A global ransomware cyberattack could inflict around US$193 billion in damage and affect more than 600,000 businesses worldwide, according to a new report from the Cyber Risk Management (CyRiM) project.
CyRiM is a Singapore-based public-private initiative that assesses cyber risks, with Lloyd’s as one of its founding members. The report was produced in collaboration with Nanyang Technological University, Cambridge University, and several major insurance industry players such as Aon, MSIG Asia, SCOR, and TransRe.
The report, titled ‘Bashe Attack: Global infection by contagious malware’, presented a hypothetical scenario where the attack spreads through infected emails. Once the email is opened, it forwards the ransomware to all of the victim’s contacts. The attack is able to encrypt all data on around 30 million devices worldwide, forcing companies to either pay a ransom to retrieve their data, or replace the infected devices.
According to the study, a ransomware attack of this magnitude would cause substantial economic damage to multiple business sectors through reduced productivity and consumption, IT clean-up costs, ransom payments and supply chain disruption.
The retail and healthcare sectors would be the top two most affected, with losses of US$25 billion each, closely followed by the manufacturing sector (US$24 billion). Geographically, the US would be the hardest hit, with US$89 billion at risk. Meanwhile, Europe stands to lose US$76 billion, followed by Asia’s US$19 billion. The rest of the world is estimated to lose US$9 billion.
Despite the huge value at risk, the study highlighted the lack of preparedness of the global economy against such a threat – 86% of the total economic costs are uninsured, resulting in an insurance gap of US$166 billion.
“This report shows the increasing risk to businesses from cyberattacks as the global economy becomes more interconnected and reliant on technology,” said Dr Trevor Maynard, head of innovation at Lloyd’s. “Companies must ensure they are better prepared for ransomware attacks, and that includes working with insurers to reduce the risks before they are attacked and ensure they have the right insurance cover in place to respond after the event. The reality for business is it’s not if you get attacked but when.”
“Malware respects no boundaries, whether geographic, industrial or legal,” said Elizabeth Geary, global head of cyber at TransRe. “As companies increase their reliance on technology, it is essential they increase their defences against challenges such as malware, and effective cyber insurance is a critical component of that defence. Similarly, the insurance industry must also acknowledge and appreciate the potential for systemic risk, in addition to monitoring loss frequency and severity. This report seeks to quantify that systemic economic and insured impact. It represents an important step forward in our understanding, and provides a benchmark for business interruption and its associated costs.”