Held to ransom

4 February 2019

The article at a glance

A global ransomware cyber attack could cost nearly $200 billion and affect more than 600,000 businesses, says a report by the Centre for Risk Studies at Cambridge Judge and other partners.

A global ransomware cyber-attack could cost $193bn and affect more than 600,000 businesses worldwide, says a new report produced by the Centre for Risk Studies at Cambridge Judge Business School and other partners.

In the report’s scenario, the attack is launched through an infected email, which once opened is forwarded to all contacts and within 24 hours encrypts all data on 30 million devices worldwide. Companies of all sizes would be forced to pay a ransom to decrypt their data or to replace their infected devices.

The scenario estimates that retail and healthcare would be the most affected ($25bn each), followed by manufacturing ($24bn). In terms of geography, the US would be the hardest hit with $89bn at risk, followed by Europe at $75bn, Asia at $18bn and the rest of the world at $8bn.

Despite the high costs to business, the report shows the global economy is underprepared for such an attack with 86 per cent of the total economic costs uninsured, leaving an insurance gap of $166bn.

The report, entitled Bashe attack: Global infection by contagious malware, was issued by the Cyber Risk Management (CyRiM) project, a Singapore-based public-private initiative that assesses cyber risks, of which the global insurance market Lloyd’s is a founding member.

The Centre for Risk Studies at Cambridge Judge prepared the cyber risk scenario in the report, based on detailed research in conjunction with Lloyd’s, CyRiM and other contributors.

Dr Andrew Coburn, Chief Scientist at the Centre for Risk Studies, said this scenario “highlights the potential for loss that can occur from contagious malware attacks. It challenges assumptions about cyber preparedness and the adequacy of security measures that companies have in place.”

This report is intended to deepen the understanding of cyber risk liability and aggregation risk in the portfolios of insurers. We hope that this contribution will help improve the understanding of cyber risk and lead to better resilience to attacks like these in the future.