Question to the Cabinet Office:

To ask the Minister for the Cabinet Office, what the estimated cost to the public purse was of the WannaCry cyber attack in 2017.

It is not possible to estimate the cost to the public purse of the WannaCry cyber incident as no data was collecting during the incident on the cost of recovering data and IT systems or the cost on disruption to patient care. To determine the cost to the public purse would require collecting data from all organisations which itself would impose a disproportionate financial burden on them.

The WannaCry attack was unprecedented in terms of scale and disruption affecting systems internationally international including several within the NHS infrastructure who fell victim due to basic vulnerabilities in their cyber defences.

In their October 2018 publication on “Securing cyber resilience in health and care: a progress update”, the DHSC estimated the cost of WannaCry to the NHS being £92 million. The DHSC used a variety of factors (average number of NHS trusts involved) and categories (direct and resource) to estimate the financial impact on the NHS but this does not include a consideration of other organisations outside of the health and care who were also impacted. The DHSC report is available at the following link: https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/747464/securing-cyber-resilience-in-health-and-care-september-2018-update.pdf.

Since the 2017 WannaCry cyber incident, a number of steps have been taken to sharpen incident response plans across the NHS, providing new and mandatory training on cyber security to all NHS personnel and increasing investment in local infrastructure to develop a more robust cyber security posture.