A cyber attack on the U.S. power grid in the Northeast would have far-reaching implications including the loss of lives, economic losses of as much as a trillion dollars, the disruption of water supplies and transportation, and potentially more than $70 billion in insurance claims, in addition to millions of citizens left without power.
In a new report, Business Blackout, Lloyd’s of London and the University of Cambridge’s Centre for Risk Studies examine the economic and insurance implications of a major cyber attack, using the U.S. power grid as an example.
The report depicts a scenario where hackers destabilize parts of the U.S. power grid, plunging 15 U.S. states and Washington D.C. into darkness and leaving 93 million people without power.
Experts predict this scenario would result in a rise in mortality rates as health and safety systems fail; a decline in trade as ports shut down; disruption to water supplies as electric pumps fail; and chaos to transport networks as infrastructure collapses.
The total impact to the U.S. economy is estimated at $243 billion, but economic losses could top $1 trillion in the most extreme version of the scenario.
Economic impacts include direct damage to assets and infrastructure, decline in sales revenue to electricity supply companies, loss of sales revenue to business and disruption to the supply chain, according to the report.
The cyber attack scenario shows the broad range of insurance claims that could be triggered by disruption to the U.S. power grid, with the total amount of claims paid by the insurance industry estimated at $21.4 billion, a figure that the report says could rise to $71.1 billion in the most extreme version of the scenario.
The report estimates that commercial property, energy and cyber insurance lines would suffer the most losses but predicts losses in many lines: cyber (standard data breaches advanced property); property insurance (including homeowners, personal contents, commercial and construction); casualty insurance (including workers’ compensation, directors and officers, errors and omissions, financial lines, healthcare liability and professional lines); marine and cargo insurance; aerospace; energy; specialty lines including accident and health, aquaculture, equine and surety; war and political risk (including kidnap and ransom and product recalls); agriculture (crop, livestock, forestry and agriculture); and life and health insurance.
At the same time, it estimates claims would decrease somewhat in both personal and commercial auto insurance.
In the scenario described in the report, a piece of malware infects electricity generation control rooms in parts of the Northeastern states. When triggered, it forces 50 generators to overload and burn out. This temporarily destabilizes the regional grid and causes some sustained outages. While power is restored to some areas within 24 hours, other parts of the region remain without electricity for a number of weeks.
“This scenario shows the huge impact and havoc that could result from a major cyber attack on the US. The reality is that the modern, digital, and interconnected world creates the conditions for significant damage, and we know there are hostile actors with the skills and desire to cause harm,” said Tom Bolt, director of performance management at Lloyd’s.
“As insurers, we need to think about these sorts of complex and interconnected risks and ensure that we provide innovative and comprehensive cyber insurance to protect businesses and governments. This type of insurance has the potential to be a valuable tool for enhancing the management of, and resilience to, cyber risk.”
Bolt said governments also have a role to play. “We need them to help share data, so we are able to accurately assess risk and protect businesses,” he said.
In his introduction to the report, Bolt said responding to these challenges will demand collaborations harnessing insurers’ multidisciplinary expertise. Insurers will need to enhance the quality of data available and to continue the development of probabilistic modelling for cyber risk, he said, which will require the sharing of cyber attack data and pooling of claims information.