Lloyds of London: Insure cyberattacks like natural disasters

Lloyds of London: Insure cyberattacks like natural disasters
© Greg Nash

Cybersecurity insurers have to become more prepared to treat global cyberattacks more like national disasters than traditional crimes, concludes a report from insurer Lloyd's of London.

In a report dated last week, the United Kingdom-based firm speculates about two hypothetical "cyber events" that could cause global damage cybersecurity insurance providers may not be prepared for. 


"In some other insurance classes insurers’ understanding of liability and risk aggregation is more developed. It is widely accepted, for example, that natural catastrophes can trigger multiple claims from multiple policyholders, dramatically increasing insurers’ claims costs," reads the report.  

"Natural catastrophe insurance policies usually take this into account and reinsurance is commonly used to reduce the impact of risk aggregation."

The report tabulates the potential damage caused by two types of attacks. In one, hackers disrupt cloud service providers. In a second, hackers get their hands on a vulnerability for an operating system used by 45 percent of the global market.

The latter example appears to be based on what happened in May with the WannaCry ransomware, which used vulnerabilities in Windows 7 and XP, operating systems that combine for approximately 45 percent market share. 

Lloyd's of London approximates that average cloud service events of varying severity range from $4.6 billion in total damages for a "large" attack to $53.1 billion for an "extreme" one. In the vulnerability example, the average costs range from $9.7 billion for a large event to $28.7 billion for an extreme one. 

The report notes that attacks fluctuate dramatically around that average — in the extreme cloud event that averaged $53.1 billion in damages, attacks might do as little as $15.6 billion or as much as $121.4 billion. 

Lloyd's notes that much of the damages would not be covered by insurance. Only around 15 percent of damages would be covered in the cloud example and 7 percent in the vulnerability example.