflects the second major conclusion drawn by the study: neither the security industry nor the underwriting industry yet has sufficient understanding of global cybersecurity risk to formulate accurate risk/exposure figures for insurance purposes.
For example, for motor insurance, the industry has many years of detailed data on motor accidents: types of vehicle, ages of drivers, geolocations and so on; all against a background of improving motor safety. Cyber security, however, has little such data in a market whose conditions are continually worsening with new and more sophisticated attackers. This is further complicated by a poor understanding of liability and risk aggregation in cyber liability.
“The doomsday scenarios painted in the report highlight the growing issue of cyber risk aggregation,” suggests Pete Banham, cyber resilience expert at Mimecast. “By adopting a cloud strategy that seeks to reduce the number of vendors, organizations may be tipping towards short term cost savings at the expense of security.”
“For the insurance industry to capitalize on the growing cyber market,” notes the report, “insurers would benefit from a deeper understanding of the potential tail risk implicit in cyber coverage.” At the same time, it suggests, “Risk managers could use the cyber-attack scenarios to see what impacts cyber-attacks might have on their core business processes, and plan what actions they could take to mitigate these risks.”
“This report gives a real sense of the scale of damage a cyber-attack could cause the global economy,” comments Inga Beale, CEO of Lloyd’s. “Just like some of the worst natural catastrophes, cyber events can cause a severe impact on businesses and economies, trigger multiple claims and dramatically increase insurers’ claims costs. Underwriters need to consider cyber cover in this way and ensure that premium calculations keep pace with the cyber threat reality.”
It should be noted, however, that the cyber security industry — which could be impacted if industry diverts its primary risk strategy from mitigation (buying security controls) to transference (buying insurance) — has its doubts.
“These are big numbers,” comments David Emm, principal security researcher at Kaspersky Lab, “but they don’t mean much unless terms such as ‘serious cyber-attack’ are quantified. How can we assess the global cost of an attack? It could mean anything from a temporary interruption of service to the takeover of customer systems – with very different costs. It’s important for companies to conduct their own risk assessment and develop a strategy that’s designed to secure corporate systems and mitigate the risk of an attack on those systems.”
Two years ago, Lloyd’s predicted that a major successful attack against the U.S. power grid “would cause between $243 billion to more than $1 trillion in economic damage.”