In the nightmare scenario of a corporate cyberattack, the victim is not just one bank or power supply company but many attacked at the same time, and it could happen as early as this year, according to a new study from AIG.

Nine in 10 global cybersecurity and risk experts surveyed by AIG believe that cyber risk is systemic, and more than half said a systemic cyberattack on five to 10 companies is highly likely this year. More than one-third gave almost even odds of an attack on as many as 50 companies this year, and 20 percent gave similar odds for an attack on as many as 100 companies simultaneously.

Concern about systemic cyberattacks

"While data breaches and cyber-related attacks have become more prevalent for individual businesses, concern about systemic cyberattacks are on the minds of those in the very community dedicated to analyzing and preventing this threat," said Tracie Grella, global head of cyber risk insurance at AIG.

Financial services was ranked as the industry most vulnerable to a systemic attack (19 percent) in the next 12 months, followed by power/energy (15 percent), telecommunications/utilities (14 percent), health care (13 percent) and information technology (12 percent), according to the survey.

When asked more specifically about systemic cyberattack scenarios in the next 12 months, respondents gave top rankings to a simultaneous attack of 15 financial services firms that cuts off service (known as a distributed denial of service, or DDoS attack) and a simultaneous mass data theft of 10 health care companies (hospitals, pharmacies, insurers) due to flaws in electronic medical records software. On a scoring of 1-10 with 1 being the most likely, both received a 4.1 rating, suggesting better than even odds (59.9 percent) of happening this year.

An attack on a large cloud provider was seen as the most likely multi-industry attack over the next 12 months.

Worst case: cyber war

While those scenarios are very serious, they are not considered the worst case by survey respondents. Their worst case scenarios were cyber war games, leading to conventional battles between nation-states; a power grid attack during times of systemic stress, affecting a large population; and an attack on telecommunications and utilities infrastructure, impacting essential services.

In a recent Harvard Business Review article, MIT Professor Stuart Madnick, the academic director of the MIT Interdisciplinary Consortium for Improving Critical Infrastructure Cybersecurity, wrote, "The scenario of losing power for a long time — weeks or even months — is not unthinkable." But in order for that and other systemic cyberattacks to occur, three conditions must be met, according to Madnick: opportunity, capability and motivation. There is currently plenty of opportunity and capability, but motivation is limited because the possibility of retaliation acts as a deterrent, wrote Madnick.

Innovative thinking needed to mitigate impact of major cyberattack

Still, he recommends "systems-level thinking about how everything is connected … Hospitals might have backup generators, but what about the supply line for refueling … the refueling stations need electricity to operate pumps, what is the plan? We need innovative, systems-level thinking — and a sense of urgency — to mitigate the impact of a major cyberattack. And we need it now."

AIG, which sells insurance products for businesses and individuals to protect against cyberattacks, notes that "defenses must keep pace as cyber threats continue to advance and expand" and should include investments in security software and hardware, careful vetting of vendors and training on security practices, and insurance to mitigate the impact of cyberattacks.
