A major global cyber attack could cost the worldwide economy 40 billion, with the damage being akin to a catastrophic natural disaster, according to a report by Lloyd's of London.
As much as 34 billion of that total cost may not be covered by cyber insurance policies, as many companies are underinsuring their systems, according to the report, seen by Reuters.
It is estimated that a major hack of cloud service providers and global business systems would significantly dwarf the extensive damage caused by the WannaCry attack, which resulted in a cost of roughly 6 billion globally.
The report estimated the hit on the economy from such an event could land between $15 billion (11 billion) and $121 billion (93 billion) - a wide range that the authors blamed on a lack of historical precedence and quantifiable data, leaving the insurers with a challenge as they tried to accurately forecast the potential fallout of a widespread cyber attack. However, when they ran tests they found the sum could cost between 11 billion and 40 billion ($53 billion).
"Because cyber is virtual, it is such a difficult task to understand how it will accumulate in a big event," said Lloyd's of London chief executive Inga Beale, speaking to Reuters.
As was the case with the WannaCry and NotPetya ransomware attacks this year, the real economic cost is likely to come from network downtime, supply chain disruption, and system repairs.
The report, which was co-written by risk analysis firm Cyence, found that the NotPetya ransomware, which spread from Ukraine to businesses around the world, caused $850 million worth of damage to the world economy.
In a modelling test, hackers were able to install malware in the systems of a cloud service provider, which would then lay dormant for a year before triggering. By that time, the malware could have easily spread among the provider's customers, including financial institutions and small businesses, the report claimed, resulting in widespread losses.
Average losses for a test that involved the hacking of operating systems were between 7.4 billion and 21 billion, according to the underwriter's report.
Insurance firm CFC Underwriting said last December that cyber insurance claims were exceeding one per day, up almost 78% on 2015. SMBs, with revenues below 50 million, were some of the worst affected, the company said, with almost half involving a data breach and financial loss of some kind.
Risk management firm Aon Plc found that companies around the world were deciding to forego taking out cyber insurance earlier this year, leaving them unable to deal with the effect of recent ransomware attacks. Nearly nine in 10 of the world's cyber insurance policies are held by US companies alone, Aon has stated.
