Unnatural disaster: Lloyd’s says big cyber-attack could cost world economy US$120b, as much as Hurricane Katrina

Lloyd’s of London has warned that a serious cyber-attack could cost the global economy more than US$120billion – as much as catastrophic natural disasters such as Hurricanes Katrina and Sandy.

Published two months after a ransomware cyber-attack that hobbled NHS hospitals in Britain and hit nearly 100 countries, a 56-page report from the world’s oldest insurance market says the threat posed by such global attacks has spiralled and poses a huge risk to business and governments over the next decade.

The most likely scenario is a malicious hack that takes down a cloud service provider with estimated losses of US$53billion, according to Lloyd’s. This is the average estimate, but because of the uncertainty around calculating cyber losses it estimates the figure could be as high as US$121billion or as low as US$15billion.

At the upper end, the cost would outstrip the damage wreaked by Hurricane Katrina in 2005, estimated at US$108billion (including US$80billion of insured losses). Hurricane Sandy in 2012 is estimated to have caused economic losses of US$50billion-US$70billion.

Inga Beale, chief executive of Lloyd’s, said: “This report gives a real sense of the scale of damage a cyber-attack could cause the global economy. Just like some of the worst natural catastrophes, cyber events can cause a severe impact on businesses and economies, trigger multiple claims and dramatically increase insurers’ claims costs.

“Underwriters need to consider cyber cover in this way and ensure that premium calculations keep pace with the cyber-threat reality,” she said.

The second-most likely threat stems from attacks on computer operating systems run by a large number of businesses around the world, which could cause losses of up to US$28.7billion (the “mass software vulnerability scenario”).

The majority of these losses are not insured, leaving governments and businesses vulnerable if cyber-attacks happen. The uninsured gap could be as high as US$45billion for the cloud services scenario, and US$26billion for the mass vulnerability scenario.

Trevor Maynard, Lloyd’s head of innovation and co-author of the report with the cybersecurity firm Cyence, said the global cyberattack in May “showed us that these sorts of attacks are absolutely possible”. Financial services is most at risk, followed by software and technology, hospitality, retail and healthcare.

Cyber cover is a relatively new type of insurance that has emerged in the last few years – Lloyds’s accounts for about a quarter of global premiums – and harder to model and understand than natural catastrophe cover.

Where people are involved, risk changes quite rapidly, Maynard said, from cyber-attacks to terrorism and political risk. However, climate change remains the biggest challenge in the long run.

“From year to year, risk varies relatively little but climate change in the end will be far larger as a risk,” he said. “It affects the global economic structure, food, water. [It’s like] trying to turn a supertanker around – we can’t start in 30 years when things are going bad, we have to start now.”