WannaCry: Lessons for insurance

10 July 2017

The global ransomware attack in May is not expected to result in a material loss for the cyber insurance market. But it could prompt underwriters to review cyber related business interruption cover offered under traditional insurance policies.

The global ransomware event that began on May 12 was a wakeup call to many, highlighting the potentially widespread impact of a single cyber vulnerability. Known as WannaCry, WCry or WannaCrypt, the ransomware is thought to have affected several hundred thousand computers in over 150 countries.

Counting the cost

Estimating the total cost of the incident is difficult, although some media reports have put the bill at around USD 4 billion. But while ransom attacks are insurable, and insurers have been notified of potential claims, cyber insurers are unlikely to foot much of the bill for WannaCry.

Cyber insurance purchasing outside the US is still relatively slow. And where companies have purchased cyber insurance, losses from WannaCry will probably fall within deductibles.

Ransom demands were also small: total ransoms paid to the cyber criminals are thought to be under USD 100,000. And business interruption does not appear to have been prolonged.

While companies took services offline to stem the spread of the attack or to carry out updates, business interruption was not material. For example, WannaCry caused Renault-Nissan to temporarily shut down systems at five plants, but the motor manufacturer was quickly able to make up for lost production.

But companies should consider how their insurance policies would respond to a cyber incident like WannaCry. For example, would business interruption cover triggered under existing policies respond to a voluntary shutdown of IT systems?

Market Reaction

With losses contained, the market is showing no signs of reacting to WannaCry with increased rates or changes to terms and conditions. But the incident may have implications for other lines of insurance. WannaCry underlined the potential for cyber extensions in the kidnap and ransom insurance market to be widely triggered.

The kidnap and ransom (K&R) market offers ground-up cover for cyber extortion, and the market is seeing claims from WannaCry. The incident may yet see the K&R market move to exclude business interruption for cyber extortion offered under K&R policies.

WannaCry is also likely to trigger more discussion around patches, and insurers could well ask more questions around updates. The answers may not always be straightforward, but we expect insurers will not take a reactive position and simply decline risks that have exceptions to their patch deployment policy or worse, attempt to reintroduce restrictive “failure to patch” exclusions.

Life after WannaCry

Speculation on WannaCry’s origins suggests it may have been an unusual example of a state-sponsored ransomware attack.

In June, UK intelligence services and the National Security Agency (NSA) concluded that the global ransomware attack in May was carried out by individuals linked to North Korea. A number of security firms say there are similarities between the code used by WannaCry and code previously linked to the Lazarus attacks.

PATCH Act

Following the WannaCry attack, US legislators have proposed a bill that would increase transparency for cyber security vulnerabilities. The Protecting our Ability To Counter Hacking (PATCH) Act would require government agencies to make zero-day vulnerabilities known to vendors and corporations.

The WannaCry attack spread malware that exploited a vulnerability in unpatched Microsoft software; the exploit had been stolen from the NSA and published by a cyber crime group called the Shadow Brokers.

Download our Cyber Security Checklist (PDF) to help your organization ensure that the appropriate policies, standards and procedures are in place to identify and eliminate system vulnerabilities.

For further information please contact Martin Delaney, Senior VP, Leader, Cyber & Risk Management Services at ClientFirst@jltcanada.com