Canadian Underwriter

Extreme cloud attack could pack as much of a cost wallop as Hurricane Sandy

July 18, 2017   by Canadian Underwriter

A malicious hack that fells a cloud service provider for a time has the potential to produce estimated economic losses of as much as US$53 billion, in line with the hit delivered by Superstorm Sandy, suggests a new research scenario from speciality insurer Lloyd’s and cyber risk analytics modelling firm Cyence.

Superstorm Sandy, the second costliest tropical cyclone on record, is generally considered to have caused economic losses between US$50 billion and US$70 billion, Lloyd’s notes in releasing Counting the Cost: Cyber Exposure Decoded, which contains two scenarios.

“Just like some of the worst natural catastrophes, cyber events can cause a severe impact on businesses and economies, trigger multiple claims and dramatically increase insurers’ claims costs,” Inga Beale, CEO of Lloyd’s, says in the statement.

“Underwriters need to consider cyber cover in this way and ensure that premium calculations keep pace with the cyber threat reality,” Beale contends.

Lloyd’s worked with Cyence to collect data at Internet scale to model cyber risk and evaluate the financial, economic and insurance impact of these scenarios.

In the cloud scenario, a group of sophisticated hacktivists makes a malicious modification to a “hypervisor” that controls the cloud infrastructure, causing the servers of many cloud-based customers to fail and leading to widespread service and business interruption.

Average economic losses range from US$4.6 billion for a large event to US$53 billion for an extreme event. Average insured losses, for their part, range from US$620 million for a large loss to US$8.1 billion for an extreme loss, the scenario indicates.

Economic losses, though, could be far higher or lower than the average “because of the uncertainty around cyber aggregation,” the report notes. For example, losses in the cloud service disruption scenario could be as high as US$121 billion or as low as US$15 billion, depending on things such as the organizations involved and the duration of the disruption.

Less costly – but at US$28.7 billion, still enormous – is the second scenario, which outlines potential costs associated with attacks on computer operating systems run by a large number of businesses around the world.

The scenario involves a cyber analyst accidentally leaving on a train a bag containing a hard copy of a report on a vulnerability that affects all versions of an operating system run by 45% of the global market. The report is traded on the dark web and purchased by an undetermined number of unidentified criminal parties, who then develop system exploits and begin attacking vulnerable businesses for financial gain.

“The average losses range from US$9.7 billion for a large event to US$28.7 billion for an extreme event. And the average insured losses range from US$762 million to US$2.1 billion,” notes the statement.

“These figures represent the mean values of simulated loss year severities for large and extreme loss events, and take into account all expected direct expenses related to the events,” the statement explains, but adds impacts such as property damage, bodily injury, loss of customers and reputational damage are not included.

Whichever scenario, the research shows that despite increasing demand for cyber insurance, “the majority of losses that would be sustained are currently uninsured, leaving a coverage gap of tens of billions of dollars.”

The uninsured gap could be as much as US$45 billion for the cloud services scenario and as high as US$26 billion for the mass vulnerability scenario.

“Today, Lloyd’s Class of Business team estimates that the global cyber market is worth between US$3 billion and US$3.5 billion,” notes the report. “Despite this growth, insurers’ understanding of cyber liability and risk aggregation is an evolving process as experience and knowledge of cyber attacks grows.”

Scenario figures are meant to help insurers “improve their portfolio exposure management and risk pricing, set appropriate limits and expand into this fast-growing, innovative insurance class with confidence,” Beale comments.

Citing the potential economic losses associated with cyber events, insurers could benefit from thinking about cyber cover and making “explicit allowance for aggregating cyber-related catastrophes,” says Trevor Maynard, head of innovation for Lloyd’s.

Data collection and quality is important, “especially as cyber risks are constantly changing,” Maynard emphasizes.

“Cyence is excited to be working with Lloyd’s on empowering the insurance industry to understand and model cyber risk,” says company CEO Arvind Parthasarathi.

“The cyber threat is increasing and is expected to continue to do so as the world economy continues to digitize operations, supply chains and business transactions, as well as employee and customer services,” the report states.

“For the insurance industry to capitalize on the growing cyber market, insurers would benefit from a deeper understanding of the potential tail risk implicit in cyber coverage,” it suggests.

“Cyber liability is still at an early stage compared to other coverage lines and deeper understanding of exposures will help the market move towards more expansive coverage and set adequate limits that meet the insurance needs presented by cyber risk,” the report advises.

“Insureds’ use of the Internet is also changing, causing cyber risk accumulation to change rapidly over time in a way that other perils do not,” it points out.

That being the case, it is important to keep on top of trends to understand cyber aggregation, including the following:

  • the number of people developing software has increased, with each contributor potentially adding vulnerability to the system unintentionally through human error;
  • the amount of code in existence is increasing, meaning the potential for more errors and, therefore, greater vulnerability;
  • because new software is typically built on top of prior software code, this makes software testing and correction difficult and resource intensive; and
  • code can be produced through automated processes that can be modified for malicious intent.

“The aggregation potential of the losses from these scenarios shows that cyber risks should be considered as cat exposed classes,” the report states.

“In property classes that are exposed to aggregating risks it is typical to include catastrophe loading in technical premium calculations and capital models, and this or similar approaches may be appropriate for cyber business going forward, especially as insurance penetration rates rise,” it recommends.