Insurance giant Lloyd’s of London has warned that the global economy could lose $3.5 trillion as a result of a major cyberattack targeting payment systems.
The hypothetical scenario — modeled by the insurance marketplace alongside the Cambridge Centre for Risk Studies — is not considered likely. The researchers suggested it had roughly a 3.3% chance of happening, which it extended to a 1-in-30-year probability.
The British government has also previously conducted research into the likelihood of a cyberattack on the financial system and found a catastrophic incident unlikely. In its National Risk Register, the worst-case scenario of an attack on financial market infrastructure was modeled as an attack against a single network and was only considered to have a “remote chance” of occurring within a limited forecast period.
In the government’s scenario, the attack would have a significant impact on the financial system, including on the processing of financial transactions, potentially causing people to lose confidence in both the availability and integrity of financial data and the financial system as a whole.
In contrast, Lloyd’s incident would involve several separate hypothetical and unprecedented cyberattacks all taking place at once, impacting the multiple independent systems that comprise financial market infrastructure overseen by various organizations.
In its research scenario, Lloyd’s said: “Attackers plant malicious code in critical pieces of software used by the financial services industry to confirm transactions and verify payments during routine software updates. The update is sent to tens of thousands of partner and customer networks, infiltrating them at the same time.”
This then allows the attackers to create “a back door allowing hackers to initiate a major breach, meaning that customers cannot pay for goods and services; banks can’t clear payments; and inter-bank lending grinds to a halt.”
Despite having just established that banks cannot clear payments, Lloyd’s then warns: “By scrambling the data now in their possession, hackers can divert funds to a network of accounts under their control. Lying undiscovered for months, it takes yet more time to repair the damage and discover further breaches.”
The insurance giant then describes how response teams are so busy chasing down the attackers that they are distracted from other work, and that business is impacted by a drop in confidence in financial institutions and new regulations.
The research explores “hypothetical (but plausible)” scenarios, finding that on average such a global attack could lead to a $3.5 trillion drop in gross domestic product over a five-year period, with the United States the worst hit, followed by China and Japan.
As the company acknowledges, the kinds of effects its research describes “represent highly sophisticated and novel attacks which have never been seen.”