A global ransomware cyber attack could cost $193bn and affect more than 600,000 businesses worldwide, according to a new report from the Cyber Risk Management (CyRiM) project, the Singapore-based public-private initiative that assesses cyber risks, of which Lloyd’s is one of the founding members.
The report, ‘Bashe attack: Global infection by contagious malware’, a joint project by CyRiM, Lloyd’s the Cambridge Centre for Risk Studies, with support from SCOR, TransRe, MSIG Asia, and the Insurance Risk and Finance Research Centre at the Nanyang Technical University in Singapore, imagines a scenario in which the world is hit by a digital plague that spreads across the globe in a matter of hours. In this scenario, the attack is launched through an infected email, which once opened is forwarded to all contacts and within 24 hours encrypts all data on 30m devices worldwide. Companies of all sizes would be forced to pay a ransom to decrypt their data or to replace their infected devices.
The hypothetical Bashe attack, a ransomware attack on a global scale, would cause substantial economic damage to a wide range of business sectors through reduced productivity and consumption, IT clean-up costs, ransom payments and supply chain disruption.
The scenario estimates that:
- Retail and healthcare would be the most affected ($25bn each), followed by manufacturing ($24bn).
- Regionally, the US would be the hardest hit with $89bn at risk. Europe could lose $75bn, with Asia losing $18bn. The rest of the world could lose $8bn.
Healthcare is a particularly vulnerable sector, according to the report, as that sector has a greater proportion of legacy systems as compared to other industries. According to Beazley head of Asia Pacific Lucien Mounier, 45% of the ransomware attacks that the company handled in 2017 were in the healthcare industry. “They simply have lesser investment into information security. If you think about it, it’s natural that investments would not necessarily go directly into information security compared to buying new equipment or modernising the hospital itself. If you think about a doctor, his priority would go towards saving his patients than it is to have a complex password,” he said.
“Both are important, but that’s just the nature of the industry,” he said. “At the point the challenge becomes, ‘How can I make it easy for the healthcare industry to become more secure?’ Because you can’t really expect a surgeon who’s conducting an operation to key in a 12-character complex password.”
Despite the high costs to business, the report shows the global economy is underprepared for such an attack with 86% of the total economic costs uninsured, leaving an insurance gap of $166bn. Lloyd’s head of innovation Dr Trevor Maynard said, “This report shows the increasing risk to businesses from cyber attacks as the global economy becomes more interconnected and reliant on technology. Companies must ensure they are better prepared for ransomware attacks, and that includes working with insurers to reduce the risks before they are attacked and ensure they have the right insurance cover in place to respond after the event. The reality for business is it’s not if you get attacked but when.” M