Lloyd’s estimates that an extreme cyber attack could result in losses of up $121 billion

July 23, 2017 |

Lloyds has published a report titled Counting the Cost where it estimates that of the potential economic impact of a hypothetical malicious hack on a cloud service provider, and attacks on vulnerable computer systems run by businesses around the world could be as high as $53bn and $28.7bn respectively. A cloud service disruption scenario, because of the uncertainty around aggregating cyber losses could result in losses as high as $121bn, or as low as $15bn. A similar report in 2015, titled Business Blackout, estimated that a cyber attack on the US power grid could result in insurance losses of $21.4bn,

The media report provides:

The report, “Counting the cost: Cyber exposure decoded”, reveals the potential economic impact of two scenarios: a malicious hack that takes down a cloud service provider with estimated losses of $53 billion, and attacks on computer operating systems run by a large number of businesses around the world which could cause losses of $28.7 billion. By comparison, Superstorm Sandy, the second costliest tropical cyclone on record, is generally considered to have caused economic losses between $50 billion and $70 billion.

The findings also reveal that, while demand for cyber insurance is increasing, the majority of these losses are not currently insured, leaving an insurance gap of tens of billions of dollars.

Inga Beale, CEO of Lloyd’s, said:
“This report gives a real sense of the scale of damage a cyber-attack could cause the global economy. Just like some of the worst natural catastrophes, cyber events can cause a severe impact on businesses and economies, trigger multiple claims and dramatically increase insurers’ claims costs. Underwriters need to consider cyber cover in this way and ensure that premium calculations keep pace with the cyber threat reality.

“We have provided these scenarios to help insurers gain a better understanding of their cyber risk exposures so they can improve their portfolio exposure management and risk pricing, set appropriate limits and expand into this fast-growing, innovative insurance class with confidence.”

For the cloud service disruption scenario in the report, average economic losses range from US$4.6 billion from a large event to $53 billion for an extreme event. This is the average in the scenario, because of the uncertainty around aggregating cyber losses this figure could be as high as $121 billion or as low as $15 billion. Meanwhile, average insured losses range from US$620 million for a large loss to US$8.1 billion for an extreme loss.

In the mass software vulnerability scenario, the average losses range from US$9.7 billion for a large event to US$28.7 billion for an extreme event. And the average insured losses range from US$762 million to US$2.1 billion.

The uninsured gap could be as much as $45 billion for the cloud services scenario – meaning that less than a fifth (17%) of the economic losses are actually covered by insurance. The insurance gap could be as high as $26 billion for the mass vulnerability scenario – meaning that just 7% of economic losses are covered.

Lloyd’s worked with Cyence to collect data at internet scale to model cyber risk and evaluate the financial, economic and insurance impact of these scenarios.

Arvind Parthasarathi, CEO of Cyence, added:
“Cyence is excited to be working with Lloyds on empowering the insurance industry to understand and model cyber risk. Leveraging Cyence’s unique cyber risk platform, we’re excited to see insurers providing more capacity, bringing innovative products to market with greater confidence and creating a more robust and sustainable insurance market.”

While the introduction to the report provides:

While digitisation is revolutionising business and daily life, it is also making the global economy more vulnerable to cyber-attacks. As the cyber threat grows so the demand for cyber insurance increases.

Today, Lloyd’s Class of Business team estimates that the global cyber market is worth between $3 billion and $3.5 billion. Despite this growth, insurers’ understanding of cyber liability and risk aggregation is an evolving process as experience and knowledge of cyber-attacks grows.

The aim of this report is to provide insurers who write cyber coverage with realistic and plausible scenarios to help quantify cyber-risk aggregation.

By understanding cyber-risk exposure, insurers can improve their portfolio exposure management, set appropriate limits and gain the confidence to expand into this fast-growing insurance class.

The report is designed for risk managers whose businesses are exposed to the types of cyber-attacks described in the report’s two scenarios: a hack that takes down their cloud-service provider or an attack that causes the failure of a particular operating system across their own company, customers, suppliers and/or business partners.

We have also produced a technical guide for underwriters, exposure managers and managing agents in the Lloyd’s market which details how to apply the methodology to risk portfolios.


The Lloyd’s report identified six trends which contributed to digital vulnerability: the volume of contributors to the development of software; the volume of software; open-source software; old software; multi-layered software built on existing code; and software generated through automated processes, which can be modified for malicious intent. A single cyber event had the potential to increase industry loss ratios by 19% and 250% for large and extreme loss events, respectively. Lloyd’s estimated that the global cyber insurance market is today worth between $3bn and $3.5bn.

One Response to “Lloyd’s estimates that an extreme cyber attack could result in losses of up $121 billion”

  1. Lloyd’s estimates that an extreme cyber attack could result in losses of up $121 billion | Australian Law Blogs

    […] Lloyd’s estimates that an extreme cyber attack could result in losses of up $121 billion […]

Leave a Reply

Verified by MonsterInsights