Data security disruptions can have cascading negative impacts

Nine in 10 global cybersecurity and risk experts believe that cyber risk is systemic and that simultaneous attacks on multiple companies are likely in 2017, according to AIG.

More than half of survey respondents say a simultaneous attack on five to 10 companies is highly likely in the next year. More than one-third estimate the likelihood of a simultaneous attack on as many as 50 companies at greater than 50 percent. Twenty percent see an even greater threat, predicting a better than even chance that as many as 100 companies will be attacked.

“While data breaches and cyber related attacks have become more prevalent for individual businesses, concern about systemic cyber-attacks are on the minds of those in the very community dedicated to analyzing and preventing this threat,” said Tracie Grella, Global Head of Cyber Risk Insurance, AIG.

Industries under attack

The leading industries identified by experts as most likely to experience a systemic attack this year are:

• Financial Services (19 percent)
• Power/Energy (15 percent)
• Telecommunications/Utilities (14 percent)
• Healthcare (13 percent)
• Information Technology (12 percent).

Financial networks or transaction systems, internet infrastructure, the power grid, and the healthcare system would be vulnerable in attacks on these industries. Information technology companies, including software and hardware providers that support the backbone of the digital economy, were also seen as particularly susceptible.

“Our highly-networked economy relies on secure, expedient, and constant data flow and electronic communication,” said Ms. Grella. “Disruptions to the flow and security of data can have cascading impacts and negatively impact institutions that rely on such data.”

Specific scenarios

Asked to rank specific scenarios, respondents selected a mass distributed DDoS attack on a major cloud provider as the most likely cross-sector mega event. For data theft or destruction scenarios, flaws in hardware or software widely used by the industry are most concerning.

The top three likely scenarios selected by experts are:

Financial services. 15 companies breached. Mass business interruption. Mass DDoS coordinated against financial institutions.

Healthcare. 10 companies breached (e.g., hospital, pharmacy, insurer). Mass data theft. Flaw in commonly used electronic medical record software.

Retail/hospitality. 25 companies breached. Mass data theft. Flaw in widely used payment processing software/hardware.

The worst-case-scenarios that were of greatest concern include:

• Cyber cat-and-mouse war games, retaliation, and escalation to conventional battle between prominent nation states.
• A power grid attack during times of system stress with widespread impact on the population.
• A significant attack on telecommunications and utilities infrastructure that has a widespread impact on essential services.