New Lloyd’s Report: Global Infection by Contagious Malware

What if a malware event went global? I mean really global, spreading much further than previous outbreaks such as the WannaCry ransomware in 2017. Thankfully that outbreak fell short of its potential.

IT professionals strive to defend their business. We are pressured to act, not necessarily to worry about how or why we were infected, and even less about whether we passed the infection on to someone else. Let’s be frank: the odds are that the next major malware event will reach you through a third party that you do business with and rely on.

So when Lloyd’s new report, ‘Bashe attack: Global infection by contagious malware’, dropped into my in-box, I was curious to find out what they had learnt from the exercise.

It is the first of two joint reports produced by the Cyber Risk Management (CyRiM) project led by Nanyang Technological University, in collaboration with Lloyd’s - the specialist insurance and reinsurance market.

The report models an attack that spreads across the world in minutes: a hypothetical scenario in which hundreds of thousands of companies’ devices are infected by ransomware. The authors also explore what the impact would be on businesses and on the insurance sector.

The severity of malware attacks

According to the scenario authors: “The malware enters company networks through a malicious email, which, once opened, encrypts all the data on every device connected to the network. The email is forwarded to all contacts automatically to infect the greatest number of devices. Companies of all sizes and in all sectors are forced to pay a ransom to decrypt their data or to replace their infected devices.”
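To make the propagation mechanism in that scenario concrete, here is an added example of my own (not code from the report, Lloyd’s or CyRiM) that runs over a constructed mail-gateway log. It flags accounts that send one attachment to many distinct recipients inside a short window, the signature of the automatic forwarding the scenario describes, and traces the attachment hop by hop from its first sender so the blast radius of a given patient zero can be read off. The log format, account names, attachment hashes, threshold and window are all assumptions made up for the example.

```python
"""Spotting worm-like mail propagation in gateway logs (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample gateway log, not taken from the report.
# Format: timestamp|sender|recipient|attachment_sha256 ('-' = no attachment).
# 'a1b2c3d4' stands in for the malicious attachment, '9f8e7d6c' for a benign one.
SAMPLE_LOG = """\
2019-01-15T08:00:00|mallory@evil.example|alice@acme.example|a1b2c3d4
2019-01-15T08:01:00|alice@acme.example|bob@acme.example|a1b2c3d4
2019-01-15T08:01:01|alice@acme.example|carol@acme.example|a1b2c3d4
2019-01-15T08:01:02|alice@acme.example|dave@acme.example|a1b2c3d4
2019-01-15T08:01:03|alice@acme.example|erin@partner.example|a1b2c3d4
2019-01-15T08:01:04|alice@acme.example|frank@partner.example|a1b2c3d4
2019-01-15T08:01:05|alice@acme.example|grace@acme.example|a1b2c3d4
2019-01-15T08:02:00|carol@acme.example|dave@acme.example|9f8e7d6c
2019-01-15T08:03:00|bob@acme.example|heidi@acme.example|a1b2c3d4
2019-01-15T08:03:01|bob@acme.example|ivan@acme.example|a1b2c3d4
2019-01-15T08:03:02|bob@acme.example|judy@partner.example|a1b2c3d4
2019-01-15T08:03:03|bob@acme.example|ken@acme.example|a1b2c3d4
2019-01-15T08:03:04|bob@acme.example|laura@acme.example|a1b2c3d4
2019-01-15T09:30:00|alice@acme.example|bob@acme.example|-
"""


def parse_log(text):
    """Parse pipe-separated log lines into dicts; '-' attachments become None."""
    events = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, sender, rcpt, att = line.split("|")
        events.append({
            "ts": datetime.fromisoformat(ts),
            "sender": sender,
            "rcpt": rcpt,
            "attachment": None if att == "-" else att,
        })
    return events


def find_mass_forwarders(events, threshold=5, window=timedelta(minutes=10)):
    """Flag (sender, attachment) pairs that reached >= threshold distinct
    recipients inside any sliding window (assumed tuning values).
    Returns {(sender, attachment): max distinct recipients seen in a window}."""
    by_key = defaultdict(list)
    for e in events:
        if e["attachment"]:
            by_key[(e["sender"], e["attachment"])].append(e)
    hits = {}
    for key, evs in by_key.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            rcpts = {e["rcpt"] for e in evs[start:end + 1]}
            if len(rcpts) >= threshold:
                hits[key] = max(hits.get(key, 0), len(rcpts))
    return hits


def propagation_generations(events, attachment):
    """Trace one attachment hop by hop: the earliest sender is generation 0 and
    every account that first receives it from a generation-n account is n+1.
    Accounts that only received it are included, which is the list to triage
    before they become the next forwarders."""
    evs = sorted((e for e in events if e["attachment"] == attachment),
                 key=lambda e: e["ts"])
    if not evs:
        return {}
    gen = {evs[0]["sender"]: 0}
    for e in evs:
        if e["sender"] in gen and e["rcpt"] not in gen:
            gen[e["rcpt"]] = gen[e["sender"]] + 1
    return gen


def forwarders(events, attachment):
    """Accounts that both received and re-sent the attachment: the chain's spreaders."""
    gen = propagation_generations(events, attachment)
    senders = {e["sender"] for e in events if e["attachment"] == attachment}
    return sorted(a for a in senders if gen.get(a, 0) > 0)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for (sender, att), n in sorted(find_mass_forwarders(evs).items()):
        print(f"mass forward: {sender} sent {att} to {n} recipients")
    for acct, g in sorted(propagation_generations(evs, "a1b2c3d4").items(),
                          key=lambda kv: kv[1]):
        print(f"generation {g}: {acct}")
```

On the sample log this flags alice (six recipients in five seconds) and bob (five), and places mallory at generation 0, alice at 1, bob at 2 and bob's recipients at 3. In production the threshold and window need a baseline per sender population: marketing and HR accounts legitimately send one attachment to hundreds of people, so an allow-list or per-sender history is needed to keep the rule from firing on a newsletter.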

The estimated economic damage ranges from $85 billion (in the least severe scenario variant, S1) to $193 billion (in the most severe variant, X1).

In the S1 scenario, retail suffers the highest total economic loss globally ($15 billion), followed by healthcare ($10 billion) and manufacturing ($9 billion). In X1 retail and healthcare would be the most affected ($25 billion each), followed by manufacturing ($24 billion).

Who is most vulnerable?

As an IT business resilience specialist I was interested, though not particularly surprised, to read that retail is hit hardest because the malware’s encryption of payment systems in traditional retail outlets causes a significant decline in sales revenue. The same goes for healthcare, which is impacted because the malware penetrates legacy systems running on old healthcare IT equipment.

The history of cyber disasters is littered with examples of healthcare providers succumbing to attacks. They make a good target: constrained funding and limited IT focus mean they often have laxer information security standards and rarely have a recovery plan. As anyone at Fifth Step can tell you, legacy healthcare systems are fiendishly difficult to clean up and patch, and replacing them is labour intensive and costly. Healthcare has always been vulnerable to infection because low IT investment leaves legacy infrastructure exposed to malware, a direct result of sweating assets and poor control around system updates and patching.

Manufacturing, regional losses and the insurance bill

The report also says that the manufacturing sector suffers significant revenue loss because the malware encrypts manufacturing equipment, which halts production. By location, the region with the highest total economic loss is the US, followed by Europe, Asia and the rest of the world.

The report explains: “The scenario shows that during and after such an attack insurance claims would be made for Business Interruption, Contingent Business Interruption, Cyber Extortion, Incident Response Costs, Personal Cyber along with Liability. The total estimated claims paid by the insurance industry in this scenario range from $10 billion in S1 to $27 billion in X1 (where the loss of data from the malware triggers additional claims of data and software loss).

“A comparison of the insurance losses with the total economic losses and the 2019 estimated total global cyber insurance premium puts these losses in context. Comparing the insurance loss estimates to the economic losses shows insurance industry losses are between 9% and 14% of the total economic loss, which shows there are high levels of underinsurance for this type of cyber-attack.”

More specifically, the report struck a chord with me as an IT professional when it observed that companies in sectors that are highly dependent on connected IT devices for revenue are directly impacted by ransomware attacks. The business interruption loss could be due to the unavailability of IT systems or data, which, in today’s GDPR world, could result in an even larger loss of profits and extra expense. Then there would be the data and software loss from reconstituting encrypted and wiped data.


Operational Resilience is key

Incident response costs are also highlighted as an issue. As my colleague Darren Wray has written in the past (NIST Incident Response and Cover Phases blog), the NIST Cybersecurity Framework is a good guide to recovery in the wake of a cyber incident. According to NIST, the Recover function should develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cyber security event; it supports timely recovery to normal operations to reduce the impact of such an event. Incident response plans (IRPs) are increasingly mentioned and required by regulators, and Lloyd’s Minimum Standards also have them in their sights.

The report also mentions companies that are indirectly affected: those not hit by the ransomware themselves but impacted by third-party IT failure and supply chain disruption. This should be a major source of concern for IT departments. If vendor management is the potential weak link in your digital supply chain, then this short Know Your Vendor Fifth Step YouTube video offers some answers to an IT leader’s questions on the subject. In a nutshell, however, Know Your Vendor, which is effectively managing supply chain risk, starts with knowing who is in your extended vendor network.

To be assured, Insure

The report explains that an effective response capability for contagious malware is a key part of business operations, and recommends working more closely with insurers to develop cyber defence strategies.

There are also lessons for the insurance sector, as the report highlights potential insurance policy, legal and aggregation issues in cyber insurance offerings. Insurers should make explicit allowance for aggregating cyber-related catastrophes. To achieve this, data collection and data quality are important, especially as cyber risks are constantly changing.

I will leave the last words to the report’s conclusion: “The expansion of the cyber insurance market is both necessary and inevitable. Scenarios such as the ‘Bashe Attack’ help insurers expand their view of cyber risks ahead of the next event and help them create new products and services that make businesses and communities more resilient.”

Wayne Jolly