In a globally interconnected world, in which supply chains extend across both countries and continents, it only makes sense to consider the potential risks to those supply chains from a massive cyber attack. What happens, for example, if malicious threat actors decide to launch a cyber attack against the maritime ports of the Asia-Pacific region, which is home to 9 of the world’s top 10 container ports? Insurance company Lloyd’s of London, in partnership with the University of Cambridge Centre for Risk Studies and the Cyber Risk Management (CyRiM) project at Singapore’s Nanyang Technological University, has simulated such a theoretical attack, and projected that the cost of cyber attack could reach $110 billion in a worst-case scenario.
Cyber catastrophes vs. natural catastrophes
To put that figure into context, $110 billion is approximately one-half of the insured losses due to natural catastrophes in 2018. Last year, 394 different natural catastrophes around the world resulted in over $225 billion in insured losses. A single cyber attack has the potential to wreak a similar amount of damage, says Lloyd’s of London, which also points to the high rates of underinsurance in the Asia-Pacific region. The logic is clear: maritime port cities in the Asia-Pacific region need to take the threat of a cyber catastrophe just as seriously as they would take the risk of a natural catastrophe (such as a deadly typhoon).
And, yet, the region is dangerously underinsured for such a reality. Lloyd’s has crunched the numbers and found that 92% of all losses resulting from a cyber attack would not be insured. Using the $110 billion cost of cyber attack as a baseline, Lloyd’s has calculated that the “insurance gap” in the region is close to $101 billion. (Obviously, Lloyd’s of London would be one of the insurance giants that firms in the region might call on to address these high levels of underinsurance.)
The Shen cyber attack scenario
In coming up with the $110 billion cost of cyber attack, the researchers modeled three different scenarios – a base-case scenario, a best-case scenario and a worst-case scenario. The $110 billion cost of cyber attack represents an “extreme” worst-case scenario. The researchers referred to this as the Shen attack scenario.
In such a scenario, a software virus would infect 15 major ports across 5 different Asian markets: Singapore, South Korea, China, Japan and Malaysia. A virus affecting the computer systems of cargo transport ships would spread to the computer networks of these major port cities. The malware would scramble cargo database logs and cause all sorts of chaos. This would lead to major disruptions in not just the delivery of cargo to the ports, but also disruptions to the supply chains that are waiting to take all this valuable cargo and send it around the world.
Given the global nature of modern supply chains, a disruption in the all-important Asia-Pacific market would be felt around the world, as a sort of ripple effect. According to the researchers, Singapore’s transport sector would take the biggest hit, followed by the transport sector in South Korea. However, effects would be felt as far away as Europe and North America, further adding to the overall cost of cyber attack.
Calculating the cost of cyber attack
In deriving the cost of cyber attack, the researchers calculated the cost of cyber attack by region, by economic sector, and by stage along the supply chain. For obvious reasons, the transportation, aviation and aerospace sectors would take the biggest hit ($28.2 billion), followed by the manufacturing sector ($23.6 billion) and the retail sector ($18.5 billion). In terms of supply chain losses, the report estimates that port operators would be responsible for half of all insurance claims, followed by businesses along the supply chain (21%) and logistics and cargo handling companies (16%).
The longer any cargo gets tied up in the Asia-Pacific port cities, the worse will be the impact on each of these sectors. To model this risk, the researchers considered the “indirect” cost of cyber attack, as measured by losses in productivity and losses in bilateral trade. In practical terms, it means that a manufacturer urgently waiting for a supply of parts would experience a slowdown (or perhaps shutdown) in operations. And retailers waiting for finished manufactured goods would also be put into wait-and-see mode, as they might need to consider alternate supply sources. In Asia, these indirect economic losses would be close to $27 billion. In Europe, these indirect losses would be close to $623 million, while in North America, losses would be in the neighborhood of $266 million.
Preparing for cyber attack
Of course, the Shen attack scenario outlined in the report only represents an estimated cost of cyber attack. To this date, such a massive attack has never taken place. However, as Lloyd’s of London points out, there are two critical factors that must be taken into account: the world’s aging shipping infrastructure (which is more vulnerable to attack than ever before) and the global complex supply chain (which vastly complicates the impact of any cyber attack).
Also, with more technology and more automation comes more risk. The increasing application of technology comes with both costs and benefits. Seafaring ships from a hundred years ago did not have to deal with computer systems onboard, but today’s ships do. And major shipping management companies now invest in expensive port management software. That makes them a potential weak point that is vulnerable to hackers.
There are a variety of steps that companies can take to prepare for a cyber attack. One of these, of course, is to purchase an insurance policy that insulates them from the cost of cyber attack. (Since Lloyd’s of London co-wrote the report, you can presume that this is a preferable outcome) Another step, though, is to invest in new technologies and tools that are designed to protect assets from the risk of cyber attack in the first place.
Cyber risk, as Lloyd’s of London correctly points out, is a “critical and complex challenge.” As a result, those on the front lines of a potential cyber attack – such as port operators and logistics firms – should be taking steps now to protect themselves from a destructive cyber attack in the future.