Lloyd’s published a systemic risk scenario that models the global economic impact of a hypothetical but plausible cyber attack on a major financial services payments system, resulting in widespread disruption to global business and potential global economic losses of $3.5trn (see Global Economic and Insurance Market Outlook 2024).
The recovery time for individual countries or regions depends on the structure of their economy, exposure levels and resilience.
The three countries that experience the highest 5-year economic loss from the scenario are the United States ($1.1trn), followed by China ($470bn) and Japan ($200bn).
Cyber attacks continue to threaten businesses and governments, with year-on-year costs around maintenance, prevention, and response to attacks increasing (see How Does Cyber Security Hygiene Reduce the Risk of Cyberattacks?).
Cyber remains a risk that has the potential to affect all areas of society, as it is both a complex and connected risk impacting areas such as supply chains and geopolitics.
Cyber insurance market risks
The global interconnectedness of cyber means it is too substantial a risk for one sector to face alone and therefore we must continue to share knowledge, expertise and innovative ideas across government, industry and the insurance market to ensure we build society’s resilience against the potential scale of this risk.
Cyber insurance is a growing market, estimated at just over $9bn in Gross Written Premiums last year, and forecast to hit between $13bn and $25bn by 2025.
However this still represents a small portion of the potential economic losses that businesses and society face.
“We are committed to building resilience around systemic risk and the risk scenario released today highlights the important role of insurance in supporting and protecting customers against the potential threat cyber poses to businesses and society.” – Bruce Carnegie-Brown, Lloyd’s Chairman
With over a fifth of the world’s cyber premium being placed in the Lloyd’s market, Lloyd’s is seeking to support the growth of the class thoughtfully and sustainably – while also enabling innovation for new products, for example through the Lloyd’s Lab.
Lloyd’s Futureset held its first Cyber Innovation Forum, connecting customers with representatives from technology, government, and insurance sectors to discuss global cyber risk and the collective steps needed to respond (see Ransomware Attacks in the United States).
Global Cyber Systemic Risk
Lloyd’s defines systemic risk as a low-likelihood, high-impact risk which affects either a systemically important global enterprise or multiple sectors, societies, or national economies. Such risks can be global in impact, often hitting billions of people simultaneously.
Among the other systemic risk scenarios modelled in the research are geopolitical conflict, and extreme weather events leading to food and water shock and economic stagnation.
Produced in partnership with the Cambridge Centre for Risk Studies, the research explores nine hypothetical (but plausible) systemic risk scenarios and is complemented by an interactive data tool that allows users to reveal the potential economic impact of each scenario across 107 countries and at three levels of severity (major, severe and extreme).
How vulnerable is the economy to a major cyber-attack?
Cyber attacks pose a considerable threat to businesses. Year on year, costs around maintenance, prevention, and response to attacks are increasing. And with examples scattered across major news outlets, like the recent Zellis payroll attack, which affected a number of large British businesses, the world is waking up to the reality of what could be at stake if a global cyber attack were to play out.
Lloyd’s is committed to building resilience against major cyber risk. The systemic cyber scenario has been developed to help risk owners better understand the potential exposures at play and the role of insurance to protect against the evolving cyber risk landscape.
A cyber attack infiltrates major payment systems
Even a ‘run of the mill’ cyber attack has the potential to paralyse systems and stop the best-protected organisations in their tracks. The following scenario explores a hypothetical unprecedented cyber attack on major payment systems – revealing how quickly the effects could cascade across all sectors of the economy.
The attack consists of a number of simultaneous, highly sophisticated and persistent attacks against multiple financial services organisations.
The impacts deal a significant blow to confidence in financial institutions and in transactional relationships that underpin trade and international security.
Attackers plant malicious code in critical pieces of software used by the financial services industry to confirm transactions and verify payments during routine software updates. The update is sent to tens of thousands of partner and customer networks, infiltrating them at the same time.
- The attack creates a back door allowing hackers to initiate a major breach, meaning that customers cannot pay for goods and services; banks can’t clear payments; and inter-bank lending grinds to a halt.
- By scrambling the data now in their possession, hackers can divert funds to a network of accounts under their control. Lying undiscovered for months, it takes yet more time to repair the damage and discover further breaches.
- The attack is both expensive and limiting for the institutions involved; response teams get caught up in a game of cyber cat and mouse, distracting them from their critical work and from supporting customers.
Beyond the immediate costs, confidence in financial institutions is shaken; trade and customer relationships suffer; regulations tighten to prevent future breaches and long-term business costs increase to build system resilience.
The severity of events and measure of impact
The scenario explores three potential levels of severity, listed in the table below. Whilst these have been inspired by historical references, all three severity levels represent highly sophisticated and novel attacks which have never been seen.
While any cyber attack has the potential to be a major incident, a targeted attack will typically impact a business in one of three ways:
- to breach data (confidentiality)
- to compromise data accuracy and validity (integrity)
- to prevent access to services (availability)
Those that impact all three are the most damaging, which occurs in our ‘extreme’ scenario severity level. Compounding this, an attack on systemically important organisations or software could lead to secondary disruption cascading across multiple industries.
Using global Gross Domestic Product (GDP) as its central measurement, the Lloyd’s and Cambridge model calculates the global economic loss of a global cyber-attack on a major financial services payment system as:
- $3.5trn is the global economic loss over a five-year period (the weighted average across the three severities we have modelled)
- The global economic loss ranges from £2.2trn in the lowest severity scenario up to $16trn in the most extreme scenario
- $140bn is the expected global economic loss (the sum-product of the five-year economic loss and the probability of the event occurring)
Regional economic loss figures from cyberattack
[Table: Region | 5 Year Economic Loss ($bn); the rows are not reproduced here.]
The scenario severities have been given a probability of occurring in the next five years, based on several risk factors.
In the cyber scenario, the probabilities for each severity are: Major 3.32% (a 1-in-30-year event), Severe 0.50% (1-in-200-year), Extreme 0.12% (1-in-1,000-year).
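The two headline figures above (the probability-weighted average loss and the expected loss as a sum-product of loss and probability) are simple enough to reproduce. The block below is an added illustration, not the Lloyd’s and Cambridge model or its data: it takes the major and extreme five-year losses and the three probabilities as the page states them, and fills in the severe-tier loss, which the page does not give, with a constructed placeholder of $9.6trn so that the arithmetic can be followed end to end.

```python
"""Scenario-loss arithmetic for a severity-tiered cyber scenario (added example).

Constructed illustration of the method described on the page: each severity
tier carries a five-year economic loss and a probability; the headline figures
are the probability-weighted average loss and the expected loss (sum-product).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Severity:
    name: str
    five_year_loss_bn: float   # five-year global economic loss, in $bn
    probability: float         # probability of the event, as given on the page


def probability_from_return_period(return_period_years: float) -> float:
    """Convert a '1-in-N-year' return period to a probability of 1/N."""
    if return_period_years <= 0:
        raise ValueError("return period must be positive")
    return 1.0 / return_period_years


def expected_loss_bn(severities: list[Severity]) -> float:
    """Sum-product of each tier's loss and its probability, in $bn."""
    return sum(s.five_year_loss_bn * s.probability for s in severities)


def probability_weighted_loss_bn(severities: list[Severity]) -> float:
    """Average loss across tiers, weighted by each tier's probability, in $bn."""
    total_p = sum(s.probability for s in severities)
    if total_p == 0:
        raise ValueError("at least one severity must have non-zero probability")
    return expected_loss_bn(severities) / total_p


# Major and extreme values are the page's; the severe-tier loss is NOT on the
# page and is a constructed placeholder used only to make the arithmetic visible.
SEVERITIES = [
    Severity("major",   2_200.0,  0.0332),   # page: $2.2trn, 3.32% (1-in-30-year)
    Severity("severe",  9_600.0,  0.0050),   # ASSUMED loss; page: 0.50% (1-in-200-year)
    Severity("extreme", 16_000.0, 0.0012),   # page: $16trn, 0.12% (1-in-1,000-year)
]


def summary(severities: list[Severity] = SEVERITIES) -> dict[str, float]:
    """Both headline figures, rounded to one decimal place ($bn)."""
    return {
        "expected_loss_bn": round(expected_loss_bn(severities), 1),
        "weighted_average_loss_bn": round(probability_weighted_loss_bn(severities), 1),
    }


if __name__ == "__main__":
    for key, value in summary().items():
        print(f"{key}: ${value:,.1f}bn")
```

With the placeholder severe-tier loss, the sum-product comes to about $140bn and the probability-weighted average to about $3.56trn, which is how the two headline numbers relate: the weighted average divides the same sum-product by the total probability across the tiers.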
The Lloyd’s market has access to write onshore insurance and reinsurance in over 100 countries, and the systemic risk tool has been created to reflect the market’s global access.
Lloyd’s scenario considers the events below (as well as some other non-listed attacks) as a precedent evidence base, but represents a significant escalation from any historic event:
- 2017, WannaCry: Following the public release, by the hacktivist unit known as ‘Shadow Brokers’, of several vulnerabilities identified by the US NSA, a piece of malware spread using the EternalBlue exploit, affecting all Windows operating systems supported at the time. The attack lasted only a few hours but affected more than 200,000 computers in more than 100 countries, leading to billions in damage. Major victims of the attack included the UK’s National Health Service, which was running unpatched Windows software.
- 2017, NotPetya: Also utilising the EternalBlue vulnerability, NotPetya overwhelmingly affected systems in Ukraine and Russia, with global damages amounting to around $10 billion. Severely affected was the shipping giant Maersk, which lost contact with half the servers in its network. A power outage in a Nigerian office protected a copy of the company’s Active Directory and allowed crucial data to be recovered.
- 2022, Albania DDoS attack: A distributed denial of service attack took place against Albanian government computer systems. Forensic analysis uncovered that disk-wiping malware was employed as well, extensively damaging Albania’s digital infrastructure. Another attack occurred a few months later, when Albania expelled the Iranian ambassador after the attacks were traced back to Iranian-sponsored cyber groups.
Physical cyber risk in a changing geopolitical landscape
The war in Ukraine is a stark reminder of how geopolitical risk can unfold, reshaping the risk landscape and revealing its truly interconnected nature. While cyber attackers can be state sponsored, aligned to central strategic prerogatives and used as asymmetric foreign policy tools, trends show a negative correlation between a state’s military activity and traceable coordinated cyber attacks.
The year 2022 can be characterised as one of the most challenging years in recent decades from social, financial and political points of view; the word “crisis” describes that twelve-month period better than ever.
For example, we have seen cyber attacks by Russia elsewhere decrease after the invasion of Ukraine. Understandably, as states divert more resources for conventional military action, less emphasis is placed on state asymmetric strategies, like cyber attacks, targeted at other regions.
The modelled data in this scenario reflects this trend, with geopolitically motivated action slightly bringing down the overall probability of small cyber attacks. However, the probability of a large, extremely disruptive, global and indiscriminate cyber attack may increase if major powers that are engaged in a military conflict rapidly begin to lose the conventional fight.
AUTHORS: The report has been produced by Lloyd’s Futureset and Cambridge Centre for Risk Studies