Global cyber attack could spur S$166b in losses: Lloyd’s

SINGAPORE — A major global cyber attack could trigger up to US$121 billion (S$166 billion) in economic losses, Lloyd’s of London said in a report yesterday, surpassing losses from a catastrophic natural disaster such as Hurricane Sandy.

Mr Kent Chaplin, chief executive of Lloyd’s Asia-Pacific, said the potential economic impact poses significant implications for businesses in Singapore, with a recent survey among companies here showing that 91 per cent of respondents are only in their early stages of security preparedness.

“Technology has opened the door to a world of opportunity for businesses of all shapes and sizes, but it has also connected and exposed them to potential threats. This report shows the impact a single cyber attack can have as it ripples through the economy, resulting in potential economic losses similar to some of the world’s worst natural catastrophes.”

Hurricane Sandy, which hit the United States in 2012, is estimated to have resulted in about US$50 billion in economic losses.

The report, which the insurance giant co-wrote with risk-modelling firm Cyence, examined potential economic losses from the hypothetical hacking of a cloud service provider and cyber attacks on computer operating systems run by businesses worldwide. Average losses caused by the cloud service attack range from US$4.6 billion to US$53 billion, but the figure could be as high as US$121 billion in an extreme scenario, the report said.

As much as US$45 billion of that sum may not be covered by cyber policies due to companies underinsuring, it added. The failure of an operating system run by a large number of computers and businesses around the world could cause losses ranging from US$9.7 billion to US$28.7 billion, the report said.

Insurers are struggling to estimate their potential exposure to cyber-related losses amid mounting cyber risks and interest in cyber insurance. A lack of historical data on which insurers can base assumptions is a key challenge.

“Because cyber is virtual, it is such a difficult task to understand how it will accumulate in a big event,” Lloyd’s of London chief executive Inga Beale told Reuters.

Economic losses in the hypothetical cloud provider attack would dwarf the US$8 billion global cost of the WannaCry attack in May, which hit more than 100 countries, according to Cyence.

In Singapore, about 500 Internet Protocol addresses were affected by the WannaCry ransomware, which is malicious software that takes over a computer and prevents users from accessing data until a ransom is paid.

“Recent malware attacks only highlight the urgency for companies to mitigate against cyber risks. Asia is particularly vulnerable, given its dynamic digital transformation … The (Singapore) Government’s proposed Cyber Security Bill reinforces the need for policymakers and businesses to work hand-in-hand to safeguard against this growing threat,” said Mr Chaplin.

Last month, an attack of a virus dubbed “NotPetya” spread from Ukraine to businesses around the globe, encrypting data on infected machines and rendering them inoperable at ports, law firms and factories. No critical information infrastructure in Singapore was hit, but some businesses suffered disruptions as employees made alternative work arrangements — such as logging off from company servers and working remotely — as a precaution. “NotPetya” resulted in US$850 million in economic losses globally, Cyence said.

In the hypothetical cloud service attack in the Lloyd’s-Cyence scenario, hackers inserted malicious code into a cloud provider’s software designed to trigger system crashes among users a year later.

By then, the malware would have spread among the provider’s customers, from financial services companies to hotels, causing all to lose income and incur other expenses. WITH AGENCIES