Lloyd’s Insurance and Cyence have jointly produced Counting the cost: Cyber exposure decoded, a report designed to help insurance companies properly assess risks to big business in the ever-changing technological landscape.
While digitisation is revolutionising business models, it is also making the global economy more vulnerable to cyber-attacks. As a result, the economic and insurance consequences of cyber-crime are worsening. In 2016, cyber-attacks were estimated to cost businesses as much as $450 billion a year globally.
The report analyses six trends that contribute to digital vulnerability in the business community. These trends are:
1. Volume of contributors
The number of people developing software has steadily grown over the past three decades; each contributor could potentially add vulnerability to the system unintentionally through human error.
2. Volume of software
The amount of software in existence is constantly increasing. More code means the potential for more errors and therefore greater vulnerability.
3. Open-source software
The open-source movement has led to some great innovations. However, many open-source libraries are uploaded online without necessarily having been reviewed for functionality and security. Any errors in the primary code could then be copied unwittingly into subsequent iterations.
4. Old software
The longer software remains in wide use, the more time malicious actors have to find and exploit vulnerabilities. Many individuals and companies run obsolete software, even though more secure alternatives are available.
5. Multi-layered software
New software is typically built on top of prior software code. This makes software testing and correction very difficult.
6. “Generated” software
Code can be produced through automated processes that can be modified for malicious intent.
These trends help us to understand the growing vulnerabilities in the system. The report then uses two specific scenarios to quantify the wide variety of damages that can occur as a result of two different cyber events.
Scenario 1: Cloud service provider hack
A sophisticated group of “hacktivists” sets out to disrupt cloud-service providers and their customers to draw attention to the environmental impacts of business and the modern economy. With a malicious modification to software that controls the cloud infrastructure, many cloud-based customer servers fail, leading to widespread service and business interruption.
Scenario 2: Mass vulnerability attack
A hard copy of a report on a vulnerability that affects all versions of an operating system run by 45% of the global market is accidentally released, and makes its way to the dark web, where it is purchased by an undetermined number of unidentified criminal parties. They develop system exploits and begin attacking vulnerable businesses for financial gain.
This would be pretty scary stuff if these weren’t just scenarios. Nevertheless, they paint a realistic picture of potential catastrophe. In fact, the report’s findings suggest economic losses from cyber events have the potential to be as large as those caused by major hurricanes.
The scenarios show there is an insurance gap of up to $45 billion for the cloud services scenario, meaning that only up to 17% of the losses are covered.
The underinsurance gap is up to $26 billion for the mass vulnerability scenario, meaning that just 7% of economic losses are covered.
Compare these figures to the world’s ten costliest natural catastrophes by insured losses, which saw an average of 30% covered by insurance. Obviously, there is work to be done in this area.
Risk managers could use the two scenarios to see what impacts cyber-attacks could have on their core business processes, and then plan what actions they could take to mitigate these risks.
Want to see how the two scenarios pan out? Sorry, no spoilers here. If you want to read the full report, you can download it here.