Cyber defence tools alongside appropriate insurance are essential in the light of an insurance industry report on the potential cost of a global cyber attack, say security industry representatives.
A coordinated global cyber attack spread by email could have an economic impact of between $85bn and $193bn, according to a report by the Cyber Risk Management (CyRiM) project, a Singapore-based public-private initiative that assesses cyber risks.
CyRiM’s objectives include research into the definition of cyber risk, the creation of a set of cyber event scenarios for impact quantification, the creation of benchmark cyber loss models, and the development of a non-intrusive cyber security exposure assessment capability.
According to CyRiM, the “lack of sound data, the rapidly changing cyber threat environment, developing regulation and policy landscape, and the global nature of cyber risk with potential for high accumulation risk, constrains the development of the current cyber risk insurance market”.
The report, co-produced by Lloyd’s of London, Aon and other CyRiM partners, explores a hypothetical scenario in which companies’ devices are infected with malware that threatens to destroy or block access to files unless a ransom is paid.
The attack is launched through an infected email, which, once opened, is forwarded to all contacts and, within 24 hours, encrypts all data on nearly 30 million devices worldwide. Companies of all sizes and in all sectors would be forced to pay a ransom to decrypt their data or to replace their infected devices.
The report estimates that a cyber attack on this scale could affect more than 600,000 businesses worldwide.
In the least severe scenario, retail suffers the highest total economic loss globally ($15bn), followed by healthcare ($10bn) and manufacturing ($9bn). In the most severe scenario, retail and healthcare would be the most affected ($25bn each), followed by manufacturing ($24bn).
According to the research, the economic impact would be the greatest in the US ($46bn-$89bn), driven mainly by the infection of “premier-sized” companies, followed by Europe, where $30bn-$76bn is at stake, with retail, business and professional services, and manufacturing likely to be the hardest-hit sectors.
Despite the high costs to business, the report shows that the global economy is under-prepared for such an attack, with 86% of the total economic losses uninsured, leaving an insurance gap of $166bn.
Ed Macnair, CEO of cloud security company CensorNet, said there is no doubt that the potential economic impact of cyber attacks is increasing.
“Should an event like this occur, it would be devastating, but this seems like the very worst-case scenario,” he said, pointing out that the research is based on a phishing attack.
“The kind of spread they are talking about would be prevented if just a couple of companies had email security in place. The chances are that many more than that do. Of course, phishing attacks are getting smarter and can catch out even the savviest, but modern security tools can also prevent such a rapid propagation of infection,” said Macnair.
“Security tools have got much smarter over the last few years with more and more integration, and could, in theory, be picked up by an email security tool and blocked from being sent on. Then email security speaks to a web security tool, and malicious links are blocked from opening in web clients.”
Cyber insurance is a good idea to have, said Macnair, but without preventative tools in place, it is the same as insuring household contents and leaving the door unlocked. “It’s there as a back-up and, if you do everything right, insurance shouldn’t be needed.”
The report estimates that the total claims paid by the insurance industry in this scenario would be between $10bn and $27bn.
“Comparing the insurance loss estimates to the economic losses shows insurance industry losses are between 9% and 14% of the total economic loss, which shows there are high levels of underinsurance for this type of cyber attack,” the report said.
With the estimated 2019 “cyber affirmative insurance premium” globally at $6.4bn, the research shows the insurance industry is “significantly exposed” to a contagious malware event.
According to the report, the scenario shows that the reliance of the global economy on connectivity significantly increases the scope of the damage caused by malware and, for the first time, quantifies the impacts of a global, systemic, ransomware attack.
“The scenario challenges assumptions of global preparedness for a cyber attack of this nature and sends a clear message to organisations, individual entities, industry associations, markets and policymakers that they must improve their awareness, and assessment of this threat,” the report said.
The report concluded that the expansion of the cyber insurance market is “both necessary and inevitable” and that scenarios such as those used in the research will help insurers expand their view of cyber risks and help them create “new products and services that make businesses and communities more resilient”.