Analysis

A study aiming to raise the profile of cyber insurance claims that cloud outages and ransomware outbreaks on the WannaCry scale could cost companies $81.7bn – more than natural disasters like 2012's Hurricane Sandy. That's an awful lot of money, but wait – before you fish out the wallet – how did the authors arrive at these numbers?
Cyence, a cyber-risk analytics platform, and Lloyd's of London, the world's largest insurance market, said they "collaborated with a team of economic modellers and experts from the cybersecurity and cyber insurance industries" in the hope that their findings will move the industry as a whole toward a "standardised approach of measuring cyber risk".
The research process accounted for everything from commonly adopted technologies used across industries to non-technical factors that vary widely like people and processes. Additionally, underwriters from the Lloyd's Market Association participated in a series of workshops to provide feedback and identify implications for the emerging cyber insurance industry.
Cyence reckons global losses from WannaCrypt will come out at $8bn, compared to $850m from the NotPetya ransomware. Both outbreaks were enormously disruptive. However, Durex maker Reckitt Benckiser alone said it would take a $100m immediate hit from the combined effects of lost sales due to NotPetya and an Indian sales tax.
Considering that NotPetya also affected shipping giant Maersk, advertising colossus WPP and US couriers FedEx, losses of $850m look low while the WannaCry figures appear inflated. "I don't think there were more than 1m computers infected so this would mean an average cost of more than $8,000 per infected PC," said Martijn Grooten, editor of industry journal Virus Bulletin. "Even with a long tail of a small number of infections that cost a lot, I find this figure rather implausible."
Two months ago Cyence reportedly pegged WannaCry losses at $4bn, an estimate that had doubled by the end of May. Confusingly, Cyence itself suggested NotPetya might be bigger than WannaCry in the immediate aftermath of the attack earlier this month.
Estimating cyber losses is an inexact science, as El Reg has said before. How can anyone assess the global cost of cyber disruption when even individual victims are unsure about losses? The best you are going to get is an educated guesstimate dressed up as something definitive. Some experts argue it would be better for individual companies to focus on their own risk assessment.
David Emm, principal security researcher at Kaspersky Lab, commented: "These are big numbers, but they don't mean much unless terms such as 'serious cyber attack' are quantified. How can we assess the global cost of an attack? It could mean anything from a temporary interruption of service to the takeover of customer systems – with very different costs.
"It's important for companies to conduct their own risk assessment and develop a strategy that's designed to secure corporate systems and mitigate the risk of an attack on those systems."
Cyence and Lloyd's said the report was "designed to deepen insurers' and risk managers' understanding of cyber risk exposure to improve portfolio exposure management, set appropriate limits and expand confidently into this quickly growing line of insurance". Go figure. Lloyd's estimates the global cyber risk market is worth between $3bn and $3.5bn.
Protection against all threats is not a realistic goal, so more clued-up businesses are adopting a risk-mitigation approach that involves developing incident response capability as well as taking out cyber insurance.
The report ran the numbers on two devastating cyber calamities. In the first scenario, a group of "hacktivists" set out to disrupt cloud service providers' infrastructure to draw attention to the environmental impacts of cloud-based businesses. The group inserts a malicious modification to an infrastructure's code that can be exploited to trigger system-wide failures, leading to widespread service and business interruption. Cyence estimated global losses from such an event at $53bn in just two to three days.
In the second case, human error causes a zero-day vulnerability in widely used software to leak. Details are purchased on the dark web by criminals who develop exploits and target vulnerable businesses for financial gain. Cyence estimates losses from such an attack could work out at $28.7bn.
Only a small portion of these losses is currently insured, Cyence said. In the cloud services scenario, less than 20 per cent would be covered, while less than 10 per cent of the losses in the mass-vulnerability scenario would be covered.