A study from Lloyd’s of London said a cyber attack on U.S. cloud service providers could result in up to $3.5 billion in insured losses for the retail and wholesale trade sectors.
Specifically, a cyber incident that takes down a top-three cloud service provider in the U.S. for between three to six days would results in a loss of at least $1.4 billion for the retail and wholesale trade industry, and up to $3.5 billion.
The study concluded that organizations on average would face economic losses of up to $19 billion, with the overall manufacturing sector seeing direct economic losses of up to $8.9 billion. It also concluded that Fortune 1000 companies would carry 38 percent of economic losses and 46 percent of insured losses. The retail and wholesale sector, as well as the general manufacturing industry, are considered the top two areas that would be most affected by a cyber attack on a cloud service provider.
The study focused on e-business interruption costs that were modeled using data from the U.S. Census bureau. It included costs from e-commerce sales, e-shipments, m-commerce sales and electronic order management systems. The results were based on the top 15 cloud providers in the U.S., which the report said accounted for a 70 percent market share.
The study considered four key areas of threat sources: Structural, such as failure of file servers, networking devices or loss of power; accidental, such as human errors; adversarial, such as intentional stoppage by a malicious insider or denial of service attacks, and environmental, such as flooding, lightning strikes and bombing of data centers by terrorists or some other intentional destruction, such as of power grids that serve a data center. Further, the scenarios used to assess recovery time presume that the service provider goes down in its entirety in all regions. Moreover, the recovery schedule assumes the requisite time to diagnose the cause, come up with a mitigation plan, and then execute the plan.
The conclusions from the study also noted that companies are shifting from a “build” to a “consumer” paradigm for the information technology needs, a factor that has been a driver of the increasing adoption of cloud computing services. It noted at McKinsey & Co. report from 2015 noting that 77 percent of companies used traditionally built IT infrastructure, with computers and servers set up on the premises, although the Lloyd’s of London study expects that percentage to drop to 43 percent in 2018.
Lloyd’s conducted the study in partnership with AIR Worldwide, with the goal of initiating discussions on how to create an insurance sector that better addresses systemic cyber risk.