Global ransomware attack could cost businesses $200bn
Written by James Orme Tue 29 Jan 2019

A global ransomware cyber attack could cost $193bn and affect more than 600,000 businesses worldwide, says the Singapore-based Cyber Risk Management (CyRiM) project.
CyRiM is a research project that is attempting to create effective cyber risk insurance by gauging the potential economic damage of cyber attacks to businesses. Although based in Singapore, its founding members include Aon and Lloyds and it is partnered with the Cambridge Centre for Risk Studies.
In its latest report, CyRiM assesses the potential impact of a self-forwarding ransomware email that encrypts the data on 30 million devices worldwide within 24 hours, forcing businesses of all stripes to either cough up a ransom to decrypt their data or replace their infected devices.
The report speculates that a ransomware attack on this scale would dramatically reduce productivity and consumption, precipitate costly IT clean-up jobs and ransomware payments, and lead to severe supply chain disruption. Specifically, the US would be the hardest hit with $89bn lost, followed by Europe with a $76bn loss and Asia with $19bn.
A report released in October by Hiscox revealed that UK small businesses are the target of an estimated 65,000 attempted cyber attacks every day. But despite the presence of persistent cyber threats, businesses are failing to insure themselves against them, leaving a global insurance gap of $166bn.
We may reasonably question the incentives for a globally coordinated ransomware attack of this ilk. With a ransom dividend entering the billions of dollars mark, you’d expect those responsible to be identified pretty routinely.
But as proven in November, when the US charged two Iranians for their role in the SamSam ransomware attack, identifying the perpetrators doesn’t get you far if they reside in a country that you don’t have an extradition treaty with.
And with cyber attacks swiftly becoming the primary weapon in states’ arsenals, high-scale state-sponsored ransomware attacks are going to increasingly become the norm — a trend started by North Korea’s Lazarus Group.
Given that private sector enterprises are likely to bear the brunt of such attacks, it’s vital that more take out cyber insurance policies and close up the present 86 percent gap in uninsured cyber costs.
“This report is intended to deepen the understanding of cyber risk liability and aggregation risk in the portfolios of insurers,” said Dr Andrew Coburn, chief scientist at the Cambridge Centre for Risk Studies.
“We hope that this contribution will help improve the understanding of cyber risk and lead to better resilience to attacks like these in the future.”