Lloyd’s of London, one of the world's largest insurers, warns that a well-executed cyber attack could cause damages around the world ranging from $53.1 billion to $121.4 billion, according to a report the company released today.
The findings suggest economic losses from cyber events have the potential to be as large as those caused by major hurricanes and other natural disasters. Most of the losses would be economic in nature, as opposed to the physical damages caused by natural disasters.
For its report, Lloyd's analyzed two possible attack scenarios: one is a hack of a global cloud service provider, such as Amazon, Google, or Microsoft, while the other is a mass vulnerability attack, similar to the WannaCry incident.
Scenario 1: Cloud service provider hack
A sophisticated group of “hacktivists” sets out to disrupt cloud-service providers and their customers to draw attention to the environmental impacts of business and the modern economy. The group makes a malicious modification to a “hypervisor” that controls the cloud infrastructure. This causes many cloud-based customer servers to fail, leading to widespread service and business interruption.
Scenario 2: Mass vulnerability attack
A cyber analyst accidentally leaves his bag on a train that contains a hard copy of a report on a vulnerability that affects all versions of an operating system run by 45% of the global market. This report is traded on the dark web and is purchased by an undetermined number of unidentified criminal parties who develop system exploits and begin attacking vulnerable businesses for financial gain.
Starting from these two very plausible scenarios, experts from Lloyd's calculated the potential damages in best- and worst-case scenarios.
For the cloud service disruption scenario in the report, these losses range from US$4.6 billion for a large event to US$53.1 billion for an extreme event; in the mass software vulnerability scenario, the losses range from US$9.7 billion for a large event to US$28.7 billion for an extreme event.
Experts said that economic losses could be much lower, but in extreme cases, they could reach extreme heights. "For example, while average losses in the cloud service disruption scenario are US$53 billion for an extreme event, they could be as high as US$121.4 billion," experts said.
Lloyd's report comes two months after the WannaCry incident, which was used as the basis for Scenario 2. The WannaCry ransomware outbreak affected the activity of thousands of companies across the globe, leading to temporary shutdowns in factories, hospitals, government agencies, and others.
Scenario 1 was built around the idea of a "critical" cloud provider that is so embedded in the Internet's core that a compromise of its service would trickle down to thousands of other Internet services and the vast majority of Internet users. This is why the damages from Scenario 1 are far greater than those from Scenario 2.
The report also took into account past cyber incidents like the DDoS attacks carried out by the Mirai botnet, and past prevalent ransomware families such as BitLocker.
The Lloyd's report was released to bring attention to the lack of insurance policies that cover cyber incidents. Left uncovered, the financial damages from a cyber incident could very well bury a company in debt, hinder its activity, or force it to shut down.