Global ransomware attack could cost businesses almost $200bn, new study finds

29 January 2019

A global ransomware cyber-attack could cost $193bn and affect more than 600,000 businesses worldwide, according to a new report from the Cyber Risk Management (CyRiM) project, the Singapore-based public-private initiative that assesses cyber risks, of which Lloyd’s is one of the founding members. 

In the report’s scenario, the attack is launched through an infected email, which once opened is forwarded to all contacts and within 24 hours encrypts all data on 30 million devices worldwide. Companies of all sizes would be forced to pay a ransom to decrypt their data or to replace their infected devices. 

The report, ‘Bashe Attack: Global infection by contagious malware’, shows a ransomware attack on this scale would cause substantial economic damage to a wide range of business sectors through reduced productivity and consumption, IT clean-up costs, ransom payments and supply chain disruption. 

The scenario estimates that:

  • Retail and healthcare would be the most affected ($25bn each), followed by manufacturing ($24bn). 
  • Regionally, the US would be the hardest hit with $89bn at risk. Europe could lose $75bn, with Asia losing $18bn. The rest of the world could lose $8bn. 

Despite the high costs to business, the report shows the global economy is underprepared for such an attack with 86% of the total economic costs uninsured, leaving an insurance gap of $166bn. 

Among the key findings: 

  • The report challenges assumptions of global preparedness for a cyber-attack of this nature and scale. 
  • It highlights lessons for the insurance sector in terms of policy, legal and aggregation issues in cyber insurance offerings. 
  • It also identifies opportunities for insurers to expand their business in insurance classes associated with ransomware attacks. 

Alan J. Wilson, CEO of MSIG Asia, said “Asia is more connected than ever before but information on corporate cyber-attacks is not yet so widely available. This report illustrates the potential reach and impact of cyber-attacks which can serve as a useful guide for organisations and governments. MSIG is proud to play a part in this report as we believe that education on cyber risk should be an on-going effort in collaboration with academia, technology, insurers and governments, for us to build a more resilient society in the future.”

Dr Trevor Maynard, Head of Innovation at Lloyd’s, said: “This report shows the increasing risk to businesses from cyber-attacks as the global economy becomes more interconnected and reliant on technology. Companies must ensure they are better prepared for ransomware attacks, and that includes working with insurers to reduce the risks before they are attacked and ensure they have the right insurance cover in place to respond after the event. The reality for business is it’s not if you get attacked but when.”

Professor Shaun Wong, Director of the Insurance Risk and Finance Research Centre at Nanyang Technological University added: “We are pleased to collaborate with Cambridge University and CyRiM founding members on this groundbreaking research. Quantifying potential harm caused by cyber threats to corporations and their insurers has been a challenge due to lack of data. The “Bashe attack” report exemplifies a sound methodology of applying expert knowledge in estimating economic losses caused by contagious malware to sweep through many organisations. It sheds light on potential losses to insurers through both affirmative and non-affirmative covers.”

Dr Andrew Coburn, Chief Scientist at the Cambridge Centre for Risk Studies, said: “The scenario we have prepared with Lloyd’s, CyRiM and other contributors highlights the potential for loss that can occur from contagious malware attacks. It challenges assumptions about cyber preparedness and the adequacy of security measures that companies have in place. This report is intended to deepen the understanding of cyber risk liability and aggregation risk in the portfolios of insurers. We hope that this contribution will help improve the understanding of cyber risk and lead to better resilience to attacks like these in the future.”

Elizabeth Geary, Global Head of Cyber at TransRe, said “This research highlights the need to pay close attention to systemic risk across all lines of business, not just within the cyber tower. Malware respects no boundaries, whether geographic, industrial or legal. As companies increase their reliance on technology, it is essential they increase their defences against challenges such as malware, and effective cyber insurance is a critical component of that defence. Similarly, the insurance industry must also acknowledge and appreciate the potential for systemic risk, in addition to monitoring loss frequency and severity. This report seeks to quantify that systemic economic and insured impact. It represents an important step forward in our understanding, and provides a benchmark for business interruption and its associated costs”. 

Andrew Mahony, Regional Director for Aon, added: “The global WannaCry and NotPetya events of 2017 alerted organisations to their potential susceptibility to widespread cyber-attacks. There remains, however, a reluctance to move forward with the necessary risk prevention and transfer measures without a clear picture of the financial impact such an attack might cause. The Bashe report addresses this issue, demonstrating with precision how an attack unfolds and how it affects insureds and insurers. The report sets the standard that organisations should aspire to when assessing their own cyber exposure.” 

Sébastien Heon, Deputy Chief Underwriter Officer, Cyber Solutions at SCOR said: “We are delighted to contribute to the Bashe report, which expands the knowledge and understanding of widespread Cyber events – particularly exposure to Business Interruption as experienced during real-life incidents such as NotPetya and WannaCry. This report has brought together a multidisciplinary team of academic and (re)insurance industry experts from across the world, thereby providing a global view of cyber risk.”

Notes to editors 

  • ‘Bashe Attack: Global Infection by Contagious Malware’ is a joint report produced by the Cyber Risk Management (CyRiM) project led by Nanyang Technological University, in collaboration with industry partners and academic experts including Lloyd’s, a founding member of CyRiM. 
  • The Centre for Risk Studies at Cambridge University prepared the cyber risk scenario in the report based on detailed research in conjunction with Lloyd’s, CyRiM and other contributors. 
  • Ransomware is malware (malicious software) that threatens to destroy or block access to files unless a ransom is paid. 
  • The report analyses the costs of the scenario using three levels of severity. The numbers in this press release are based on the most severe version of the scenario. 
  • Cyber insurance covers a range of costs associated with ransomware attacks including: business interruption (the largest driver of total economic losses in this scenario); loss of productivity and consumption; IT clean-up costs and supply chain losses. 

About Lloyd’s

  • Lloyd’s is the world’s specialist insurance and reinsurance market – 
  • Led by expert underwriters and brokers in more than 200 territories, the Lloyd’s market develops the essential, complex and critical insurance needed to underwrite human progress. 
  • Backed by diverse global capital and excellent financial ratings, Lloyd’s works with a global network of over 4,000 insurance professionals to build resilience for businesses and local communities, and strengthen economic growth around the world. 
  • Lloyd’s underwrites approximately a third of the global cyber market, with 80% of that written in the US. 
  • Lloyd’s regularly publishes reports on cyber risk to inform customers on the latest developments. Recent studies available at include:
    • Business Blackout, which looks at the economic and insurance implications of a cyber-attack on the US power grid. 
    • Facing the Cyber Risk Challenge, which found that businesses are still complacent about how a data breach can impact them and how to prepare for it. 
    • Closing the Gap, which found that businesses could face a much higher bill than they expect or are prepared for after a cyber-attack. 

About CyRiM

  • The Cyber Risk Management (CyRiM) project is led by Nanyang Technological University – Insurance Risk and Finance Research Centre (NTU-IRFRC) in collaboration with industry partners and academic experts including the Cambridge Centre for Risk Studies. 
  • The project is overseen by a Project Oversight Board consisting of representatives from the Monetary Authority of Singapore (MAS), Cyber Security Agency of Singapore (CSA), NTU-IRFRC and CyRiM industry founding members. 
  • CyRiM industry founding members include Aon Centre for Innovation and Analytics, Lloyd’s - the specialist insurance and reinsurance market, MSIG, SCOR and TransRe. 
  • CyRiM is a pre-competitive research project that aims to foster an efficient cyber risk insurance market place through engaging industry and academic experts guided by government and policy level research. 
  • The CyRiM project will help Singapore become an industry centre of excellence on cyber risk and grow the cyber risk insurance market by promoting both the demand and supply of insurance coverage. 

About the Centre for Risk Studies at Cambridge Judge

  • The Centre for Risk Studies is a multidisciplinary centre of excellence at Cambridge University Judge Business School for the study of the management of economic and societal risks. 
  • The centre's focus is on the analysis, assessment and mitigation of global vulnerabilities for the advancement of political, business and individual decision makers. 

For more information, please contact the MSIG Asia communications team.