In the nightmare scenario of a corporate cyber attack, the victim is not just one bank or power supply company but many attacked at the same time — and it could happen as early as this year, according to a new study from AIG.
Nine in 10 global cybersecurity and risk experts surveyed by AIG believe that cyber risk is systemic, and more than half said a systemic cyber attack on five to 10 companies is highly likely this year. More than one-third gave almost even odds of an attack on as many as 50 companies this year, and 20% gave similar odds for an attack on as many as 100 companies simultaneously.
Concern about Systemic Cyber Attacks
“While data breaches and cyber-related attacks have become more prevalent for individual businesses, concern about systemic cyber attacks are on the minds of those in the very community dedicated to analyzing and preventing this threat,” said Tracie Grella, global head of cyber risk insurance at AIG.
Financial services was ranked as the industry most vulnerable to a systemic attack (19%) in the next 12 months followed by power/energy (15%), telecommunications/utilities (14%), health care (13%) and information technology (12%), according to the survey.
When asked more specifically about systemic cyber attack scenarios in the next 12 months, respondents gave top rankings to a simultaneous attack of 15 financial services firms that cuts off service (known as a distributed denial of service, or DDoS attack) and a simultaneous mass data theft of 10 health care companies (hospitals, pharmacies and insurers) due to flaws in electronic medical records software. On a scoring of 1 to 10 with 1 being the most likely, both received a 4.1 rating, suggesting better than even odds (59.9%) of an event happening this year.
An attack on a large cloud provider was seen as the most likely multi-industry attack over the next 12 months.
Worst Case: Cyber War
Although those scenarios are very serious, they’re not even considered the worst case by survey respondents. Their worst case scenarios were cyber war games, leading to conventional battles between nation-states; a power grid attack during times of systemic stress, affecting a large population; and an attack on telecommunications and utilities infrastructure, impacting essential services.
In a recent Harvard Business Review article, MIT Professor Stuart Madnick, the academic director of the MIT Interdisciplinary Consortium for Improving Critical Infrastructure Cybersecurity, wrote, “The scenario of losing power for a long time — weeks or even months — is not unthinkable.” But for that and other systemic cyber attacks to occur, three conditions must be met, according to Madnick: opportunity, capability and motivation. There is currently plenty of opportunity and capability, but motivation is limited because the possibility of retaliation acts as a deterrent, wrote Madnick.
Still, he recommends, “systems-level thinking about how everything is connected. … Hospitals might have backup generators, but what about the supply line for refueling … the refueling stations need electricity to operate pumps, what is the plan? We need innovative, systems-level thinking — and a sense of urgency — to mitigate the impact of a major cyber attack. And we need it now.”
AIG, which sells insurance products for businesses and individuals to protect against cyber attacks, notes that “defenses must keep pace as cyber threats continue to advance and expand” and should include investments in security software and hardware, careful vetting of vendors and training on security practices, and insurance to mitigate the impact of cyber attacks.