The likelihood of your house being broken into, or the cost of damage to your car, can be predicted with a fair amount of accuracy. Insurers, for example, will access past event data and police crime statistics.
Cyber risk, however, has no geographic boundaries and is so globally interwoven that predicting where and when an event will occur, and how much it would cost, is extremely difficult.
This was the challenge of a study, "Counting the Cost", commissioned by Lloyd's of London (LoL) insurance and Cyence, a risk modelling and cyber security firm. It describes the likely causes of a large scale cyber event, the direct economic costs, and the level of insurance that companies buy.
The primary purpose of the report was to provide LoL Underwriters, an institution that wrote £34 bln of premiums last year, with an assessment of their cumulative risk exposures. However, the report also provides useful insight for businesses of all kinds, including manufacturers, retailers and technology providers.
Outcome of the study
The extreme case scenario puts the cost of a cyber event at between US$53 bln and US$121 bln, exceeding the direct costs incurred from ‘9/11’. It poses the question as to who bears the cost if insurance policies cover just 7% to 17% of the direct losses.
The exercise mapped out two scenarios:
- A denial of service attack via the Cloud Service Providers
- A systemic software coding error, leading to hacking and consequential data breaches.
The calculations included losses such as:
- restoration of software and data
- investigation costs
- notification and credit monitoring
- claims from customers
- revenue shortfall
Not included within these calculations were long term reputational damage or a drop in share price.
The report noted that interdependency within the supply chain has a significant influence on the cost of a global event.
Bearing the cost
The UK Government deserves much credit for its contribution and significant investments into improving awareness and introducing minimum risk management standards for cyber risk.
Notwithstanding, if businesses are not transferring their risks to insurance, then how might they pay for a catastrophic loss? Could a widespread event lead to a taxpayer bailout, similar to what we saw during the 2008 financial crisis?
This is an issue being discussed at the highest levels between Government, business, and the insurance industry. Although this study helps to quantify cyber risk, it does not present the consequences of long-term reputational harm or share price fall. The problem also goes to the heart of an interconnected world that ultimately needs global cooperation towards cyber security standards and good quality insurance cover.