A successful major hacking attack on a global cloud provider could easily end up costing more than a huge natural disaster like Superstorm Sandy, and it could cripple the nascent cyber-insurance market even though only a fraction of the losses would be covered, a new report says.
The report, which underlines the high volatility and low risk visibility that cyber-insurers face, was co-produced by venerable insurance market-maker Lloyd’s of London and Silicon Valley risk-management company Cyence.
Its authors acknowledge it is hard to estimate losses from future large cyber-events with any degree of exactitude. “The understanding of cyber liability and risk exposures is relatively underdeveloped compared with other insurance classes,” they write. “Traditional insurance risk modeling relies on authoritative information sources such as national or industry data, but there are no equivalent sources for cyber-risk.”
As a result, there is a very wide range of possible cost totals, depending on how the impact cascades through the economy.
The report examines two possible cyber scenarios: one in which cloud infrastructure is attacked by hacktivists, causing the companies that rely on it to be cut off; and another in which “a vulnerability that affects all versions of an operating system run by 45 percent of the global market” is accidentally exposed and ends up for sale to the highest bidder on the dark web.
In the cloud scenario, the report says, a “large” event would cause direct economic losses of $4.6 billion, compared with $53.1 billion for an extreme event. The range of possible losses from an “extreme” event, meanwhile, runs from $15.6 billion to as high as $121.4 billion, “depending on factors such as the different organizations involved and how long the cloud-service disruption lasts for.”
These figures can be compared to the economic costs of Superstorm Sandy, which were $70 billion, according to the Insurance Journal.
In the mass vulnerability scenario, the direct losses range from $9.7 billion for a large event to $28.7 billion for an extreme one.
Only a fraction is covered
Insurers in the U.S. earned $1.35 billion in cyber-insurance premiums last year, a 35 percent jump from 2015, according to Fitch Ratings. But Lloyd’s estimates that the global cyber market is currently worth between $3 billion and $3.5 billion, according to the report, which adds that some analysts expect that to double in size over the next three years.
As a result, “Cyberattacks have the potential to trigger billions of dollars of insured losses,” the report points out, although the authors acknowledge that less than 20 percent of the economic losses would be covered by insurance even under the most optimistic predictions.
In the cloud-hacking scenario, the “insurance gap” between what’s lost and what’s claimable could run from as low as $4 billion in a large event to as much as $45 billion in an extreme one — “meaning that between 13% and 17% of the losses are covered, respectively.”
In the mass vulnerability scenario — in part because the costs are more widely spread among individuals and small enterprises — just 7 percent of economic losses would be covered by insurance.
But even with those low levels of coverage “a single cyber event has the potential to increase industry loss ratios by 19 percent [for a large event] and 250 percent [for an extreme one],” the authors write.
“This illustrates the catastrophe potential of the cyber-risk class,” they conclude.
“This report gives a real sense of the scale of damage a cyber-attack could cause the global economy. Just like some of the worst natural catastrophes, cyber events can cause a severe impact on businesses and economies, trigger multiple claims and dramatically increase insurers’ claims costs,” Inga Beale, CEO of Lloyd’s, said in a statement.