Businesses are ill-prepared for a global ransomware attack

13 March 2019

A large scale malware attack could cost the global economy as much as USD 200 billion, yet the risk is largely uninsured, according to a study from the Cyber Risk Management (CyRiM) project and Lloyd’s.

As the global economy becomes more interconnected and reliant on technology, companies are growing more vulnerable to outbreaks of contagious malware. 

While several cyber-attacks have spread rapidly across the world – most notably the WannaCry and NotPetya attacks in 2017- there is yet to be a coordinated attack that causes catastrophic-level losses.

For the first time, however, a study from the Cyber Risk Management (CyRiM) project and Lloyd’s quantifies the impacts of such a scenario. It estimates that a global ransomware cyber-attack would cost between USD 85 billion and USD 193 billion - by comparison, the NotPetya malware attack is estimated to have cost USD 10 billion. 

However, the report said that more than 86% of the total economic cost remains uninsured, creating an insurance gap of USD 166 billion.

Forewarned Is Forearmed

The report is based on a hypothetical loss scenario, whereby a cyber attack is launched through an infected email. Once opened, the email is automatically forwarded to all contacts and within 24 hours the virus encrypts all data on 30 million devices worldwide. 

Companies of all sizes would be forced to pay a ransom to decrypt their data or to replace their infected devices.

The report shows the extent of damage caused by a large-scale global ransomware attack, which would lead to reduced productivity and consumption, IT clean-up costs, ransom payments and supply chain disruption for a wide range of business sectors. 

The loss scenario, which impacts more than 600,000 businesses worldwide, envisages direct costs to individual companies, as well as a wider economic impact, such as the negative effects on supply chains and consumption.

For example, the malware’s encryption of payment systems would cause a significant decline in sales revenue for traditional retailers.

While e-commerce trading revenue would be affected, as websites struggle to process web traffic.

Manufacturers would suffer significant revenue loss because the malware encrypts equipment, halting production. While in healthcare, which is historically vulnerable to high levels of malware infection, the malware would penetrate legacy systems and healthcare IT equipment.

The scenario estimates that the retail and healthcare sectors would be the worst affected (USD 25 billion), followed by manufacturing (USD 24 billion). 

Regionally, the US would be the hardest hit with USD 89 billion at risk, followed by Europe with a USD 76 billion impact and Asia losing USD 19 billion. The rest of the world could lose USD 9 billion.

Businesses would also have to weigh up paying the ransom against the cost and time needed to clean-up and replace systems. 

When the NotPetya ransomware attack in 2017 hit A.P. Moller-Maersk, the world’s largest container shipping company, the company’s IT team reinstalled over 4,000 servers, 45,000 PCs, and 2,500 applications over a 10-day period. This was estimated to cost Maersk up to USD 300 million.

The report scenario found that contingent business interruption would be particularly damaging, as the malware attack would spread throughout the supply chain. For example, indirect losses in the banking and finance sectors would roughly match the direct economic impact of the malware for that sector. 

 Sign up to our latest  news & insights Sign up to our latest  news & insights

Underinsurance 

Despite the high costs to business, the report shows the global economy is underprepared for such an attack. Only 9-14% (USD 10 -27 billion) of the total economic costs would be insured, leaving some USD 166 billion uninsured.

According to the study, business interruption coverage is the main driver of insured losses, at between 60-70% of the loss. Incident response costs were the next largest cause of loss at USD 3.1 billion, while cyber liability and data loss followed with losses of around USD 2.5 billion apiece. 

The scenario was not based on an act of terrorism or warfare, so the Terrorism Risk Insurance Act (TRIA) in the US would not be triggered.

While small relative to the economic loss, an insured loss of USD 10-27 billion would still be a material exposure for the insurance market. The estimated 2019 cyber affirmative insurance premium globally is USD 6.4 billion, resulting in an insurance industry loss of 1.2 to 3.4 times the annual insurance premium.

FOOD FOR THOUGHT

The scenario set out in the study is fictional and not intended as a prediction. In fact, the study describes the exercise as an unlikely and extreme, yet plausible, scenario. However, such ‘what-if’ studies should be taken seriously. 

They raise awareness and can help companies visualise what a catastrophic cyber event might look like and how it could impact their business.

The report, for example, highlights the need for industries and individual companies to improve their awareness and assessment of this threat. 

Lloyd’s advises companies to build effective response capability for contagious malware, and work closely with insurance companies to develop cyber defence strategies.

The study is also just one of a number of cyber loss scenarios developed by the insurance industry in partnership with research groups. 

These aim to create common definitions and cyber related event loss data that can be used to model large cyber events, which should feed through to the availability of insurance, reinsurance and alternative capital.

Sarah Stephens

Talk to an expert

For further information, please contact Sarah Stephens, Head of Cyber /Technology E&O on +44 (0)20 3394 0486

Download cyber decoder

YOU MAY ALSO BE INTERESTED IN