Canadian Underwriter
Simultaneous cyberattacks on multiple companies likely in 2017, financial services industry key concern: AIG study


May 11, 2017   by Canadian Underwriter



Nine in 10 global cybersecurity and risk experts believe that cyber risk is systemic and that simultaneous attacks on multiple companies are likely in 2017, according to a study issued on Wednesday by global insurer American International Group, Inc (AIG).

The survey found that industries most likely to face a systemic attack include financial services (19%), power/energy (15%), telecommunications/utilities (14%), healthcare (13%) and information technology (12%). For the survey, AIG polled 70 cybersecurity, technology and insurance professionals focused on cyber risk in the United States, United Kingdom and continental Europe to gain a deeper understanding of their views on the likelihood and impact of a systemic cyberattack.

“While the sample is small, it does represent a substantial set of key thought leaders and risk management experts in the cyber risk and cyber insurance fields,” AIG said in a press release. Recipients included chief information security officers, technology experts and forensic investigators as well as cyber researchers, academics, insurance brokers, underwriters and risk modellers.

More than half of respondents said that a “simultaneous attack on five to 10 companies is highly likely in the next year.” More than one-third of respondents put the likelihood of a simultaneous attack on as many as 50 companies at greater than 50%. Twenty per cent saw an even greater threat, predicting a “better than even” chance that as many as 100 companies will be attacked.

“While data breaches and cyber-related attacks have become more prevalent for individual businesses, concern about systemic cyberattacks is on the minds of those in the very community dedicated to analyzing and preventing this threat,” Tracie Grella, global head of cyber risk insurance with AIG, said in the release.

Within the industries most likely to experience a systemic attack (financial services, power/energy, telecommunications/utilities, healthcare and information technology), respondents identified financial networks and transaction systems, Internet infrastructure, the power grid and the healthcare system as the assets most exposed to such an attack. IT companies, including the software and hardware providers that support the backbone of the digital economy, were also seen as particularly susceptible, AIG reported.

“Our highly-networked economy relies on secure, expedient and constant data flow and electronic communication,” Grella said in the release. “Disruptions to the flow and security of data can have cascading impacts and negatively impact institutions that rely on such data.”

Asked to rank specific scenarios, respondents selected a mass distributed DDoS attack on a major cloud provider as the most likely “cross-sector mega event.” For data theft or destruction scenarios, flaws in hardware or software widely used by the industry are most concerning.

The top three likely scenarios selected by experts are:

  • Financial Services – 15 companies breached; mass business interruption; mass DDoS coordinated against financial institutions;
  • Healthcare – 10 companies breached (for example, hospital, pharmacy and insurer); mass data theft; flaw in commonly used electronic medical record software; and
  • Retail/hospitality – 25 companies breached; mass data theft; flaw in widely used payment processing software/hardware.

The worst-case scenarios of greatest concern, according to AIG, include:

  • Cyber “cat-and-mouse war games,” retaliation, and escalation to conventional battle between prominent nation states;
  • A power grid attack during times of system stress with widespread impact on the population; and
  • A significant attack on telecommunications and utilities infrastructure that has a widespread impact on essential services.