Global ransomware attack hits cyber insurers, but losses limited
The WannaCry ransomware attack, which has reportedly infected hundreds of thousands of computers globally, is triggering claims on cyber policies worldwide, but it is not expected to lead to a major market loss, cyber insurance experts say.
While many cyber policies would cover losses from WannaCry and related attacks and cyber coverage is growing more popular throughout the world, the United States is by far the biggest market for cyber insurance — but most of the problems with WannaCry have been reported in Europe and Asia, they say.
However, the huge scale of the ransomware incident has already led to increased interest in cyber coverage internationally, brokers report.
The massive ransomware attack began late last week, with reports of numerous organizations in Europe, including Britain’s National Health Service, being infected. Over the weekend and on Monday, the attack, which in most cases demanded a payment of $300 to restore encrypted files, spread to Asia.
“As an insured event, it’s already having a significant impact on many of our insureds,” said Tom Reagan, cyber practice leader within Marsh L.L.C.’s financial and professional products practice, or FINPRO. “The underlying cyber extortion is very small, under the retention of all but the smallest companies, but the downstream consequences for firms — the loss of the data and/or the business interruption — is very significant.”
Coverage for extortion, business interruption and the cost of outside experts is included under broad cyber policies that many organizations buy, Mr. Reagan said.
Ben Beeson, Washington-based cyber risk practice leader at Lockton Cos. L.L.C., said most cyber insurers offer cyber extortion coverage as part of their policies, although policyholders must elect the coverage and pay an additional premium.
“The coverage has been around almost since day one at the end of the 1990s, and these areas of cyber risk are starting to become more prominent, whereas it was liability around handling personal data that got people’s attention,” he said.
Business interruption, or network interruption, coverage would also respond to the attack, but such coverage usually has a 12-hour time deductible, Mr. Beeson said. Losses from WannaCry will also be limited as the ransomware is largely hitting organizations in Europe and Asia where fewer companies buy cyber insurance, although more companies outside the U.S. are buying the coverage, he said.
Demand in Europe and Asia is growing, said Anthony Dagostino, global head of cyber for Willis Towers Watson P.L.C. in New York.
“The U.S. is still the biggest purchaser, driven by the regulations and the legal environment, but we see a lot of buyers in the U.K. and a huge demand increase in Continental Europe, and there’s been a spike in demand in Asia,” he said.
And the attack will lead to more non-U.S. companies buying cyber coverage, said Mr. Reagan of Marsh. “We’ve already started getting the phone calls,” he said.
The business interruption and extortion coverage options in cyber policies are increasingly being taken up by policyholders as the incidence of ransomware increases, said Brian J. Dusek, an attorney at McCullough Campbell & Lane L.L.P. in Chicago who specializes in cyber risk and professional liability coverage.
One area that may lead to coverage disputes would be the ease with which the problem could have been avoided, he said.
According to reports, the ransomware targeted older versions of the Windows operating system and a “patch” was available in March to fix the vulnerability exploited by WannaCry.
“It’s not in every policy, but there’s often language in the policies saying that the policyholder has to keep reasonable security practices in place, and the patch has been out since March,” Mr. Dusek said.
While it’s unclear what the level of insurance losses from the WannaCry ransomware will be, the attack shows the changing aggregation risk that insurers face, where one incident leads to losses from multiple policyholders, said Pascal Millaire, vice president and general manager of cyber insurance at Symantec Corp., the San Francisco-based technology security company.
“This is another illustration of the fact that insurance aggregation events are no longer geographically constrained,” he said.
Insurers need to stress-test their cyber exposures against aggregation scenarios, Mr. Millaire said.
According to Symantec data, there were 463,841 ransomware attacks in 2016, up from 340,665 attacks in 2015, he said.