If hackers were to shut down parts of the U.S. power grid, insurance claims could cost anywhere between $21.4 and $71.1 billion, according to a recent study from Lloyd’s and the University of Cambridge’s Centre for Risk Studies.

The report, “Business Blackout,” analyzes a hypothetical but plausible scenario in which hackers damage just 50 of the approximately 700 generators that supply power to the Northeastern electrical grid, plunging 15 U.S. states and Washington, D.C. into darkness. The attack would leave 93 million people without power and cause health and safety system failures, trade port shutdowns, water supply disruption and transportation network chaos.

“The scenario illustrates the potential physical damage caused by cyber attacks against operational technology and just how broad the reach of a major event could be,” says Nick Beecroft, emerging risks and research manager at Lloyd’s of London. “Insurers should consider a cyber attack to be a peril that could trigger a wide range of economic losses.”

The report estimates the U.S. economic impact of a cyber attack this severe would total anywhere between $243 billion and $1 trillion, depending on the severity. Meanwhile, insurance claims would arise in more than 30 lines of insurance—primarily business interruption, liability and property damage.

“The claims originate from companies that lose power and thus lose business; power generation companies, which lose revenue and suffer property damage; businesses that suffer supply chain disruption because critical vendors are not able to supply them; and companies that are sued for liability to prevent the attack,” Beecroft says.

The report estimates that the attack would cause four lines of insurance—commercial combined property, downstream energy, energy liability and advanced property for cyber liability—to experience “major” increases in claims. It would also expose a total of 32 lines to some increase in claims, including workers comp, D&O, E&O, general liability and many more.

Just how likely is a major cyber attack like the one described in this report? “A prediction describes what will happen; a scenario describes what could happen,” Beecroft says. “A scenario describes only one of many possible futures. Scenarios allow insurers to investigate uncertainty and can provide a valuable tool for exposure management and product innovation.”

For insurers, data will be a key factor in further analyzing cyber risk and developing new solutions to mitigate the latest threats and vulnerabilities.

“The systemic, intangible, dynamic nature of cyber risk means that all parties involved in managing the risk have an interest in sharing anonymized data on the frequency and severity of attacks,” Beecroft says. “The combination of insurers’ expertise in pricing risks—together with the capabilities of the cyber security sector to assess threats and vulnerabilities and the risk modelling expertise of the research community—has the potential to offer a new generation of cyber insurance solutions for the digital age.”

Jacquelyn Connelly is IA senior editor.