Simultaneous attacks on multiple organizations are likely in 2017, according to an AIG report.
"Is cyber risk systemic?"
That's the question that was posed to experts in a new American International Group (AIG) report, and if recent events are any indication, the answer is yes.
The United Kingdom's National Health Service was crippled this month when a global ransomware attack—dubbed "WannaCry"—forced appointments and operations to be cancelled, hospitals to disconnect from email, IT systems to be shut off, and some facilities to turn patients away.
The cyberattack didn't target NHS directly, but still wreaked havoc, exploiting a vulnerability in Microsoft Windows. As result of this vulnerability, hundreds of thousands of computers in countries around the world were infected.
That's the kind of cyberattack AIG predicted in its report, which says that cyber risk is systemic and that simultaneous attacks on multiple organizations are likely in 2017.
The survey, which polled cybersecurity, technology, and insurance professionals in the United States, the United Kingdom, and Continental Europe, found that more than half of survey respondents said a simultaneous attack on five to 10 companies is highly likely in the next year.
More than one-third estimated the likelihood of a simultaneous attack on as many as 50 companies at greater than 50%. Some even predicted that as many as 100 companies could be attacked.
Judging by the WannaCry attack, experts on the high end of the predictions got it right.
According to media reports, as many as 40 organizations around the world were affected by the ransomware, and many of those are huge umbrella organizations for a number of others, such as NHS of England and Scotland and state governments in India.
"While data breaches and cyber-related attacks have become more prevalent for individual businesses, concern about systemic cyberattacks are on the minds of those in the very community dedicated to analyzing and preventing this threat," Tracie Grella, Global Head of Cyber Risk Insurance at AIG, said in a statement.
The AIG report also identified which industries it believes are most vulnerable to cyberattack. The healthcare industry was No. 4 in their top five.
The NHS spent many days updating and assisting its facilities, doctors, and patients who were affected by the attack. As of May 16—four days after the attack hit—two hospitals were still diverting patients.
NHS said it had been "working with 47 organisations providing urgent and emergency care who have been infected to varying degrees."
NHS also produced guidance for its organizations, which includes an explanation of patches and a technical guide to protect against cyberattacks, responses to FAQs about the attack, technical guidance on reconnecting to networks after the precautionary disconnection, and a confirmation that it is now safe to connect.
It also appears that for NHS facilities, the attack could have been prevented. In a statement reported by multiple media outlets, NHS Digital said that it had issued a targeted update to NHS staff in late April that included a patch to protect their systems.
Alexandra Wilson Pecci is an editor for HealthLeaders.
