There is too little verifiable data about the real costs of cyberattacks and many estimates of the aggregate impact on global and national economies are produced by sources with an interest in inflating them, according to a new survey from a major insurance industry think tank.
“Estimating the costs caused by cyber risk is difficult, as there is high uncertainty and no accepted source of information,” states the report, “Ten Key Questions on Cyber Risk and Cyber Risk Insurance,” published this week by the Zurich-based Geneva Association, a think tank founded by the global insurance industry.
The association, formerly known as the International Association for the Study of Insurance Economics, said in a release that the report’s survey of existing research literature “illustrate[s] the challenges to insuring cyber risk, especially due to a lack of data and modeling approaches, the risk of change and incalculable accumulation risks.” Accumulation risk refers to the combination of losses across different enterprises or lines of business that could result from a single major event — typically something like an earthquake, but in this case a cyberattack.
The report notes that cost estimates for the aggregate impact on the global economy of cybercrime and other kinds of malicious hacking vary by orders of magnitude — from around $100 billion to above $1 trillion.
“These numbers also have to be interpreted with caution, as most of them have been estimated by potentially biased security and consulting firms,” the report notes.
In part, the authors say, the large variations are down to different methodologies. Some estimates, for instance, include only direct costs, whereas others count indirect costs as well.
But even within a single report — a McAfee study from 2014 — there are significant variations in the estimated costs to national economies. For example, for the U.S., costs are estimated to be 0.64 percent of GDP; for Japan, however, they are estimated to be 0.02 percent of GDP, and for Germany, a massive 1.60 percent of GDP.
The report notes that such large differences might be reasonable between, say, more developed nations with a greater proportion of their economy online and less developed ones. But it does “not seem plausible intuitively” that such “extreme variations” should exist among more developed countries.
On the micro level, the report says, there is less variation in the estimates of the cost to victimized companies — although as much as a majority of the expense might be in indirect costs, like a depressed share price and other results of reputational damage.
The report is the first product of a new Geneva Association research program on cyber-risk and innovation, according to the release. It concludes with recommendations for further study by academics; more work by industry on a common lexicon and standards for assessing risk; and incentives and other assistance from governments in the form of insurance pools and other measures.
“Society’s ever-growing reliance on [information and communications technology, or] ICT means that the risks of its failure, be it from malicious acts or system malfunction, are increasingly significant,” said Fabian Sommerrock, the association’s deputy secretary general.
“Future work is necessary not only for the insurance industry and the government, but also much more academic research is needed to improve our understanding of this new and important type of risk,” added Martin Eling, co-author of the report and Director of the Institute of Insurance Economics at the University of St. Gallen.
The lack of data has real consequences, the report says. Insurance market monitor Fitch, for example, recently warned that it will downgrade the credit rating of “insurance companies that write standalone cyber policies too aggressively, because of the high uncertainty this line of business contains.”