Lloyd’s of London finds hypothetical cyberattack could cost world economy $3.5 trillion

Insurance giant Lloyd’s of London has warned that the global economy could lose $3.5 trillion as a result of a major cyberattack targeting payment systems.

The hypothetical scenario — modeled by the insurance marketplace alongside the Cambridge Centre for Risk Studies — is not considered likely. The researchers suggested it had roughly a 3.3% chance of happening, which it extended to a 1-in-30-year probability.

The British government has also previously conducted research into the likelihood of a cyberattack on the financial system and found a catastrophic incident unlikely. In its National Risk Register, the worst-case scenario of an attack on financial market infrastructure was modeled as an attack against a single network and was only considered to have a “remote chance” of occurring within a limited forecast period.

In the government’s scenario, the attack would have a significant impact on the financial system, including on the processing of financial transactions, potentially causing people to lose confidence in both the availability and integrity of financial data and the financial system as a whole.

In contrast, Lloyd’s incident would involve several separate hypothetical and unprecedented cyberattacks all taking place at once, impacting the multiple independent systems that comprise financial market infrastructure overseen by various organizations.

In its research scenario, Lloyd’s said: “Attackers plant malicious code in critical pieces of software used by the financial services industry to confirm transactions and verify payments during routine software updates. The update is sent to tens of thousands of partner and customer networks, infiltrating them at the same time.”

This then allows the attackers to create “a back door allowing hackers to initiate a major breach, meaning that customers cannot pay for goods and services; banks can’t clear payments; and inter-bank lending grinds to a halt.”

Despite having just established that banks cannot clear payments, Lloyd’s then warns: “By scrambling the data now in their possession, hackers can divert funds to a network of accounts under their control. Lying undiscovered for months, it takes yet more time to repair the damage and discover further breaches.”

The insurance giant then describes how response teams are so busy chasing down the attackers that they are distracted from other work, and that business is impacted by a drop in confidence in financial institutions and new regulations.

The research explores “hypothetical (but plausible)” scenarios, finding that on average such a global attack could lead to a $3.5 trillion drop in gross domestic product over a five-year period, with the United States the worst hit, followed by China and Japan.

As the company acknowledges, the kinds of effects its research describes “represent highly sophisticated and novel attacks which have never been seen.”

Bruce Carnegie-Brown, Lloyd’s chairman, said: “We are committed to building resilience around systemic risk and the risk scenario released today highlights the important role of insurance in supporting and protecting customers against the potential threat cyber poses to businesses and society.

“The global interconnectedness of cyber means it is too substantial a risk for one sector to face alone and therefore we must continue to share knowledge, expertise and innovative ideas across government, industry and the insurance market to ensure we build society’s resilience against the potential scale of this risk.”

The cyber insurance market was upended in 2017 following the wildfire of the NotPetya attack initially targeting Ukraine — when much of the market began to worry about whether the war exclusions in their policies were fit for purpose.

Mondelez International and Zurich American Insurance reached a settlement last year in their multi-year legal battle over the food company’s $100 million claim regarding damage from that attack. Similar claims are ongoing.

In the wake of this, Lloyd’s led a controversial effort to revamp those exclusions for a solution that balanced the needs of customers and the insurance market. In March, it warned that these updated exclusions could hit its profits.