Leading insurer Lloyd’s of London has issued a dire warning about a potential cyber attack scenario on one of the world’s major payments systems, estimating that the global cost would total about $3.5 trillion and that much of the recovery cost would not be covered by insurance policies.
The Lloyd’s scenario imagines a successful malware attack on widely used transaction-processing software, which then spreads downstream to infect potentially tens of thousands of partner payment networks. The financial damage would be spread over a five-year period, with the United States alone bearing almost a third of the cost.
Lloyd’s cyber attack scenarios are low probability, but would cause mass chaos if successful
The estimate carries weight because the Lloyd’s market, some 50 managing agents, 380 brokers and thousands of local coverholders, collectively writes about 20% of global cyber insurance premiums.
For a sense of scale, the global cyber insurance market is currently estimated at about $7 billion to $9 billion in annual premiums, depending on the source, and is projected to grow to about $25 billion within the next two years. Even the most modest of Lloyd’s payments system cyber attack scenarios puts the global loss at $2.3 trillion, spread over several years.
The $3.5 trillion loss scenario would play out over five years, with the US absorbing $1.1 trillion of that cost. China and Japan would be among the harder-hit countries, at $470 billion and $200 billion respectively. On average the world’s advanced economies would be looking at losses of around $100 billion, with those most reliant on the service economy and e-commerce being the hardest hit.
Lloyd’s does acknowledge that the risk of a payments system “doomsday scenario” is relatively low. The $3.5 trillion figure is a weighted average across several different scenarios and is the one Lloyd’s treats as the most plausible to plan around, but it carries only a projected 1-in-30 chance of occurring in any given year. The worst case considered, a $16 trillion global loss, was given a 1-in-1,000 chance.
When talking about payments systems, the major card networks such as Visa and Mastercard naturally spring to mind, along with PayPal and similar online processors. But this scenario could also unfold through a cyber attack on a large enough bank payment platform, such as Chase Paymentech, or on a large merchant services provider such as Fiserv. Malware could likewise spread through widely used and interconnected accounting software such as the Intuit family of products, or through a payments hardware and software vendor such as ACI Worldwide. Taking down a critical enough payment network would disrupt a huge range of industries and supply chain relationships, with additional longer-term costs from reduced productivity and decreased consumer confidence.
Payments system infection would cause immediate, acute damage
Though there is no substantial immediate risk, Lloyd’s does project that a widespread payments system malware event of this nature is likely to occur by 2050. The financial damage would be worst in the first year, followed by a recovery period extending into the third year after the cyber attack and relatively minimal ongoing costs for about two years after that.
It is impossible to project cyber insurance market developments three decades out, but the market is presently in a sustained contraction that is not expected to reverse for at least a couple of years. Some insurers are warning customers that certain types of cyber attack should now be considered uninsurable, and full coverage for attacks is increasingly difficult, and sometimes impossible, to obtain. This is particularly true of ransomware, which is very likely to feature in an attack on a payments system: some providers have simply stopped covering ransomware at all, and many others now refuse to cover ransom payments and limit which cleanup costs and business interruption losses they will pay for.
In recent months, the insurance industry and lawmakers have begun discussing some form of federal backstop to keep the economy from being destabilized after particularly large and far-reaching attacks, such as the payments system hypothetical put forward by Lloyd’s. There is no clear path to this as yet, but such a backstop might mirror the existing programs that kick in after particularly severe natural disasters. The idea was put forward earlier in the year as a component of the Biden administration’s National Cybersecurity Strategy, but the plan at present only calls for “exploration” of the concept.
In the meantime, Lloyd’s offers some suggestions for organizations that struggle to obtain (or simply cannot obtain) adequate cyber insurance coverage. These include a renewed focus on keeping up with software updates and patches, implementing a zero trust identity and access framework, ensuring business continuity plans account for catastrophic disruption to any payments systems the organization depends on, supporting legislation that requires early reporting of serious cyber attacks, and maintaining backups across multiple cloud providers so that no single compromise can reach all copies.
Tom Kellermann, SVP of Cyber Strategy at Contrast Security, sums it up: “Systemic destructive cyberattacks would indeed create such a catastrophe. As we see geopolitical tension manifest in cyberspace, institutions must be vigilant and invest heavily in cybersecurity.”