Economic losses from cyber events have the potential to be as large as those caused by major hurricanes; yet less than 20% of losses are covered by insurance, according to Lloyd's in a report released yesterday which was co-written with risk modelling firm Cyence.
The study, using scenarios to quantify potential damages, looked at the hypothetical hacking of a cloud service provider and cyber attacks on computer operating systems run by businesses worldwide.
For the cloud service disruption scenario in the report, these losses range from $4.6 billion for a large event to $53.1 billion for an extreme event; in the mass software vulnerability scenario, the losses range from $9.7 billion for a large event to $28.7 billion for an extreme event.
Cyber attacks have the potential to trigger billions of dollars of insured losses. For example, in the cloud services scenario insured losses range from $620 million for a large loss to $8.1 billion for an extreme loss. For the mass software vulnerability scenario, the insured losses range from $762 million (large loss) to $2.1 billion (extreme loss).
The scenarios show there is an insurance gap of between $4 billion (large loss) and $45 billion (extreme loss) in terms of the cloud services scenario – meaning that between 13% and 17% of the losses are covered, respectively. The underinsurance gap is between $8.9 billion (large loss) and $26.6 billion (extreme loss) for the mass vulnerability scenario – meaning that just 7% of economic losses are covered.
The report, which is designed to increase insurers’ and risk managers’ understanding of cyber risk liability and aggregation, says that insurers could benefit from thinking about cyber cover in these terms and make explicit allowance for aggregating cyber related catastrophes. To achieve this, data collection and quality is important, especially as cyber risks are constantly changing. For the insurance industry to capitalise on the growing cyber market, insurers would benefit from a deeper understanding of the potential tail risk implicit in cyber coverage.