Cascading Risk: The Lloyds “Business Blackout” Report

In early July, Lloyds published “Business Blackout: The insurance implications of an cyber attack on the US power grid”, a study of the financial impact of a hypothetical electric grid failure scenario in the US. Developed jointly with the University of Cambridge Center for Risk Studies, it is an very important report not only for anyone concerned about cyber attacks on electric grids, but also for anyone interested in understanding the impact of cyber threats.












(image from Lloyd’s “Business Blackout” report)

The report describes “the hypothetical scenario of an electricity blackout that plunges 15 US states including New York City and Washington DC into darkness and leaves 93 million people without power.” The report goes on to say that this scenario, which the report calls the Erebos Cyber Blackout Scenario, “while improbable, is technologically possible and is assessed to be within the benchmark return period of 1:200 against which insurers must be resilient.” That is, the risk of such an attack, primarily as a result of its massive impact, requires insurers, in Lloyd’s view, to attempt to understand and quantify such a scenario, shown in the figure below from the report.










(image from Lloyd’s “Business Blackout” report)

The report does not attempt to compute the probability of this or other scenarios. Rather, it shows how the financial impact of such a scenario cascades across a broad range of domains: “The report is not a prediction and it is not aimed at highlighting particular vulnerabilities in critical national infrastructure. Rather, the scenario is designed to challenge assumptions of practitioners in the insurance industry and highlight issues that may need addressing in order to be better prepared for these types of events.” And challenge assumptions it does, especially assumptions regarding the potential impact of cyber attacks, the adequacy of existing information and models for understanding that impact, and the similarity of cyber attacks to natural disasters (from an insurer’s perspective).

For example, the scenario shows clearly that a major cyber attacks can have cascading effects that trigger much greater economic losses than just the power outage or electric infrastructure damage. It shows that both the magnitude and availability information required to understand cyber attack scenarios is a major challenge. And it clarifies key differences between a cyber attack and a natural disaster, especially the contrast between understanding natural disasters based on historical information (including deriving predictive models from that information) versus needing such tools attack modeling, shared threat intelligence and understanding of attacker motivations, resources and organizations.











(image from Lloyd’s “Business Blackout” report)

In our SPARKS project, we are doing significant work on deeper understanding of cyber attack scenarios and their impact on electric grids, using the EPRI NESCOR electric grid failure scenarios and impact analysis as a major resource. The Lloyd’s report is a very valuable addition to those and other resources that help us understand and respond to the cyber threats that we all face.