Lloyd’s of London estimates that by the midpoint of the present century, there will be some sort of a cyber attack on a major payments system that causes rippling global damage to the tune of trillions of dollars. The insurer has developed several scenarios of varying likelihood, ranging from $2 trillion to $16 trillion in total damage. That’s a frightening prospect when you realize that the current cyber insurance industry is sitting on no more than about $9 billion in total.
This particular set of scenarios sees one of the world’s commonly used payments systems infected by malware of some sort, which then spreads to tens of thousands of downstream clients. With insurance insufficient to cover the damage, particularly in today’s very tight market, what can organizations do to prepare for this eventuality?
Most damage from a payments system attack would happen in first year
Whatever damage is done in this cyber attack scenario would mostly fall in the first year, with substantial costs continuing for about two years and complete recovery about five years after the fact. Given the present trajectory of the cyber insurance industry, organizations should anticipate that coverage will not handle most of the costs associated with a payments system breach.
Some relief might eventually come from a federal insurance plan for cybersecurity disasters considered to have potential to cripple the economy, something that has come under consideration since the Biden administration adopted its National Cybersecurity Strategy. There are no firm developments or timelines in that area just yet, however, leaving organizations to plan for mitigation themselves for at least the near future.
Security improvement is an obvious starting point, ranging from improved employee cyber hygiene to considering a zero trust environment. But that wouldn’t necessarily address other external costs, such as business interruption and supply chain disruptions, if a payments system were rendered unsafe or unavailable for some time. Internal security, backups and alternate procurement sources are all factors in this particular cyber attack scenario.
How likely are the Lloyd’s cyber attack scenarios?
A scenario that foresees $3.5 trillion in damage after a payments system attack is put forward as the weighted average of these several different possible outcomes, and given a 1-in-30 chance of happening. The worst possible scenario foresees $16 trillion in damage, but at just a 1-in-1,000 chance of happening.
All of this is at least somewhat arbitrary, but the key takeaway is that Lloyd’s projects that some sort of cyber attack of this nature, clocking in at trillions of dollars of damage, will happen by somewhere between 2050 and 2055. One might take the cynical view and assume that it is a ploy to sell insurance, but Lloyd’s freely admits that it simply does not have anywhere near enough insurance to sell to cover this kind of damage, and that is not going to change in the foreseeable future.
The theoretical cyber attack’s damage would be spread throughout the world, but “first world” advanced economies would bear most of it and those that are heavily reliant on e-commerce and services would be hit the hardest. The US would take nearly a third of the damage by itself in the weighted average scenario, and China and Japan would also be particularly hard-hit.