Economic Damage from Global Cyberattack Would Rival Superstorm Sandy

Report Warns That Fallout From Large Global Cyberattack Could Be As Costly As A Major Natural Disaster

A recent report warns that the fallout from a large worldwide cyberattack could be as costly as a major natural disaster, topping more than $53 billion. As a comparison, Lloyd’s of London cites Superstorm Sandy, which devastated New Jersey and other East Coast states in 2012.

Projecting Cyber Losses

The report, which Lloyd’s prepared with risk-modeling company Cyence, examines the potential losses associated with two hypothetical cyber incidents. In the first, hackers take down a cloud-service provider, which causes many cloud-based customer servers to fail and leads to widespread service and business interruption. In the second, a cyber analyst loses a bag that contains a hard copy of a report on a vulnerability that affects all versions of an operating system run by 45 percent of the global market. Criminals purchase the report on the dark web and begin attacking vulnerable businesses for financial gain.

According to Lloyd’s, the goal of its “Counting the Cost” report is to help insurers and risk managers quantify cyber-risk aggregation. While costly cyberattacks are on the rise, “the understanding of cyber liability and risk exposures is relatively underdeveloped compared with other insurance classes,” the report notes.

In May, the “WannaCry” ransomware attack spread to more than 100 countries and caused $8 billion in damage. One month later, the virus “NotPetya” spread from the Ukraine to businesses across the world, encrypting data and disabling infected computers along the way. It caused an estimated $850 million in economic losses.

Lloyd’s predicts that losses for future cyberattacks could be much higher. Below are several key findings of the report:

• Cyber incidents can wreak widespread havoc on the global economy. For the hypothetical cloud service disruption incident, the predicted losses range from $4.6 billion for a large event to $53.1 billion for an extreme event. The report projects that the mass software vulnerability incident would cause losses ranging from $9.7 billion for a large event to $28.7 billion for an extreme event.
• The uncertainty around cyber aggregation means that economic losses could be much lower or higher than the averages stated above. For example, losses in the cloud service disruption scenario could be as high as $121.4 billion or as low as $15.6 billion, depending on factors such as the different organizations involved and how long the cloud-service disruption lasts.
• Cyberattacks could trigger billions of dollars of insured losses. According to the report, in the cloud-services scenario, insured losses range from $620 million for a large loss to $8.1 billion for an extreme loss. For the mass software vulnerability scenario, the insured losses range from $762 million (large loss) to $2.1 billion (extreme loss).
• The hypothetical cyberattacks reveal there is an insurance gap of between $4 billion (large loss) and $45 billion (extreme loss) in terms of the cloud services attack, which means that between 13 percent and 17 percent of the losses are covered, respectively. The underinsurance gap is between $8.9 billion (large loss) and $26.6 billion (extreme loss) for the mass vulnerability scenario, which means that just 7 percent of economic losses are covered.

Preparing Your Business for Cyberattack

For New York and New Jersey businesses, the report can be helpful in assessing the impacts a major global cyberattack could have on your day-to-day processes. It can also help determine what actions may be necessary to mitigate these risks.

In June 2017, Lloyd’s released another report regarding the cost of cyberattacks. The report, titled “Closing the gap – insuring your business against evolving cyber threats,” warned that many businesses fail to recognize how costly a cyber incident can be, highlighting that reputational harm and loss of competitive advantage can cause long-term damage to a company’s bottom line.

“The reputational fallout from a cyber breach is what kills modern businesses. And in a world where the threat from cyber-crime is when, not if, the idea of simply hoping it won’t happen to you, isn’t tenable,” said Inga Beale, CEO of Lloyd’s “To protect themselves businesses should spend time understanding what specific threats they may be exposed to and speak to experts who can help handle a breach, minimize reputational harm and arrange cyber insurance to ensure that the risks are adequately covered,” she added.

For companies that have not yet considered dedicated cyber insurance, now may be the time. In addition to the rise in cyberattacks and data breaches, many commercial general liability (CGL) policies now expressly exclude such losses. While cyber insurance policies were once reserved for billion-dollar companies operating in high-risk industries, the market has grown significantly in recent years.

Do you have any comments concerning this topic? Feel free to leave a comment below for Fernando M. Pinguelo. If you have any questions about this post, please contact me or the Scarinci Hollenbeck attorney with whom you work.