Global ransomware attacks such as WannaCry and the more recent Petya are raising troubling questions regarding cyber risk aggregation, not only for organizations across all industries and geographic borders but also for their insurers.
In mid-June, a number of European and American businesses, including banks, power companies and even a large law firm, reported a widespread ransomware attack that exploited a Microsoft Windows vulnerability similar to the one WannaCry had exploited earlier in the year. These broad and indiscriminate attacks are adding complexity to cyber claims and urgency to cyber risk management.
The types of claims insurers are likely to see from these and other ransomware attacks will depend upon the insurance issued. Cyber insurers with affected policyholders could see first-party expenses associated with retaining forensic experts to assist in determining whether the entity can decline to pay the ransom because there is adequate backup of the encrypted data. Depending upon the policy, there could be coverage for the ransomware payment, if the entity determines it will pay the ransom. In addition, there may be other first-party expenses associated with privacy counsel to guide the investigation and assist with the company’s decisions regarding how to handle the ransomware attack, including liaising with law enforcement.
One of the worrisome elements of ransomware attacks is the seemingly inexpensive ransom demand, which leads some businesses to pay it in the hope that the problem will go away. A payment of $300 in bitcoin, the amount demanded in the recent Petya attack, obviously is small compared to the financial resources of a large organization. The danger is twofold: such payments encourage further attacks, and a ransomware attack may not be limited to simply encrypting data, since some attackers use ransomware to obscure other malicious activity. Impacted companies need to be vigilant about this possibility and ensure a thorough investigation.
If data is accessed or exfiltrated, victim organizations could face notification obligations to individuals and/or regulators. Best practices dictate organizations should seek the opinion of counsel regarding notification requirements. In addition, there are likely to be first-party claims for business interruption if the company’s systems were down or compromised for a material length of time, impacting normal business transactions; this is where we expect to see the majority of the claims arising from the Petya incident. Finally, if notifications are required, there is the possibility of regulatory investigations or third-party claims by customers or clients of the company if the attack prevented the company from delivering products or services.
Cyber insurance growth likely
Although many traditional non-cyber insurers have contemplated cyber exclusions, including ISO exclusions, specific cyber exclusions for the most part have not yet become industry standard in many classes of business. The recent increase in widespread attacks, affecting multiple industries and geographic locations, may lead to an environment where non-cyber insurers increasingly add exclusions to avoid possible unintended exposures, frequently referred to as “silent cyber” exposures. In any event, there can be little doubt that the increase in these types of widespread, indiscriminate attacks will fuel growth in the already explosive cyber insurance market, where insurers continue to develop products to best address the emerging risks presented. Together with increasing regulation, such as GDPR in the EU, these high-profile widespread attacks are likely to act as a catalyst for the further development of cyber insurance products.
As with any widespread risk that potentially can lead to aggregated losses across multiple industries and multiple lines of insurance, the recent global ransomware attacks present devastating loss potential for insurers. In an increasingly connected world, it is not difficult to imagine realistic scenarios under which attacks on interconnected systems, such as infrastructure, could have a catastrophic knock-on effect across many companies and geographic areas at the same time.
Reinsurers may have aggregated exposure to the “silent cyber” risks facing direct non-cyber-specific insurers, and many reinsurance wordings still do not address cyber exposures. Certainly, the aggregation and clash potential arising from systemic, catastrophic cyber attacks is a concern to reinsurers. At the same time, the current climate of evolving and increasing cyber risk presents an excellent opportunity for reinsurers, as primary insurers and policyholders look for greater security and more stable risk transfer platforms.