Feature

The Economic Impact of Extreme Cyber Risks

By Martin Eling

From ransomware outbreaks to multisector IT failures, the framework outlined in the article estimates potential losses from extreme cyber events and shows why insurers, risk managers, and policymakers must act before these disruptions set off a chain reaction across the economy.

On the morning of May 12, 2017, doctors and nurses in the United Kingdom’s National Health Service turned on their computers to find an ominous red screen: Your files have been encrypted. Pay $300 in bitcoin to recover them. Across 150 countries, the same ransomware—WannaCry—was spreading like digital wildfire, crippling hospitals, banks, transport providers, and other companies across the world. Within hours, surgeries were canceled, trains were delayed, and entire organizations were forced offline.

The total bill for WannaCry was estimated at around $8 billion, according to a 2019 Harvard Business Review article “Sizing Up Your Cyberrisks”—and it could have been far worse. Imagine if the ransomware had spread just a bit faster or hit a broader range of systems. What if it had struck not just a few organizations, but the core infrastructure of multiple sectors at once?

That is the uncomfortable question at the heart of our research. Cyberattacks are no longer rare, isolated events—they are an ongoing feature of our interconnected economy. But while we have plenty of headlines about data breaches and ransomware, we have far less reliable information on the potential economic damage of truly extreme cyber incidents—and even less on how those losses might compare across different types of scenarios.


Why This Matters for Actuaries

Model systemic exposure: Cyber events can cascade across sectors, making it essential to capture interdependencies rather than treating risks in isolation.

Account for uncertainty: Loss estimates can vary tenfold depending on assumptions about recovery and disruption—highlighting the importance of sensitivity testing.

Shape resilience strategies: By stress-testing portfolios and capital models against these scenarios and informing capital requirements, actuaries can guide insurers and policymakers in preparing for systemic shocks.


This matters because if we don’t have a realistic picture of the potential fallout, it’s hard for risk managers, insurers, and policymakers to decide how much to invest in prevention, how much to transfer through insurance, and when—if ever—governments should step in with financial backstops.

That’s why we developed a standardized framework for estimating the economic impact of a range of cyber risk scenarios. Using a modeling approach borrowed from disaster economics, we calculated potential losses for six widely discussed extreme cyber events—and, importantly, made them comparable. The results offer both a dose of perspective and a call to action: While the modeled losses are large, they are generally within the realm of insurability. But the uncertainty is significant, and the clock is ticking.

The following article relates to the paper, The Economic Impact of Extreme Cyber Risk Scenarios, that I co-authored with Mauro Elvedi and Greg Falco. It was originally published in 2023 in the North American Actuarial Journal. The structure follows the logic of the original paper: beginning with motivation and context, describing the modeling framework, introducing the selected scenarios, presenting the results, and discussing their implications for insurers, risk managers, and policymakers.

The Cyber Threat Landscape

Today’s economy is a finely tuned machine—and it runs on digital fuel. From industrial control systems that manage power grids to cloud platforms that store business data, nearly every sector now depends on a network of interconnected technologies. This brings efficiencies and opportunities, but it also creates what we call accumulation risk: the chance that a single point of failure could trigger losses across multiple sectors simultaneously.

Monocultures make us vulnerable. When large numbers of organizations use the same operating systems, software packages, or cloud providers, they create a “monoculture” in the digital ecosystem. If a vulnerability is found in that shared technology, an attacker can exploit it to impact thousands—even millions—of users at once. This is what made the 2017 WannaCry attack so potent: It exploited a Windows vulnerability present in countless systems worldwide.

Another factor reshaping the threat environment is the rapid adoption of artificial intelligence (AI), smart devices, and 5G connectivity. While these technologies create efficiencies, they also expand the attack surface. A flaw in a widely used internet-connected sensor or a compromised AI algorithm could impact millions of users simultaneously. Combined with geopolitical tensions, where cyberattacks are increasingly used as tools of statecraft, the threat landscape is becoming both broader and more unpredictable.

Historical data aren’t enough. In traditional insurance modeling, analysts often look to past loss events as a guide to the future. But cyber risk is different. Attack tools evolve quickly, threat actors change tactics, and new vulnerabilities emerge constantly. Historical data are sparse—and in some cases deliberately hidden, as victims may be reluctant to disclose incidents. That makes it nearly impossible to estimate extreme loss potential solely from past events.

Faced with these challenges, many industry studies have turned to scenario analysis—a structured way of imagining plausible future events and estimating their consequences. But here’s the problem: Most existing scenarios are difficult to compare. They differ in methodology, assumptions, and the scope of what’s included. Without a consistent framework, it’s like comparing apples to oranges—or, more accurately, like comparing apples to a basket of fruit salad. Our goal was to change that.

Building a Standardized Scenario Framework

To make sense of extreme cyber risk, we needed a model that could handle two things at once:

  1. Direct impacts on the sectors that are hit first.
  2. Ripple effects that spread through the economy as those sectors struggle to recover.

We turned to a tool known as the dynamic inoperability input-output model as described by authors Yacov Y. Haimes and Pu Jiang in their article, “Leontief-Based Model of Risk in Complex Interconnected Infrastructures.” Originally developed for analyzing the economic consequences of natural disasters and infrastructure disruptions, it works a bit like a set of interconnected water pipes: If one pipe is damaged, the flow to others is reduced, and the effects ripple through the whole system.

In our case, the “pipes” are economic sectors and the “water” is their output. If a cyberattack knocks a sector partially offline—say, the telecommunications industry—the model tracks how that reduced capacity affects all the sectors that depend on it. It also factors in recovery time, because some sectors bounce back quickly, while others take weeks or months to restore full operations.

Why does this matter? By applying the same methodology to multiple scenarios, we can directly compare their estimated economic losses. This is something that’s been missing from most industry analyses, where each scenario is modeled in isolation.

Another strength of this approach is its ability to run “what-if” sensitivity tests. By adjusting variables such as the initial inoperability rate, the pace of recovery, or the interdependence between sectors, we can explore a range of plausible loss outcomes and identify which assumptions have the greatest influence on the final numbers. This is particularly important for cyber risk, where uncertainty is high and the threat landscape changes rapidly. In practice, this means our framework is not just a one-time estimate, but a living tool that can be updated as new vulnerabilities, technologies, or attack vectors emerge. It also allows decision-makers to stress-test their preparedness plans under more and less favorable recovery conditions—a critical step in translating scenario results into actionable resilience strategies.

For example, if telecommunications capacity were reduced by 40% for two weeks, our model could trace the cascading impact on retail sales, financial transactions, and even health care delivery. This kind of detailed stress test highlights why conventional actuarial models, which often assume independence across risks, are ill-suited for systemic cyber events.
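The telecommunications stress test described above can be sketched with the textbook discrete-time form of the dynamic inoperability input-output model, q(t+1) = q(t) + K[A*q(t) - q(t)], with no demand-side perturbation. This is an added illustration, not code or calibration from the paper: the four sectors, the interdependency matrix, the recovery rates, the daily output figures, and the `k_scale` sensitivity knob are all constructed assumptions.

```python
# Added example: discrete-time dynamic inoperability input-output model (DIIM).
# Every number below is constructed for illustration, not taken from the paper.
SECTORS = ["telecom", "finance", "retail", "health"]
# A_STAR[i][j]: share of sector j's inoperability that is passed on to sector i.
A_STAR = [
    [0.00, 0.05, 0.02, 0.01],
    [0.30, 0.00, 0.05, 0.02],
    [0.25, 0.20, 0.00, 0.01],
    [0.15, 0.05, 0.02, 0.00],
]
K = [0.30, 0.50, 0.40, 0.20]          # resilience: adjustment speed per day
DAILY_OUTPUT = [2.0, 6.0, 5.0, 8.0]   # planned output, $ billion per day


def simulate(shock_sector, shock_level, outage_days, horizon_days, k_scale=1.0):
    """Return (loss per sector in $ billion, peak inoperability per sector).

    The shocked sector is held at shock_level for outage_days, then recovers.
    k_scale < 1 models slower recovery for the sensitivity test.
    """
    n = len(SECTORS)
    s = SECTORS.index(shock_sector)
    q = [0.0] * n                      # inoperability: 0 = normal, 1 = fully down
    q[s] = shock_level
    loss = [0.0] * n
    peak = list(q)
    for day in range(horizon_days):
        for i in range(n):             # output lost today
            loss[i] += DAILY_OUTPUT[i] * q[i]
        nxt = []
        for i in range(n):             # q(t+1) = q(t) + K (A* q(t) - q(t))
            inflow = sum(A_STAR[i][j] * q[j] for j in range(n))
            step = q[i] + k_scale * K[i] * (inflow - q[i])
            nxt.append(min(1.0, max(0.0, step)))
        if day + 1 < outage_days:      # attack still in progress
            nxt[s] = shock_level
        q = nxt
        peak = [max(a, b) for a, b in zip(peak, q)]
    return loss, peak


if __name__ == "__main__":
    for scale in (1.0, 0.5):           # baseline vs. half-speed recovery
        loss, peak = simulate("telecom", 0.40, 14, 90, k_scale=scale)
        print(scale, round(sum(loss), 2), [round(p, 3) for p in peak])
```

Sectors that were never attacked still accumulate losses through `A_STAR`, and halving the recovery speed raises the total, which is the kind of sensitivity behind the wide ranges reported for some scenarios.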

The Six Extreme Cyber Scenarios

We selected six scenarios from widely cited industry and academic studies. Together, they cover a broad range of attack types, targets, and potential impacts (see also Table 1):

1. Extortion of Industrial Control Systems

  • Attackers take over supervisory control and data acquisition (SCADA) systems used in manufacturing, energy, and transportation.
  • Initial disruption: partial shutdown of critical operations.
  • Estimated U.S. loss: $11.6 billion to $34.8 billion.

2. Cloud Service Provider Failure

  • A major cloud provider suffers a prolonged outage, affecting thousands of businesses that rely on its services.
  • Estimated U.S. loss: $0.54 billion to $1.26 billion.
  • Lower than others because recovery can be relatively quick—but high potential for disruption given the growing reliance on cloud.

3. Cyberattack on the Health Sector and Hospitals

  • Hospitals lose access to patient records, diagnostic systems, and scheduling software.
  • Recovery takes two to three weeks.
  • Estimated U.S. loss: $6.2 billion to $62.1 billion (largest range due to uncertainty in recovery speed).

4. Compromise of Municipal Services

  • City government systems—from emergency response to public utilities billing—are disabled.
  • Estimated U.S. loss: $23.3 billion.

5. Telecommunications Impairment

  • A cyberattack cripples major internet backbone providers.
  • Recovery takes about a week.
  • Estimated U.S. loss: $1.5 billion.

6. Strategic Cross-Sector IT Failure

  • A coordinated attack disrupts multiple critical sectors at once (energy, manufacturing, finance, etc.).
  • Estimated U.S. loss: $24.2 billion to $47.1 billion.

These numbers may sound large—and they are—but here’s an important perspective: even the largest modeled loss, $62 billion, is just 0.3% of U.S. GDP. For comparison, the 2011 Japanese tsunami caused an estimated $210 billion in damage, and Hurricane Katrina in 2005 cost around $125 billion. Those events were covered (at least in part) by the insurance and reinsurance industries.

While each scenario is distinct in its technical execution and initial point of impact, they all share one crucial feature: the ability to cascade far beyond their original targets. In practice, an outage in one sector can rapidly affect others through a web of dependencies—for example, a telecommunications failure can stall payment systems, which in turn disrupts retail and supply chains. This interconnectedness means that the economic toll is often magnified not only by the breadth of the initial attack but also by the vulnerability of downstream sectors. By framing the scenarios in both narrative and quantitative terms, we aim to highlight the human and operational realities behind the numbers, making the risks tangible for decision-makers.

What the Model Reveals

  1. Losses are within the realm of insurability. Even in worst-case cyber scenarios, the modeled losses are of a size that the insurance and reinsurance markets have handled for other catastrophes. That’s encouraging—it means coverage for extreme cyber events is possible in principle.
  2. Uncertainty is high. For some scenarios, like the hospital attack, our estimates vary by more than a factor of 10 depending on assumptions about recovery time and inoperability. That makes precise pricing and risk transfer challenging.
  3. Qualitative context matters. Numbers alone don’t tell the full story. The affected sector, the nature of the disruption, and the degree of interdependence all influence how the losses ripple out. That’s why we pair the quantitative analysis with a qualitative scenario framework.

Implications for Insurers, Risk Managers, and Policymakers

For insurers and reinsurers, this framework provides a starting point for:

  • Designing products that cover systemic cyber risks.
  • Stress testing portfolios for potential accumulation losses.
  • Setting capital requirements that reflect correlated exposures.

For corporate risk managers, the message is: Identify which extreme scenarios are most relevant to your operations, and plan accordingly. That could mean investing in redundancy for critical systems, diversifying technology providers, or increasing cyber insurance limits. For policymakers, the results can help decide when public-private partnerships or backstop mechanisms might be warranted—for example, in scenarios where the potential for widespread societal disruption is high.


Beyond the immediate tactical responses, these findings also point to a strategic need for cross-sector coordination. Insurers, corporations, and public authorities often approach cyber preparedness in silos, yet the scenarios we model demonstrate that systemic events rarely respect such boundaries. Establishing joint simulation exercises, sharing anonymized incident data, and harmonizing response protocols can help close the gap between isolated planning and collective resilience. For insurers, participating in such collaborations can yield richer exposure data, more accurate pricing models, and innovative coverage structures that reflect the interconnected nature of cyber risk.

Policymakers are also beginning to recognize the systemic nature of cyber risk and are responding with new regulatory frameworks. In the European Union, the Digital Operational Resilience Act (DORA) will require financial institutions and their technology providers to demonstrate that they can withstand severe cyber disruptions, effectively pushing resilience planning into the boardroom. In the United States, the Cybersecurity and Infrastructure Security Agency (CISA) has launched initiatives to map critical dependencies and coordinate responses across sectors, reflecting an acknowledgment that cyberattacks can ripple across the economy just as natural disasters do. These efforts highlight a shift from treating cyber incidents as isolated IT problems toward viewing them as systemic economic and security challenges.

Conclusion

We can’t predict exactly when or how the next major cyber incident will occur. But we can map the contours of the risk—and that’s what our standardized framework aims to do. By making scenarios comparable, we can have a more informed conversation about priorities, preparedness, and the role of insurance. The digital economy will always carry some degree of cyber risk. The challenge is to ensure that when the dominoes start to fall, we’ve already planned how to keep them from toppling the whole system. Cyber risk is becoming the hurricane of the digital age—unpredictable in timing but inevitable in occurrence. Building resilience now through diversification, redundancy, and public-private cooperation is the best way to ensure these shocks do not become systemic crises. 

Martin Eling is the dean of the School of Finance, Director of the Institute of Insurance Economics, and professor for Insurance Management at the University of St. Gallen, Switzerland.