WannaCry ransomware attacks could cost companies well over $81 billion
July 18, 2017
A recent study that aims to raise the profile of cyber insurance claims that cloud outages and ransomware outbreaks on the WannaCry scale could cost companies well over $81 billion, a lot more than natural disasters like 2012's Hurricane Sandy or 2005's Katrina.
But how did the authors arrive at these numbers? Cyence, a cyber-risk analytics platform, and Lloyd's of London, the world's largest insurance company, said they collaborated with a team of economic modellers and experts from the cybersecurity and cyber insurance industries in the hope that their findings will move the industry toward a standardised approach of measuring cyber risk.
The study accounted for everything from commonly adopted technologies used across industries to non-technical factors that vary widely like people and processes.
Underwriters from the Lloyd's Market Association also participated in a series of workshops to provide feedback and identify the direct implications for the emerging cyber insurance industry.
Cyence asserts that global losses from WannaCrypt will come out at over $82 billion compared to just $850 million from the NotPetya ransomware. Both outbreaks were enormously disruptive.
Considering that NotPetya also affected shipping giant Maersk and U.S. courier FedEx, losses of $850 million look mild while the WannaCry figures appear inflated. "I don't think there were more than 1 million computers infected so this would mean an average cost of more than $8,000 per infected PC," said Martijn Grooten, editor of industry journal Virus Bulletin.
"Even with a long list of infections that cost a lot, I find this figure rather implausible," he said.
In May, Cyence reportedly pegged WannaCry losses at about $4 billion, an estimate that had doubled by the end of May. Cyence itself suggested (with some confusion) that NotPetya might be bigger than WannaCry in the immediate aftermath of the attack two weeks ago.
To be honest, estimating cyber losses is a very inexact science. How can anyone accurately assess the global cost of cyber disruptions when even individual victims are unsure about the losses? The best you are going to get is an educated guesstimate. Some experts argue it would be better for individual companies to focus on their own risk assessment.
David Emm, principal security researcher at Kaspersky Lab, commented: "These are big numbers, but they don't mean much unless terms such as 'serious cyber attack' are quantified. How can we assess the global cost of an attack? It could mean anything from a temporary interruption of service to the takeover of customer systems, all with very different costs in and by themselves."
To be sure, Cyence and Lloyd's said the study was "designed to deepen insurers' and risk managers' understanding of cyber risk exposure to improve portfolio exposure management, set appropriate limits and expand confidently into this quickly growing line of insurance".
Taken separately, Lloyd's estimates the global cyber risk market is worth only between $3 billion and $3.5 billion.
Protection against all threats isn't a realistic goal, so more knowledgeable businesses are adopting a risk-mitigation approach, developing incident response capability as well as taking out cyber insurance protection.
The report ran the numbers on two devastating cyber calamity scenarios. In the first scenario, a group of "hacktivists" set out to disrupt cloud service providers' infrastructure to draw attention to the environmental impacts of cloud-based businesses.
The group inserts a malicious modification to an infrastructure's central coding system that can be exploited to trigger system-wide failures, leading to widespread service and business interruption. Cyence estimated global losses from such an event at about $53 billion in just two to three days.
In the second case, human error causes a zero-day vulnerability in widely used software to leak. Details are purchased on the dark web by criminals who develop exploits and target vulnerable businesses for financial gain.
Cyence estimates losses from such an attack could work out at over $28 billion. Only a small portion of these losses are currently insured, Cyence asserted. In the cloud services scenario, less than 20 percent would be covered, while less than 10 percent of the losses in the mass security vulnerability scenario would be covered.
Source: Cyence LLP.