Nine in 10 global cybersecurity and risk experts said they believed that cyber risk is systemic and that simultaneous attacks on multiple companies were likely in 2017, according to a study by American International Group released last week.
More than half of survey respondents said a simultaneous attack on five to 10 companies is highly likely in the next year. More than one-third estimated the likelihood of a simultaneous attack on as many as 50 companies at greater than 50 percent. Twenty percent saw an even greater threat, predicting a better than even chance that as many as 100 companies would be attacked.
AIG, one of the biggest writers of cyber insurance, announced the results on Wednesday last week, two days before news of a worldwide ransomware attack surfaced on Friday, with the earliest reports centering on a shutdown of U.K. hospitals under attack. Throughout the weekend, estimates of the impact soared, with most reports saying that computers running factories, banks, government agencies and transport systems had also been hit across at least 150 countries.
AIG said its survey of cybersecurity and risk experts was conducted to gain a deeper understanding of the likelihood and impact of a globally systemic cyber attack. The survey follows several high-profile systemic cyber events, including the distributed denial-of-service (DDoS) attack on DNS provider Dyn and the wave of ransom attacks on exposed MongoDB databases.
“While data breaches and cyber-related attacks have become more prevalent for individual businesses, concern about systemic cyber attacks is on the minds of those in the very community dedicated to analyzing and preventing this threat,” said Tracie Grella, global head of Cyber Risk Insurance for AIG, in an announcement last Wednesday.
The industries identified by experts as most likely to experience a systemic attack this year were financial services, internet infrastructure, the power grid and healthcare; attacks on these sectors would hit financial networks and transaction systems, core internet infrastructure, electricity supply and patient care. Information technology companies, including the software and hardware providers that support the backbone of the digital economy, were also seen as particularly susceptible.
“Our highly networked economy relies on secure, expedient and constant data flow and electronic communication,” said Grella. “Disruptions to the flow and security of data can have cascading impacts and negatively impact institutions that rely on such data.”
Asked to rank specific scenarios, respondents selected a mass-distributed DDoS attack on a major cloud provider as the most likely cross-sector mega event. For data theft or destruction scenarios, flaws in hardware or software widely used across an industry were of greatest concern.
The top three likely scenarios selected by experts were (sector; companies breached; impact; attack vector):
Financial services; 15 companies breached; mass business interruption; mass DDoS coordinated against financial institutions.
Healthcare; 10 companies breached (e.g., hospital, pharmacy, insurer); mass data theft; flaw in commonly used electronic medical record software.
Retail/hospitality; 25 companies breached; mass data theft; flaw in widely used payment processing software or hardware.
The worst-case scenarios that were of greatest concern include:
In December 2016, AIG surveyed 70 cybersecurity, technology and insurance professionals focused on cyber risk in the United States, United Kingdom and Continental Europe. Participants included chief information security officers, technology experts and forensic investigators as well as cyber researchers, academics, insurance brokers, underwriters and risk modelers.
Source: AIG Cyber Survey