CybersecurityDowntime of a top cloud service provider could cost U.S. economy $15 billion

Businesses in the United States could lose $15 billion if a leading cloud service provider would experience a downtime of at least three days.

Lloyd’s, in partnership with the risk modeler, AIR Worldwide, on Tuesday released a new report, Cloud Down: The impacts on the U.S. economy, which analyzes the financial impact of the failure of a leading cloud provider in the United States.

The report analyzes losses for 12.4 million U.S. organizations and proposes an alternative approach to help insurers model these risks, which are typically harder to assess than other perils like natural disasters due to the complex and highly interconnected nature of the digital world.

Lloyd’s says that the report found that companies outside of the Fortune 1000 – which are more likely to use cloud provider services – would carry a larger share of the economic and insurance losses than Fortune 1000 companies. However, the biggest 1000 companies in the US would still carry 38 percent of economic losses.

Key report findings include:

· An extreme cyber incident that takes a top cloud provider offline in the United States for 3 to 6 days would result in economic losses of $15 billion and up to $3 billion in insured losses.

· Businesses outside the Fortune 1000 would carry 63 percent share of economic losses and 57 percent of insured losses – indicating that they are at the highest risk.

· Fortune 1000 companies would carry 37 percent of economic losses and 43 percent of insured losses.

· Like any model result, these figures have uncertainty and AIR estimate a 95 percent confidence interval of $11 – $19 billion around the central estimate of $15 billion.

· If a top cloud provider went down:

- Manufacturing would see direct economic losses of $8.6 billion;
- Wholesale and retail trade sectors would see economic losses of $3.6 billion;
- Information sectors would see economic losses of $847 million;
- Finance and insurance sectors would see economic losses of $447 million;
- Transportation and warehousing sectors would see economic losses of $439 million.

Trevor Maynard, Head of Innovation at Lloyd’s, said: “This report provides a detailed picture of the costs to the U.S. economy as a result of a cloud service provider failure. Clouds can fail or be brought down in many ways – ranging from malicious attacks by terrorists to lighting strikes, flooding or simply a mundane error by an employee. Whatever the cause, it is important for businesses to quantify the risks they are exposed to as failure to do so will not only lead to financial losses but also potentially loss of  customers and reputation.”

Lloyd’s notes that its previous research with KPMG and DAC Beachcroft has shown that services firms are particularly vulnerable to the reputational impacts of a cyberattack where service disruption can have an immediate effect on clients, leading to customer churn, loss of competitive advantage and loss of revenue.”

Scott Stransky, assistant vice president and principal scientist at AIR Worldwide, added: “A major cloud failure would significantly impact the insurance industry, and our research has shown that such an event is plausible. The findings from this report show that while the cyber insurance industry is growing, there’s still a significant gap in cyber coverage. We hope the report will help raise awareness across the industry as to how significant losses could be, how likely they are, and provide an opportunity for insurers to better understand and manage cyber risk. With proper models such as AIR’s, the industry will be able to grow the market by confidently writing more cyber policies. The goal is to make insurers and all organizations that rely upon cyber insurance more resilient if the cloud does go down.”

— Read more in Cloud down: Discover the impact of a major cloud outage on the U.S. economy (Lloyd’s, 23 January 2018); see also:Counting the cost:Cyber exposure decoded. Introducing two scenarios to help insurers quantify cyber-risk aggregation (Lloyd’s, 10 July 2017); and Business Blackout (Lloyd’s, 6 July 2015)