Global ransomware attack ‘could hit retail with $25bn losses’
Written by Hannah McGrath
A global ransomware attack affecting more than 600,000 businesses would hit the retail sector hardest and inflict damage worth $25 billion, according to a report which studied a hypothetical cyberattack as part of a risk management model.
The report, compiled by a group of leading insurance and risk modelling institutions, including Lloyd’s of London, Aon and the University of Cambridge, tested the potential impact of a ransomware attack in which malware is sent to a business via an infected phishing email, which is opened by one employee and from there automatically forwarded to all contacts.
The study modelled the impact of three outcomes for the ‘Bashe attack’ scenario, with the lowest scale of economic damage to the world economy resulting in $85 million of losses, the second in $159 billion of losses and the third and most extreme scenario in $193 billion.
According to the worst-case scenario modelled as part of the project, the virus spreads to infect the systems of 600,000 businesses worldwide and within minutes encrypts the data on 30 million devices, before the ringleaders demand a ransom to decrypt them, with a total of $193 billion of economic damage caused worldwide.
The report found particular vulnerability to ransomware attacks amongst sectors that were “highly dependent on connected and IT devices for revenue”, with retailers, who rely on digital supply chains, tills and payment systems, coming off worst.
Taking into account the current rates of businesses insured against cyberattacks, the report suggested that the global economy would be underprepared for such a scenario, with 86 per cent of the economic costs related to ransomware attacks uninsured, equivalent to an insurance gap of $166 billion.
On a sector-by-sector basis, the worst case of the three scenarios modelled predicted that 613,000 businesses would be affected by such an attack, with retail coming out worst hit in terms of economic loss ($25 billion), followed by healthcare ($25 billion) and manufacturing ($24 billion).
Other sectors include business and professional services ($20 billion), finance and banking ($17 billion) and tourism and hospitality ($17 billion).
On a regional basis, the US would be worst hit by such an attack, sustaining $89 billion of economic losses, followed by Europe at $76 billion, Asia at $19 billion and the rest of the world at $9 billion.
The after-effects of cleaning up a ransomware attack could last up to a year due to business interruption, the unavailability of IT systems or data; data and software loss due to wiped data; cyber extortion loss for ransom payments; incident response costs; and liability covering the cost of claims and technology errors arising from third parties.
Other after-effects include reduced productivity and consumption, IT clean-up costs, and supply chain disruption.
Trevor Maynard, head of innovation at Lloyd’s, said: “This report shows the increasing risk to businesses from cyber attacks as the global economy becomes more interconnected and reliant on technology.
“Companies must ensure they are better prepared for ransomware attacks, and that includes working with insurers to reduce the risks before they are attacked and ensure they have the right insurance cover in place to respond after the event - the reality for business is it’s not if you get attacked but when.”
Andrew Coburn, chief scientist at the Cambridge Centre for Risk Studies, said: “This report is intended to deepen the understanding of cyber risk liability and aggregation risk in the portfolios of insurers - we hope that this contribution will help improve the understanding of cyber risk and lead to better resilience to attacks like these in the future.”