The global WannaCry attack on businesses, hospitals and higher education institutions served as a wake-up call that all institutions are vulnerable to ransomware and a reminder to take steps to mitigate that risk.
The insurance industry has been on the front lines of ransomware for some time. Ransomware attacks handled by specialist insurer Beazley Group more than quadrupled in 2016, and Beazley projects these incidents will double in 2017. While insurers have been able to track and identify steady increases in ransomware attacks year by year, it is unclear how far a particular attack might spread or how many organizations it could victimize.
WannaCry surprised many observers by taking ransomware to a global scale, spreading across countries and businesses, blocking and compromising networks. In this case, hackers exploited a flaw in Microsoft’s Windows operating system that overwhelmingly affected those who had not updated their systems through a patch Microsoft released previously. With so many businesses, hospitals and institutions exposed, what does this mean for insurers?
As of now, this event has not generated a large volume of claims. Some incidents may not have been reported, and some might just be slow to file claims. When claims do come in, here are the coverages that will come into play:
1. Extortion cover is expected for the cost of the decryption key. Though often a minor amount to ensure most people can pay, there have been isolated cases of higher value. In the WannaCry case, hackers asked for $300 via Bitcoin transaction, a ransom demand that doubled three days after the attack was first launched.
2. Data restoration cover. Once an insured has secured a decryption key, it is recommended practice to have a computer forensic provider test the key to scan to ensure no further malware will infect the network. The key, after all, is supplied by hackers, so assuming it would be clean could lead to more issues. However, hackers are in the business to make money, and they know victims will only pay if they know they’ll be able to regain access to their systems. Regardless, restoration requires expert technical support, which comes at a cost.
3. Business interruption cover should be considered for as well, as hackers disproportionately target operating businesses in their attacks. From the time an attack is launched to the time the data is fully restored — which is by no means guaranteed — a business could incur significant interruption losses. Once the decryption key is received, it is not a matter of turning a key and all of the data popping back up. It could turn out to be a longer process, one that can take anywhere from a few days to a week to restore the data and get a business back on its feet.
4. Data breach coverage. Ransomware claims are further complicated when they trigger breach notification requirements, depending on local and federal laws where the breach occurred. With local privacy and breach notification laws varying by country and even by state, the event could be considered a breach if there is a concern that personally identifiable information was exposed. This is especially a concern in the United States with the Health Insurance Portability and Accountability Act, considering the extensive targeting of medical facilities. US healthcare facilities are required to treat such attacks as if they are data breaches. Also, state regulations differ, compounding the situation even further, throwing on layers to evaluate these attacks through different lenses. What a global attack like WannaCry does is bring about regulatory questions and differences from country to country, demonstrating how the response to the same attack could look quite different depending on where it happens.
For insurers, the international scope of WannaCry also invites questions around aggregation. With the attack permeating public attention, more insurers are discussing the cumulative effect of attack on their portfolios. WannaCry illustrates the aggregation problem, as it crossed sectors and geographic regions. The attack was indiscriminate and did not just affect one company or sector, highlighting the vulnerability of various business spheres and geographic regions. We expect this attack to create more demand from foreign and midsize businesses for cyber insurance.
Insurers should approach ransomware with the notion that cyber exposure is constantly evolving, which means their coverages have to shift along with it. Insurers should make sure they have diversification in coverage and are modeling these types of exposures to anticipate the scale of potential attacks. With more sophisticated and informed modeling, and more in-depth cyber assessments, insurers will have a better understanding of their clients’ environments and cyber defenses, including patching.
Although more education and training are needed on spear phishing and safely managing emails, incidents like WannaCry have built up awareness in corporate cultures. These attacks will only reinforce the vast potential risks of ransomware and the nature of constantly evolving cyber attacks.