In the event of a massive cyberattack, the global economy could suffer a huge loss of $121 billion, which would be on par with costs incurred by devastating natural disasters such as hurricanes Katrina and Sandy, renowned insurance market Lloyd's of London said in a report on Monday.
Co-written with risk-modelling firm Cyence, the report examines the hypothetical losses from hacking of a cloud service provider combined with an attack on computer operating systems used by businesses across the world.
Lloyd's chief executive Inga Beale said the report gave a "real sense of the scale of damage a cyber-attack could cause the global economy".
Lloyd's estimated that the uninsured gap could be as high as $45bn for the cloud services scenario and $26bn for the vulnerability scenario, with the vast majority of economic losses not covered by insurance. "While digitisation is revolutionising business models and transforming daily lives, it is also making the global economy more vulnerable to cyber-attacks".
The insurance market has formed a partnership with Cyence, a firm specialising in analysing the economic impact of cyber risks, to urge companies and its own underwriting members to focus more on their potential losses.
However, Lloyd's said that the economic losses could be much lower or higher than the average in the scenarios because of the uncertainty around cyber-aggregation. Reuters notes most companies lack information frameworks they can rely on to assess their clients' risk profiles and make base assumptions, a significant problem for an industry which thrives on data.
"NotPetya" caused $850 million in economic costs, Cyence said.
The report's hypothetical cloud service provider attack involves hackers injecting malicious code created to trigger system crashes among victim systems a year later. The code spreads to its customers all over the world, including financial services companies, hotels, and other businesses.
The findings also reveal that, while demand for cyber insurance is increasing, the majority of these losses are not now insured, leaving an insurance gap of tens of billions of dollars.
The report's authors said businesses need to be aware of the "slow burn" costs of a cyber security incident, which can "dramatically increase" the final bill over time.
Lloyds has about one-quarter of the emerging area of cyber insurance and says risks are more hard to model than natural disasters due to the human element, which means underlying assumptions can change quickly.