The global re/insurance industry is underprepared for the impact of a single large-scale ransomware cyber attack, which could cost businesses as much as $193 billion, according to a new study by the Cyber Risk Management (CyRiM) project.
The report modelled an attack that infects 30 million devices worldwide and forces companies to pay a ransom to decrypt their data.
In this scenario, CyRiM found that roughly 86% of the total economic costs would go uninsured, leaving an insurance gap of $166 billion.
Retail and healthcare sectors would be most affected by the attack ($25 billion each), followed by manufacturing ($24 billion).
Damages would result primarily from reduced productivity and consumption, IT clean-up costs, ransom payments and supply chain disruption.
Regionally, a ransomware attack of this kind would impact the U.S. most, with $89 billion at risk, followed by Europe at $76 billion, Asia at $19 billion, and the rest of the world making up the remaining $9 billion.
While the report highlights many areas in which the global re/insurance industry is underprepared for such an attack, it also identified opportunities for insurers to expand their business in insurance classes associated with ransomware events.
The study was undertaken by analysts at CyRiM, the Singapore-based public-private cyber risk initiative, of which Lloyd’s is one of the founding members.
Trevor Maynard, Head of Innovation at Lloyd’s, commented on the findings: “This report shows the increasing risk to businesses from cyber-attacks as the global economy becomes more interconnected and reliant on technology.”
“Companies must ensure they are better prepared for ransomware attacks, and that includes working with insurers to reduce the risks before they are attacked and ensure they have the right insurance cover in place to respond after the event,” he continued. “The reality for business is it’s not if you get attacked but when.”
Elizabeth Geary, Global Head of Cyber at TransRe, also stated: “This research highlights the need to pay close attention to systemic risk across all lines of business, not just within the cyber tower.”
“Malware respects no boundaries, whether geographic, industrial or legal. As companies increase their reliance on technology, it is essential they increase their defences against challenges such as malware, and effective cyber insurance is a critical component of that defence,” she explained.
“Similarly, the insurance industry must also acknowledge and appreciate the potential for systemic risk, in addition to monitoring loss frequency and severity. This report seeks to quantify that systemic economic and insured impact. It represents an important step forward in our understanding, and provides a benchmark for business interruption and its associated costs.”
Shaun Wang, Director of the Insurance Risk and Finance Research Centre at Nanyang Technological University, added: “We are pleased to collaborate with Cambridge University and CyRiM founding members on this groundbreaking research. Quantifying potential harm caused by cyber threats to corporations and their insurers has been a challenge due to lack of data.
“The ‘Bashe attack’ report exemplifies a sound methodology of applying expert knowledge in estimating economic losses caused by contagious malware to sweep through many organisations. It sheds light on potential losses to insurers through both affirmative and non-affirmative covers.”
Finally, Andrew Coburn, Chief Scientist at the Cambridge Centre for Risk Studies, said: “The scenario we have prepared with Lloyd’s, CyRiM and other contributors highlights the potential for loss that can occur from contagious malware attacks. It challenges assumptions about cyber preparedness and the adequacy of security measures that companies have in place.
“This report is intended to deepen the understanding of cyber risk liability and aggregation risk in the portfolios of insurers. We hope that this contribution will help improve the understanding of cyber risk and lead to better resilience to attacks like these in the future.”