The economic consequences of coordinated cyber-attacks

Cyberattacks are a persistent threat globally, for governments, companies, and individuals alike. Public acknowledgment of a breach typically carries significant reputational damage in addition to losses from stolen data and intellectual property, damaged systems. As a result, many of these events can fly under the radar.

Research suggests that the number of cyberattacks increased from 2021 to 2022. The Voice of the Enterprise (VotE): Information Security study on endpoint security reflects this escalation in the number of ransomware attacks, with 18% of survey respondents reporting a ransomware attack against their enterprise in the last 12 months, considerably up from the approximately 10% that reported the same for the prior three years. Furthermore, the US Treasury Department reported a loss of $1.2 billion to US financial institutions in 2021, almost tripling its 2020 level of $416 million.

The impact on private sector companies is hard to underestimate. The 2022 VotE: Information Security, Endpoint Security study split a survey sample by those security leaders and professionals who reported experiencing a ransomware event and those who had not. The first group was asked how they responded to the event and potential outcomes, and the second group was asked how they would most likely respond. The most pronounced difference was that only 7% of those who had not experienced a ransomware event say they would pay a ransom, where in reality 22% of victims did pay. By comparison, in 2018, only 2% of survey respondents reported paying.

The world's seaports are one of the global economy's principal vulnerabilities as they can act as enablers of shocks that may spread globally.

The Port of Los Angeles, the busiest port in the Western hemisphere, experiences an average of 40 million cyber-attacks a month — almost double the attacks experienced before the COVID-19 pandemic. To counter this, it created the Cyber Resilience Center to coordinate its cyber defense along with the FBI.

In Europe, ransomware attacks on ports and terminals in Germany, Belgium, and Netherlands in January and February 2022 brought further light to the risks of further supply chain disruptions if multiple hubs are disrupted simultaneously.

A case of a small economy being targeted by subsequent ransomware attacks is Costa Rica, which was first attacked in April 2022 then again in May 2022, impacting 27 government ministries and leading to significant disruptions in its import/export flows with estimated losses of US $38 million a day. It took 10 days to implement a manual system of paper and pen that, when put into place, was significantly more burdensome and continued to cause delays and losses months after the initial attack.

Whether in a big or small economy, disruptions to ports from a cyberattack unavoidably add pressure to prices, snarling supply chains and increasing recessionary risks. In such a scenario, inflation would continue to disrupt food and agricultural supply chains while energy prices soar as the conflict in Ukraine drags on.

Owing to this, we developed a hypothesized coordinated ransomware cyberattack scenario leading to the shutdown of key seaport infrastructure across the world in order to understand the economic impact of such a large-scale attack. We focused the exercise across countries and commodities contained in the Global Link Model.

Three scenarios were developed to reflect different intensities in the ransomware-triggered disruptions based on two types of shocks. The first shock was to the flow of merchandise that either entered or exited a country through the ports attacked, while the second impacted international commodity prices.

The GLM was run to examine the economic impact on countries' principal macroeconomic assumptions. In the Severe Scenario, global GDP would be 0.7% lower than in the baseline in the first quarter of the shock, and 1.7% lower in the second quarter (0.3% contraction YoY), when the transmission mechanisms through inflation are completely activated. In the first quarter of the shock, global CPI inflation would edge more than 1% higher than in the baseline.

Asia-Pacific economies would be the fastest to recover from that shock. Non-attacked commodity exporters would limit their losses and recover quickly as they gain market shares. On aggregate, Asia-Pacific would be the only region that would experience a quick real GDP recovery, at the end of 2023, whilst the others would do so at different rates by the end of the decade.

European CPI inflation would be consistently 1.2-1.8% higher than in the baseline, making the region the second-most impacted after Sub-Saharan Africa for that phenomenon.

Among the geographies not targeted by cyber-attacks, Taiwan (-4.3% of exports in the first quarter, relative to baseline) and Mexico (-3.3%) would lose the most export revenues, in their case from a reduced import demand from Mainland China and the US respectively.

The US dollar would lose around 3% versus its trading partners at the onset of the shock, whilst the renminbi would lose more than 4% (but recover after only one quarter). At the other end of the spectrum, the biggest winners would be Saudi Arabia (+17.1%), Norway (+12.9%), Mexico (+12.7%) and Colombia (+10.2%).

Unemployment would increase the most in the US, where the unemployment rate would spike to 5.7% in the first quarter, compared to 3.6% in the baseline, a loss equivalent to 3.1 million jobs. Singapore would lose more than 57% of its industrial production as its infrastructure gets attacked before recovering it completely on the next quarter, albeit it would recover quickly.

The world will have lost a total of 2,884 billion USD (in real terms) worth of investment in 5 years.

These results are, of course, conditioned on the profile of the cyber-attack assumed to have taken place. If desired, further iterations of the scenario can accommodate more ad-hoc, market-centered, assumptions on what cyber-attacks could look like.

This article was published by S&P Global Market Intelligence and not by S&P Global Ratings, which is a separately managed division of S&P Global.