Last year organizations around the world were paralyzed by two destructive cyber attacks, WannaCry and NotPetya. One year on, Cyber Decoder looks at how the two attacks have shaped our understanding of cyber risk and driven changes in cyber insurance purchasing.
In May 2017, the WannaCry ransomware rapidly spread to over 230,000 computers in 150 countries, causing an estimated USD 4 billion in financial losses. One month later, the NotPetya attack hit the computer systems of companies and governmental entities in 65 countries causing huge disruption to supply chains. Catastrophe modelling firm RMS estimates that NotPetya caused losses of around USD 2.5 billion to USD 3 billion, although losses would have doubled had it not been for the early discovery of a kill switch.
The two attacks were the first real global cyber attacks to impact multiple organizations around the world. They were also notable for the financial and reputational damage they inflicted on a number of multinational companies. Pharmaceutical company Merck, for example, said that NotPetya cost it USD 135 million in lost sales and another USD 175 million in additional costs, while the malware attack cost logistics company FedEx and shipping company AP Moller-Maersk around USD 300 million apiece.
Some cyber security researchers contend that last year’s global malware attacks signify a fundamental change in the cyber landscape. Hackers are becoming more sophisticated and ambitious, using exploits and tools developed by nation states to launch large-scale attacks. The incidents are also a reminder that companies face a significant threat from unpredictable global cyber incidents, not just targeted attacks that can be anticipated by threat vector analysis.
WannaCry and NotPetya used virulent forms of self-replicating code based on EternalBlue, an exploit developed by the US National Security Agency (NSA), which was leaked and then published online by a hacker group called Shadow Brokers. In an added twist, the US said North Korea was responsible for WannaCry, while Russia is believed to be behind NotPetya.
Variants of EternalBlue continue to cause problems a year on from the initial attacks. In March this year, US media reported that aircraft manufacturer Boeing had become the latest victim of WannaCry, albeit a limited intrusion by the ransomware. EternalBlue has since been used to power crypto-mining malware and a banking Trojan, while the SamSam ransomware attack against the city of Atlanta in March 2018 relied on DoublePulsar – another NSA-developed exploit.
Cyber security firm Avast said it has detected and blocked more than 176 million WannaCry attacks across 217 countries. It blocked 54 million WannaCry attacks in March 2018 alone. Despite the release of a patch by Microsoft, two months before the WannaCry attack, EternalBlue continues to be a threat. According to Avast, almost one third (29%) of Windows-based PCs globally may still be running with the vulnerability in place.
WannaCry and NotPetya generated a number of large claims for the insurance industry. For example, Merck’s cyber insurers are set to pay out USD 275 million for the NotPetya attack. However, many companies hit by the malware were uninsured. The likes of FedEx and Maersk did not have standalone cyber insurance at the time of the NotPetya attack, but have since stated that they are looking at possible cyber insurance solutions.
Even before the malware attacks, demand for cyber insurance was increasing. However, WannaCry and NotPetya have encouraged organizations to look more deeply at their cyber exposures and seek more sophisticated risk transfer solutions. Following the global malware attacks, a wider range of sectors have shown more interest in transferring cyber risk to the insurance market and have begun to engage more meaningfully with their advisers and underwriters.
The WannaCry and NotPetya attacks have also led to changes in the kidnap and ransom market, as well as causing a shift towards standalone cyber. The K&R market offers cyber extortion cover, but following last year’s malware attacks, K&R insurers have limited the cover and limits they are prepared to offer. Some K&R insurers have introduced clear cyber exclusions, while one major insurer wrote to brokers in January this year clarifying the cyber extortion cover offered under its K&R policy.
For more information on cyber insurance, please contact Martin Delaney, Senior Vice President - Leader, Cyber and Risk Management Services at ClientFirst@jltcanada.com.