In the nightmare scenario of a corporate cyberattack, the victim is not just one bank or power supply company but many attacked at the same time, and it could happen as early as this year, according to a new study from AIG.
Nine in 10 global cybersecurity and risk experts surveyed by AIG believe that cyber risk is systemic, and more than half said a systemic cyberattack on five to 10 companies is highly likely this year. More than one-third gave almost even odds of an attack on as many as 50 companies this year, and 20% gave similar odds for an attack on as many as 100 companies simultaneously.
“While data breaches and cyber-related attacks have become more prevalent for individual businesses, concern about systemic cyberattacks are on the minds of those in the very community dedicated to analyzing and preventing this threat,” said Tracie Grella, global head of cyber risk insurance at AIG.
Financial services was ranked as the industry most vulnerable to a systemic attack (19%) in the next 12 months followed by power/energy (15%), telecommunications/utilities (14%), health care (13%) and information technology (12%), according to the survey.
When asked more specifically about systemic cyberattack scenarios in the next 12 months, respondents gave top rankings to a simultaneous attack of 15 financial services firms that cuts off service (known as a distributed denial of service, or DDoS attack) and a simultaneous mass data theft of 10 health care companies (hospitals, pharmacies, insurers) due to flaws in electronic medical records software. On a scoring of 1-10 with 1 being the most likely, both received a 4.1 rating, suggesting better than even odds (59.9%) of happening this year.
An attack on a large cloud provider was seen as the most likely multi-industry attack over the next 12 months.
While those scenarios are very serious, they are not considered the worst case by survey respondents. Their worst case scenarios were cyber war games, leading to conventional battles between nation-states; a power grid attack during times of systemic stress, affecting a large population; and an attack on telecommunications and utilities infrastructure, impacting essential services.
In a recent Harvard Business Review article, MIT Professor Stuart Madnick, the academic director of the MIT Interdisciplinary Consortium for Improving Critical Infrastructure Cybersecurity, wrote, “The scenario of losing power for a long time — weeks or even months — is not unthinkable.” But in order for that and other systemic cyberattacks to occur, three conditions must be met, according to Madnick: opportunity, capability and motivation. There is currently plenty of opportunity and capability but motivation is limited because of the possibility of retaliation acts as a deterrent, wrote Madnick.
Still, he recommends “systems-level thinking about how everything is connected … Hospitals might have backup generators, but what about the supply line for refueling … the refueling stations need electricity to operate pumps, what is the plan? We need innovative, systems-level thinking — and a sense of urgency — to mitigate the impact of a major cyberattack. And we need it now.”
AIG, which sells insurance products for businesses and individuals to protect against cyberattacks, notes that “defenses must keep pace as cyber threats continue to advance and expand” and should include investments in security software and hardware, careful vetting of vendors and training on security practices, and insurance to mitigate impact the impact of cyberattacks.
— Related on ThinkAdvisor: