Lloyd's of London has predicted that a global cyber-attack could end up costing anywhere between US$4.6 billion to US$53 billion (£3.5 to £40.5 billion). Such an international catastrophe could put major cyber-attacks on a par with natural disasters like Hurricane Sandy, the insurer said on Monday.
The figure comes as insurers struggle to put concrete currency to this new kind of threat. Cyber-attacks can often puzzle insurers, even as they face a massive growth in demand for the nascent field of cyber-insurance. Cyber-attacks being a relatively new phenomenon, insurers are often deprived of the actuarial data which would be so plentiful in other fields.
The costs incurred off the back of a cyber-attack often include business stoppage, product damage, managing public relations fallout and, of course, IT assistance in recovering from a breach.
Lloyd's itself has around a quarter share of the cyber-insurance market, according to Inga Beale, Lloyd's of London's chief executive who talked to Reuters.
The sizable figure that the report points to refers not to the losses of individual companies but to losses incurred as a result of a massive global cyber-attack, causing major disruption in the international economy.
In the last couple of months the world has witnessed the likes of WannaCry and Petya/NotPetya ravaging the networks and bank accounts of companies around the world. WannaCry is estimated to have cost $8 billion (£6 billion) and days after Petya/NotPetya, billion dollar companies were still reporting a slow recovery and tens of millions in lost revenue.
The attack hit on the eve of international consumer goods giant Reckitt Benckiser's third quarter, and the firm predicted it would take a £100 million bite out of the company's revenue.
Startling though Lloyds' prediction might be, the estimate should not be taken at face value, David Emm, principal security researcher at Kaspersky Lab, told SC: “These are big numbers, but they don't mean much unless terms such as ‘serious cyber-attack' are quantified. How can we assess the global cost of an attack? It could mean anything from a temporary interruption of service to the takeover of customer systems – with very different costs.”
That number could get worse without a fundamental change of mindset, Dean Ferrando, systems engineering manager at Tripwire, told SC. Organisations need to “understand that securing IT infrastructures, endpoint devices and data is not a simple case of having the latest technology.”
“If enterprises are to avoid being stung by a cyber-attack they need a security hygiene programme that incorporates educating the workforce about security, installing protective platforms which involves investing in the right technology. An important point to mention would be that having the right technology also means maintaining the basic levels of patching. If everyone implemented this and followed the business recommended processes, then we would start to see a reduced number in attacks and the costs that surround them.”