How much does a cyber-attack cost?

By Kim Darrah


As cybersecurity continues to dominate political agendas around the world, a report published by Lloyds of London estimates a severe cyber-attack could cost the global economy more than Hurricane Katrina.

A report co-written by Lloyds of London and risk-modeling firm Cyence has sought to identify just how vulnerable the global economy is to cyber-attacks. The report comes shortly after the NotPetya disaster, which saw a cyber-virus spread to businesses in more than 100 countries around the world.

According to Cyence: “The insurance industry requires an economic model around cyber-risk, which not only addresses the question on frequency (probability), but also answers questions on severity (how bad is the event going to be?), financial loss (how much is it going to cost?), and recurrence (if a company had an event, what is their probability of having a follow-on event?).”

The report underscored the mounting threat cyber-attacks pose to both businesses and governments. In particular, it modeled a hypothetical hack of a cloud services provider. According to the report, such an attack would result in economic losses ranging from $4.6bn to $53bn. And, in the most extreme cases, losses could rise to as much as $121bn. At the higher end, such losses would be on par with those inflicted by some of the most extreme natural disasters, such as hurricanes Katrina and Sandy.

“In the most extreme cases, a cyber-attack could see losses rise to as much as $121bn.”

As reported by The Guardian, Lloyds Chief Executive Inga Beale said: “This report gives a real sense of the scale of damage a cyber-attack could cause the global economy. Just like some of the worst natural catastrophes, cyber-events can cause a severe impact on businesses and economies, trigger multiple claims and dramatically increase insurers’ claims costs… underwriters need to consider cyber-cover in this way and ensure that premium calculations keep pace with the cyber-threat reality.”

Talking of the challenges cyber-risk modeling presents, Cyence said: “The world’s companies are increasingly realising that cybersecurity is not just a technical problem but a business risk. It has to be managed like other business risk, not only through a combination of risk prevention and mitigation (technology products and services), but also through risk transfer (insurance).”

The cyber-insurance industry struggles to model risk due to a lack of historical data, as well as the human element behind most attacks. Despite such complications, the industry is quickly growing: according to insurance broker Marsh, the cyber-insurance industry is currently worth over $3bn, and is expected to double in the next few years.





Please enter your comment!
Please enter your name here