A major international cyber attack could cause an average of $53 billion (£40 billion) of economic damage, according to new research from Lloyd’s of London.
The report, which looked at the potential consequences of attacks on cloud service providers and operating systems, compared the fallout to that of a natural disaster.
The costs factored in included money spent repairing the affected computers as well as money lost due to the disruption a cyber attack causes to business processes, Reuters reported.
The total figure could range between $4.6 billion (£3.5 billion) and $121 billion (£93 billion) depending on the severity of an attack, the report’s authors calculated.
They said that up to $45 billion (£34 billion) of the damage caused by a severe attack may not be covered by cyber insurance policies because firms are under-insured.
Lloyd’s recently published another report that suggested businesses are underestimating the threat posed by cyber crime and the potential damage of breaches.
It said that while 92 per cent of firms had experienced some kind of breach in the last five years, only 42 per cent were worried that it could happen again in future.
The report’s authors said businesses need to be aware of the “slow burn” costs of a cyber security incident, which can “dramatically increase” the final bill over time.
They noted that this will be exacerbated in coming years with the introduction of new rules and penalties under the European Union’s General Data Protection Regulation and cyber breach victims’ increasing willingness to sue organisations that have lost their data.
“Cyber risk has moved up in the business agenda and businesses are taking measures to prepare themselves,” said Matthew Martindale, a cyber security practice director at KPMG. “However, they are failing to factor in the long-term damage that a breach can cause and the cost implications of it.
“Dealing with things like reputational issues and litigation in the aftermath of a breach can add substantial costs to the overall loss. Businesses really need to start thinking about the cyber risk holistically rather than one that is currently very short-sighted.”