Filed Under:Risk Management, Cybersecurity

Mega-Cyber Attacks in the Cards?

Financial services companies are most vulnerable, says AIG survey

In the nightmare scenario of a corporate cyber attack, the victim is not just one bank or power supply company but many attacked at the same time — and it could happen as early as this year, according to a new study from AIG.

Nine in 10 global cybersecurity and risk experts surveyed by AIG believe that cyber risk is systemic, and more than half said a systemic cyber attack on five to 10 companies is highly likely this year. More than one-third gave almost even odds of an attack on as many as 50 companies this year, and 20% gave similar odds for an attack on as many as 100 companies simultaneously.

Concern about Systemic Cyber Attacks

“While data breaches and cyber-related attacks have become more prevalent for individual businesses, concern about systemic cyber attacks are on the minds of those in the very community dedicated to analyzing and preventing this threat,” said Tracie Grella, global head of cyber risk insurance at AIG.

Financial services was ranked as the industry most vulnerable to a systemic attack (19%) in the next 12 months followed by power/energy (15%), telecommunications/utilities (14%), health care (13%) and information technology (12%), according to the survey.

When asked more specifically about systemic cyber attack scenarios in the next 12 months, respondents gave top rankings to a simultaneous attack of 15 financial services firms that cuts off service (known as a distributed denial of service, or DDoS attack) and a simultaneous mass data theft of 10 health care companies (hospitals, pharmacies and insurers) due to flaws in electronic medical records software. On a scoring of 1 to 10 with 1 being the most likely, both received a 4.1 rating, suggesting better than even odds (59.9%) of an event happening this year.

An attack on a large cloud provider was seen as the most likely multi-industry attack over the next 12 months.

Worst Case: Cyber War

Although those scenarios are very serious, they’re not even considered the worst case by survey respondents. Their worst case scenarios were cyber war games, leading to conventional battles between nation-states; a power grid attack during times of systemic stress, affecting a large population; and an attack on telecommunications and utilities infrastructure, impacting essential services.

In a recent Harvard Business Review article, MIT Professor Stuart Madnick, the academic director of the MIT Interdisciplinary Consortium for Improving Critical Infrastructure Cybersecurity, wrote, “The scenario of losing power for a long time — weeks or even months — is not unthinkable.” But for that and other systemic cyber attacks to occur, three conditions must be met, according to Madnick: opportunity, capability and motivation. There is currently plenty of opportunity and capability, but motivation is limited because the possibility of retaliation acts as a deterrent, wrote Madnick.

Still, he recommends, “systems-level thinking about how everything is connected. … Hospitals might have backup generators, but what about the supply line for refueling … the refueling stations need electricity to operate pumps, what is the plan? We need innovative, systems-level thinking — and a sense of urgency — to mitigate the impact of a major cyber attack. And we need it now.”

AIG, which sells insurance products for businesses and individuals to protect against cyber attacks, notes that “defenses must keep pace as cyber threats continue to advance and expand” and should include investments in security software and hardware, careful vetting of vendors and training on security practices, and insurance to mitigate the impact of cyber attacks.

Related

5 key takeaways from NTT Security's 2017 Global Threat Intelligence Report

NTT Security's 2017 Global Threat Intelligence Report aims to provide a long-term strategy for keeping data safe.

Featured Video

Most Recent Videos

Video Library ››

Top Story

What if Hurricane Andrew happened today?

A new report from Swiss Re postulates what the insured losses would be if a storm like 1992’s Hurricane Andrew were to barrel through South Florida in 2017.

Top Story

9 solar eclipse safety tips & risk concerns you need to know for Aug. 21

An estimated 500 million people across North America will be impacted as the moon passes between the sun and Earth in the 70-mile wide path of the total eclipse on Aug. 21, 2017.

More Resources

Comments

eNewsletter Sign Up

PropertyCasualty360 Daily eNews

Get P&C insurance news to stay ahead of the competition in one concise format - FREE. Sign Up Now!

Mobile Phone

Advertisement. Closing in 15 seconds.