Report estimates major cyberattack could cost more than recovering from natural disasters

Report estimates major cyberattack could cost more than recovering from natural disasters
© iStockphoto

The cost of a major cyberattack on a critical major U.S. utility or service provider could equate to that of a natural disaster such as a hurricane, a report released Monday found.

The report, put together by experts from the Foundation for Defense of Democracies (FDD) and insurance group Intangic, used a risk-rating system developed by Intangic to estimate the impact of two types of disruptive cyberattacks.

The findings estimated that a three-day cyber disruption of a managed service provider giving IT services to hundreds of customers across a variety of critical fields could lead to an economic loss of almost $80 billion, more than the $65 billion cost of Hurricane Sandy in 2012. 


The losses would be even higher with an attack on a critical utility, such as regional electric utility, with Intangic estimating that a breach causing disruption to power for five days would cost an estimated $193.5 billion, more than the cost of 2005’s Hurricane Katrina and the 2018 California wildfires. 

“Cyber vulnerabilities pose a systemic risk to the U.S. economy,” the report reads.

The report was released on the heels of mounting cyberattacks on critical organizations.

A ransomware attack in May on Colonial Pipeline, which provides 45 percent of the East Coast’s fuel supply, forced the company to shut down the pipeline for almost a week, leading to gasoline shortages. A ransomware attack shortly after on JBS USA, the nation’s largest provider of beef, also disrupted a key food supply chain.

The FBI attributed both attacks to likely Russian-based cyber criminal groups. While the FBI assessed that the groups are not Kremlin-backed, concerns around Russia harboring cyber criminals was a topic of conversation between President BidenJoe BidenGOP report on COVID-19 origins homes in on lab leak theory READ: The .2 trillion Infrastructure Investment and Jobs Act Senators introduce bipartisan infrastructure bill in rare Sunday session MORE and Russian President Vladimir PutinVladimir Vladimirovich PutinIs Ukraine Putin's Taiwan? Democrats find a tax Republicans can support Biden officials pledge to confront cybersecurity challenges head-on MORE at their recent in-person summit in Switzerland.


Attacks on hospitals, health care systems, schools and government agencies have also spiked during the COVID-19 pandemic in the U.S. and around the world. These include the SolarWinds hack, which allowed Russian hackers to compromise nine U.S. government agencies and 100 private sector groups for a year. 

“Successful cyberattacks and ransomware against nearly every sector of the U.S. economy demonstrates to policymakers that the market has failed on its own to convince the private sector of the necessity of a minimum level of cyber hygiene,” Mark Montgomery, the senior director of FDD’s Center on Cyber and Technology Innovation, said in a statement Monday. 

“This paper provides policymakers with data that makes clear that government action is needed to fix this market failure,” he added. 

The report calls on Congress to approve a national breach notification law to force companies to require companies hit by a cyberattack, regardless of whether customer data was impacted, to report the breach. 

Lawmakers are looking at doing just that. A draft bill from Senate Intelligence Committee Chairman Mark WarnerMark Robert WarnerSenators introduce bipartisan infrastructure bill in rare Sunday session Optimism grows that infrastructure deal will get to Biden's desk Senate infrastructure talks spill over into rare Sunday session MORE (D-Va.), Vice Chairman Marco RubioMarco Antonio RubioSenate holds sleepy Saturday session as negotiators finalize infrastructure deal Break glass in case of emergency — but not for climate change Democrats join GOP in pressuring Biden over China, virus origins MORE (R-Fla.) and Sen. Susan CollinsSusan Margaret CollinsSchumer: Democrats 'on track' to pass bipartisan deal, .5T budget Sunday shows - Delta variant, infrastructure dominate Collins says negotiators are 'just about finished' with infrastructure bill MORE (R-Maine) includes language requiring federal agencies, federal contractors, and owners and operators of critical infrastructure to report cybersecurity incidents within 24 hours to the Cybersecurity and Infrastructure Security Agency.

Rubio told The Hill last week that the bill would likely be formally introduced “probably the first week” when the Senate returns from the July 4 recess.