In the nightmare scenario of a corporate cyberattack, the victim is not just one bank or power supply company but many attacked at the same time, and it could happen as early as this year, according to a new study from AIG.
Nine in 10 global cybersecurity and risk experts surveyed by AIG believe that cyber risk is systemic, and more than half said a systemic cyberattack on five to 10 companies is highly likely this year. More than one-third gave almost even odds of an attack on as many as 50 companies this year, and 20% gave similar odds for an attack on as many as 100 companies simultaneously.
“While data breaches and cyber-related attacks have become more prevalent for individual businesses, concern about systemic cyberattacks are on the minds of those in the very community dedicated to analyzing and preventing this threat,” said Tracie Grella, global head of cyber risk insurance at AIG.
Financial services was ranked as the industry most vulnerable to a systemic attack (19%) in the next 12 months followed by power/energy (15%), telecommunications/utilities (14%), health care (13%) and information technology (12%), according to the survey.
When asked more specifically about systemic cyberattack scenarios in the next 12 months, respondents gave top rankings to a simultaneous attack of 15 financial services firms that cuts off service (known as a distributed denial of service, or DDoS attack) and a simultaneous mass data theft of 10 health care companies (hospitals, pharmacies, insurers) due to flaws in electronic medical records software. On a scoring of 1-10 with 1 being the most likely, both received a 4.1 rating, suggesting better than even odds (59.9%) of happening this year.
An attack on a large cloud provider was seen as the most likely multi-industry attack over the next 12 months.