Global cyber attacks underinsured to tune of $166bn, finds report
A severe global ransomware attack could cost as much as $193bn and affect more than 600,000 businesses worldwide, yet only 14 percent of this cost is insured, research has revealed.
Scenarios examined in the Bashe Attack report from the Cyber Risk Management (CyRiM) show that an infected email can spread the attack to all contacts and encrypt data on up to 30 million devices worldwide in just 24 hours. Victims would be expected to pay a ransom to decrypt their data or to replace their infected devices.
This level of loss represents a worst case scenario, however, an attack on this scale would damage a wide range of business sectors through lost productivity and consumption, IT issues, ransom payments and supply chain disruption.
Under the scenario, researchers estimated that retail and healthcare would be the most affected ($25bn each), followed by manufacturing ($24bn). Across the globe, the US would be hardest hit with $89bn at risk, while Europe could lose $76bn, Asia as much as $19bn and the rest of the world could lose $9bn.
The report said that despite the sky-high potential costs for business, more than 86% of the total economic costs remain uninsured creating an insurance gap of $166bn.
It said: “Asia is one of the fastest-growing markets for cyber insurance. The market saw an 87% increase in cyber insurance take-up rates in Asia in 2017 with the current global premiums estimated to total $50 million. The increase in cyber-attacks in 2017 in Asia over recent years means companies are more likely to have standalone cyber insurance than before. Further insurance take-up is likely in the future.”
The US is the world’s most developed cyber market, which is growing year on year, while in Europe GDPR legislation and penalties for non-compliance are expected to drive further growth for insurers.
Dr Trevor Maynard, head of innovation at Lloyd’s, said: “This report shows the increasing risk to businesses from cyber-attacks as the global economy becomes more interconnected and reliant on technology. Companies must ensure they are better prepared for ransomware attacks, and that includes working with insurers to reduce the risks before they are attacked and ensure they have the right insurance cover in place to respond after the event. The reality for business is it’s not if you get attacked but when.”
Global head of cyber at TransRe Elizabeth Geary said: “The insurance industry must also acknowledge and appreciate the potential for systemic risk, in addition to monitoring loss frequency and severity. This report seeks to quantify that systemic economic and insured impact. It represents an important step forward in our understanding, and provides a benchmark for business interruption and its associated costs”.
Pointing to the global WannaCry and NotPetya events of 2017, Andrew Mahony, regional director for Aon, said that organisations were now more alert. But he said: “There remains, however, a reluctance to move forward with the necessary risk prevention and transfer measures without a clear picture of the financial impact such an attack might cause. The Bashe report addresses this issue, demonstrating with precision how an attack unfolds and how it affects insureds and insurers. The report sets the standard that organisations should aspire to when assessing their own cyber exposure.”
The CyRiM project is led by Nanyang Technological University in collaboration with industry partners including Lloyd’s, Aon, MSIG, SCOR and TransRe and academics at the Cambridge Centre for Risk Studies.
