This Global Ransomware Scenario Shows Just How Vulnerable Businesses Are to Malicious Malware Attacks
The Cyber Risk Management (CyRiM) project released its most recent study on the lasting impacts of a global ransomware attack, concluding that such an event could cause a loss of nearly $193 billion.
And only 14 percent of that loss would be covered by insurance.
“The real and present danger posed by cyber risk to businesses and society needs to be tackled on multiple levels,” read the report. “Insurance is one important component in managing this rapidly growing threat as it can provide risk mitigation and transfer.”
CyRiM is led by the Nanyang Technological University – Insurance and Finance Research Centre, backed by a number of industry partners, including the Cambridge Centre for Risk Studies and Lloyd’s of London.
“The insurance industry is improving the understanding of the unique, complex and evolving nature of cyber risk to provide a robust cyber insurance cover required by those at risk. The lack of sound data … constrains the development of the current cyber risk insurance market,” said the report.
Creating a Faux Malware Attack
So, in order to gain more data on a ransomware event of global scale, CyRiM created the “Bashe Attack,” a fake malware scenario, to see how it might take place and what the impact would be on governments and businesses.
They named the scenario “bashe” after the Chinese tale of a giant snake that could swallow an elephant whole: “This name has been adopted for the attack in this scenario as it is seemingly insatiable in its quest for disruption,” explained the report.
The scenario involved the Bashe malware entering a company’s network through a malicious email and, once the email was opened, encrypting the data on every device connected to that network — not unheard of or uncommon in real practice.
The difference: This malware could then forward itself to every email address saved within the address books on the network. Business, said the report, has become more connected and even dependent on digital links — not just within a company but with the world at large. Once one network was compromised, the malware could spread to outside businesses’, governments’ and individuals’ email inboxes, encrypting their data before forwarding itself again and repeating the process and essentially becoming a cyber pandemic.
In 24 hours, the report concluded, the ransomware would encrypt the data on nearly 30 million devices worldwide.
At its worst, the Bashe Attack would cost $193 billion in economic losses.
At its best, $85 billion.
Retail would suffer the highest economic loss globally, said the report, with $15 billion in economic loss. Health care would take a $10 billion hit, and manufacturing comes in at #3 with a $9 billion loss.
CyRiM reviewed several versions of the scenario and broke down the impact by region as well, stating that the U.S. would see a total economic loss anywhere from $46 billion to $86 billion. Europe ranged from $30 billion to $76 billion, and Asia was $6 billion to $19 billion.
In the aftermath, the total of global insurance claims made could equal anywhere from $10 billion to $27 billion.
Claims for business interruption, cyber extortion, incident response costs, personal cyber and liability would be most prominent. Not to mention litigation fees, damage to IT assets, data and software loss and more. Business interruption would likely be the main driver of insured losses, at 71 percent.
Further, “the estimated 2019 cyber affirmative insurance premium globally is $6.4 billion, which puts the insurance industry loss estimates at 1.2 to 3.4 times the annual insurance premiums. This shows that the insurance industry is significantly exposed to a contagious malware event,” concluded the report.
What Can Be Done Now to Prevent a Bashe Attack
If a global, systemic ransomware attack were to take place, businesses would need to be prepared beforehand. The researchers hope this scenario challenges assumptions of cyber-attack readiness within companies. The report further suggests a few ways to prepare.
Companies need to review their response plan for contagious malware. Is there one set up? If there is, how robust is it? Companies should include building an effective response plan as part of their business operations and work more closely with their insurance teams to develop a cyber defense strategy.
Insurance, likewise, should continue to monitor and brainstorm strategies to combat growing cyber risks. Data collection is one way to really home in on the changing nature of cyber, said the report: “The expansion of the cyber insurance market is both necessary and inevitable. Scenarios such as the ‘Bashe Attack’ help insurers expand their view of cyber risks ahead of the next event and help them create new products and services that make businesses and communities more resilient.”
To see more of the variables used in the Bashe Attack scenario and the impact on each region and sector, read the full “Bashe Attack: Global Infection by Contagious Malware” report.