Could losses of $53 billion, or even more, really result from a cyber attack?

We’ve long used the analogy of illness when it comes to computer viruses, but we may have been reaching for the wrong metaphor: Perhaps we should be looking at storms and hurricanes.

A recent Lloyd’s report notes that a big data breach could cost more than major natural catastrophes such as Hurricane Sandy, which decimated the East Coast of the United States in 2012. In all, losses for an “extreme event” could add up to as much as $121.4 billion (or as little as $15.6 billion), according to the Lloyd’s report, with an average projection of $53 billion.

Hurricane Sandy is estimated to have cost $50 billion.

The chink in the Cloud

Such figures seem implausibly precise (with the potential losses apparently given with a 95% confidence range), but are they implausibly large?

On the one hand, any IT-related loss that cost more than the GDP of many countries would certainly be an extreme event by any definition. It would take a particular type of attack to start to rack up those sorts of losses.

The report reflects this, though. It puts more modest – but still massive – numbers on potential losses for different types of attack: just (if that’s the right word) $28.7 billion for a mass software vulnerability in an extreme scenario, for example. That’s still very large (bear in mind the Heartbleed vulnerability is estimated to have cost $500 million); but it’s much less than $121 billion.

Instead, that top-end figure is reserved for a cloud service disruption. As the report notes, that’s a market that has seen widespread adoption (with McAfee estimating that 93% of organisations use Cloud services in some form). It’s also one that’s heavily concentrated in the hands of a few big players: Amazon has an astonishing 31% market share of cloud infrastructure services; Microsoft accounts for another 11% of the market.

A crippling attack – one that took perhaps two to three days to resolve – on one of these players would rapidly rack up losses across the Cloud service providers, the Cloud service’s customers, their customers and everyone else reliant on the Cloud.

The cost of connectivity

This extreme scenario remains theoretical, but recent attacks have provided ample evidence of how rapidly attacks and vulnerabilities can spread. The WannaCry ransomware (not specifically targeting the Cloud) quickly spread across the globe, affecting the NHS, along with other victims. Petya could cost ten times more.

Lloyd’s has also warned that it’s the “slow burn” costs that can ultimately prove the most damaging. “The reputational fallout from a cyber breach is what kills modern businesses,” as its chief executive Inga Beale put it.

Consider the impact on couriers TNT Express, for instance – still affected by NotPetya a month after it was struck. Some of its data loss is permanent, it has conceded.

It’s this mix of the debilitating nature of some modern attacks and the interconnectivity of systems, which lets the effects ripple out ever wider, that makes Lloyd’s scenario plausible.

Unrealistically precise? Possibly. But are Lloyd’s estimates implausibly large? Unfortunately, they’re only too believable.