In the following interview, Trevor Maynard, Head of Innovation at Lloyd's, talks about how a major, global cyber-attack could happen and what the impact would be. Lloyd's and other organizations have recently released an excellent case study called Bashe attack: Global infection by contagious malware. The report was named best report 2019 in the category "security".
ITRF: Your award-winning report ‘Bashe attack: Global infection by contagious malware’ describes the scenario of a devastating global ransomware attack. Why have you chosen such a shocking scenario and how likely do you think it is to actually happen?
Trevor Maynard: The CyRim project brought together multiple insurers and brokers - Aon, Trans Re, Mitsui, Scor and Lloyd's - along with NTU and the MAS – working with our delivery partner the Cambridge Centre for Risk Studies. We carried out a detailed process to choose the scenarios. First Cambridge considered eleven possible scenarios and brought six for CyRim to consider. These were discussed at a workshop in Singapore amongst the partners and the two most relevant were taken forward. We have now published reports on both of these and Bashe is one.
The scenario was chosen to meet several criteria: it was Asia-focussed - the event starts in Asia; it is likely to have a high impact; the impact is extreme but plausible, i.e. the probability is low but not too low – this could definitely happen; and it covers multiple lines of business simultaneously.
ITRF: In your report you describe, very much in detail, the economic consequences of such an attack which could reach losses of almost US$ 200 billion. Why is the economic effect potentially so severe?
Trevor Maynard: In this hypothetical scenario the attackers learn lessons from NotPetya to launch a more impactful event. Consistent with the Lloyd’s Cambridge City Risk Index we published three variants of the scenario, S1, S2 and X1 – these show increasing impacts but also become less likely to occur as the economic impact rises.
The most severe variant has two major operating systems affected and also a wiper which will destroy data as well as encrypting it. The combination of these effects leads to our most severe outcome.
Such an event “could” happen any time – just like a major earthquake hitting a city – but as with natural perils we do see these events as rare – but something we need to prepare for.
ITRF: Which sectors, businesses and individuals are most vulnerable to an attack of this dimension?
Trevor Maynard: Our key finding is a large insurance gap – typically only 10-20% of the economic impact is covered by insurance, with many companies choosing to run the risks alone. This effect is more pronounced in Asia, with fewer companies choosing to insure.
When looking at the most extreme scenario variant, X1, 613,000 companies will be affected worldwide. The retail and healthcare sectors would be the most affected ($25bn each), followed by manufacturing ($24bn). Regionally, the US would be the hardest hit with $89bn at risk. Europe could lose $76bn, with Asia losing $19bn. The rest of the world could lose $9bn.
The US economic loss is driven primarily by the infection of premier-sized companies, particularly within the service sectors such as finance, healthcare and retail. High infection rates in the finance sector cause significant disruption to the US financial markets.
In Europe, retail, business and professional services, and manufacturing are the hardest hit sectors. One reason the financial costs are lower than in the US is that the malware infects a much higher number of small and medium-sized enterprises and a lower number of premier-sized companies. This penetration of SMEs in Europe and the relatively high infection rate of small companies (due to poor cyber defences) increases the number of businesses infected but due to the low potential revenue loss per day for small companies, the economic loss is constrained.
Asia is the third most impacted region in the scenario with economic losses ranging between $6-19 billion. The region is less affected than the US and Europe due to a lower presence of sectors with high vulnerability scores, thus less likely to be infected. The healthcare, transportation and manufacturing sectors are the most severely affected sectors in the region. The disruption to production lines halts or slows down production in manufacturing companies across Asia.
In terms of personal cyber losses: as the ransomware is forwarded to victims’ entire contact list, there is potential for impacts to personal computers. Claims will likely be seen for personal cyber extortion payments as well as data restoration in the X1 scenario variant. Finally, there is potential for personal reputational policies to pay out following the event.
ITRF: How challenging was it to bring together so many co-producers - like Aon, Scor, MSIG and others - when writing this report and tackling such a complex problem?
Trevor Maynard: The CyRim project was designed to create this collaboration. My team led the delivery of this aspect of the project and were delighted by the support we received from the others.
ITRF: Thank you very much for this interview, Trevor!