Cyber attack on US power grid could cost $1 trillion, says Lloyd’s study

Steve Rogerson
July 28, 2015
 
A cyber attack on the US power grid could cost the country’s economy up to $1tn according to a study by insurance market Lloyd’s of London and the University of Cambridge’s Centre for Risk Studies.
 
The report – Business Blackout – examines the insurance implications of a major cyber attack, using the US power grid as an example.
 
It depicts a scenario where hackers shut down parts of the US power grid, plunging 15 US states and Washington DC into darkness and leaving 93 million people without power. Experts predict it would result in a rise in mortality rates as health and safety systems fail; a decline in trade as ports shut down; disruption to water supplies as electric pumps fail; and chaos to transport networks as infrastructure collapses.
 
The total impact to the US economy is estimated at $243bn, rising to more than $1tn in the most extreme version of the scenario. The cyber attack scenario shows the broad range of claims that could be triggered by disruption to the US power grid, with the total amount of claims paid by the insurance industry estimated at $21.4bn, rising to $71.1bn in the most extreme version.
 
“This scenario shows the huge impact and havoc that could result from a major cyber attack on the USA,” said Tom Bolt, director of performance management at Lloyd’s. “The reality is that the modern, digital and interconnected world creates the conditions for significant damage, and we know there are hostile actors with the skills and desire to cause harm. As insurers, we need to think about these sorts of complex and interconnected risks and ensure that we provide innovative and comprehensive cyber insurance to protect businesses and governments. This type of insurance has the potential to be a valuable tool for enhancing the management of, and resilience to, cyber risk.”
 
He said governments also had a role to play. “We need them to help share data, so we are able to accurately assess risk and protect businesses,” he said.
 
Lloyd’s has been working with the UK government and other insurers to develop London as a global centre for cyber risk management. The insurer produced this report to help underwriters operating in the Lloyd’s market identify these previously unconsidered cyber attack impacts on insurance and risk.
 
The situation described in the report is relevant to stress and scenario testing required under the Solvency II framework: although unlikely, it represents a class of events with a probability thought to be well within the benchmark return period of 1:200 years against which insurers must be resilient.
 
The insurer stressed this was not a prediction, rather an exploration of what might happen based on past events and scientific, social and economic theory. In a world of emerging risk, it said, it is not possible to achieve certainty regarding the nature and scale of threats faced by insurers – as such the insurance industry must be resilient to uncertainty.
 
President Obama raised the prospect of cyber attacks on the US power grid in his State of the Union address in February 2013 when he said: “America must also face the rapidly growing threat from cyber attacks. We know hackers steal people’s identities and infiltrate private email. We know foreign countries and companies swipe our corporate secrets. Now our enemies are also seeking the ability to sabotage our power grid, our financial institutions and our air traffic control systems. We cannot look back years from now and wonder why we did nothing in the face of real threats to our security and our economy.”