A very small number of email service providers are offering their services to hundreds of thousands of organisations of all sizes in the UK and any prolonged downtime suffered by any of these email services because of cyber attacks could cost organisations billions of pounds in a matter of days.
This warning has been issued by predictive cyber risk modelling firm Kovrr, which demonstrated in a detailed analysis that downtime suffered by popular email service providers could cost the UK heavily in terms of both economic losses and insured losses.
In its attempt at modelling a cyber catastrophe, Kovrr noted that the £12 trillion global economy is heavily reliant on over 290 billion email messages sent worldwide by over 150 million organisations every single day. That such a large number of emails are exchanged every day indicates that email today serves as the backbone of communications between sellers, buyers, governments, and trading enterprises.
Global economy reliant on a few email service providers
While the fact that every single business entity is nowadays using email communications to communicate with others is great for quick and effective exchange of goods, services, invoices, and other information, what's worrying is that a very small number of email service providers are offering their services to millions of organisations. Principal among these providers are Microsoft, Google, and Rackspace.
Such being the case, Kovrr noted that if any of these email service providers were to suffer a prolonged outage as a result of a cyber attack, it could pose a potentially disastrous risk to a large number of organisations, resulting in a substantial financial impact. It could also result in critical data belonging to organisations being held hostage, altered or destroyed forever.
Using a predictive modelling platform, Kovrr demonstrated that if a large-scale DDoS attack using millions of hijacked IoT devices were targeted at a major email service provider, it could result in the provider's core services being unavailable to its client base, resulting in a cyber catastrophe.
Next cyber catastrophe could bankrupt cyber insurers
If the DDoS attack results in a three-day email service outage, all organisations that use the services of the affected provider could suffer combined financial losses of up to £35 billion. It could also result in a "ground up" loss of £3.87 billion and inflict losses of up to £2.57 billion on cyber insurers as well.
This estimation is very similar to the actual losses suffered by insurers as well as the entire UK economy during the global financial crisis that lasted over two years between 2007 and 2009. In that period, the average UK household lost 20 percent of its value and real estate transactions plunged as a result.
According to Kovrr, insurance companies suffered £3.8 billion in losses during the 2007 property crisis and it served as a watershed moment for the UK insurance industry with insurers taking a number of initiatives aimed at better managing property flood risk.
Similarly, cyber insurance firms should take impending cyber catastrophes into account, curate their cyber insurance products, and take initiatives to accurately assess, quantify and stress test their exposure to potential catastrophic events within their portfolios.
"Allowing the insurer to implement an underwriting and exposure management strategy based on a constant flow of real-time data rather than on top-down assumptions alone. Enhanced management of such accumulations will enable exposure managers and catastrophe modelers to improve underwriting accuracy and better manage potentially catastrophic events," the firm said.
"Understanding the adherence of the supervised carriers to regulatory requirements allows reinsurance and insurance companies to better communicate how they manage risk, by the stress tests conducted on their portfolios. This is especially true in regulatory environments such as the one in the UK where there are concerns about the potential effects of a cyber catastrophe that may lead to payouts in excess of a 1:250 years event," it added.