On October 29, the global insurance market Lloyd’s announced that the University of Cambridge Centre for Risk Studies released a report showing that a single attack on major ports across the Asia-Pacific region “could cost $110 billion, which is roughly equivalent to half of all losses from natural catastrophes globally in 2018.” The Centre produced the report – titled “Shen attack: Cyber risk in Asia Pacific ports” — on behalf of the Cyber Risk Management (CyRiM) project, a Singapore-based public-private initiative that assesses cyber risks of which Lloyd’s is a founding member.
The report was based on a hypothetical scenario in which a computer virus infects 15 ports across Japan, Malaysia, Singapore, South Korea and China.” Such a cyberattack, the report stated,
via a computer virus carried by ships could scramble the cargo database records at major ports and lead to severe disruption . . . . Although the virus only directly affects ports in Asia-Pacific, economic losses would be felt around the world due to the global interconnectivity of the maritime supply chain.
An attack of this scale targeted at ports would cause substantial economic damage to a wide range of businesses through reduced productivity and consumption, incident response costs, and supply chain disruption.
The report also estimated two categories of losses:
- The transportation, aviation, and aerospace sectors would be the most affected (with total economic losses of $28.2 billion), followed by the manufacturing and retail sectors (with total losses of $23.6 billion and $18.5 billion, respectively).
- “Productivity losses would affect each country that has bilateral trade with the attacked ports.” Asia would be the worst affected region (with total indirect losses of up to $27 billion), followed by Europe (indirect losses of $623 million) and North America ($266 million).
Other key findings in the report included the following:
- “The transportation sector in Singapore would take the biggest economic hit, followed by the same sector in South Korea.
- “‘Business interruption’ and ‘contingent business interruption’ insurance coverages would be the main drivers of the insured losses (60% of the loss in the most extreme version of the scenario).”
- “Non-affirmative cyber, meaning cyber risk that is not explicitly mentioned in an insurance policy, would account for up to 57% of the total insured losses.”
- “Insurance claims would arise from port operators (50% of insured losses), companies along the supply chain (21% of insured losses), and logistics and cargo handling companies (16% of insured losses).”
- “There are opportunities for insurers and policyholders to expand their view of cyber risks ahead of the next event and the report helps to inform in a way to support new products, services and mitigation strategies that make businesses and communities more resilient.”
Finally, the report made clear that “the global economy is underprepared for such an attack, as 92 percent of the total economic costs would be uninsured, leaving an insurance gap of $101 billion.
N.B.: While Lloyd’s termed the report’s scenario “an extreme scenario,” the number of instances over the last decade in which state actors or surrogates thereof have carried our devastating cyberattacks suggest that the scenario is, regrettably, entirely plausible. Information-security, strategic-risk, and political-risk teams at companies doing business in the Asia-Pacific region should take the time to read the complete report, and to use its findings as a basis for reviewing the adequacy of their firms’ current cyber-risk insurance coverage.