Cyber insurance in spotlight after WannaCry ransomware attacks
The “WannaCry” malware that spread rapidly through some 300,000 computers worldwide earlier this month could further boost interest in cyber insurance.
But the crisis is expected to lead to relatively few insurance claims, in part because of the relatively low ransom demanded by the criminals, which would fall below retention levels, as well as cyber insurance’s low penetration rate in areas where the malware was particularly prevalent.
The widespread nature of the incident, however, may lead insurers to underwrite their cyber risks more carefully and has created some insurer concern about risk aggregation, say experts. Malware victims had failed to install patches that would have addressed the software vulnerability that permitted the malware to be effective.
No huge payday for hackers
WannaCry has apparently been a financial bust for the still-unknown criminals behind it. According to reports, despite the malware’s wide distribution, only about $95,000 in bitcoins has been paid to redeem the encryption keys, which cost $600 as of last Friday.
Many experts have recommended not paying the ransom, in part because there was no assurance businesses would receive the encryption key that would release their data. It was not immediately clear how many who had paid the ransom received their key.
While it significantly impacted computers in Europe, Asia, and Africa, WannaCry was not particularly prevalent in the United States because a security blogger in the United Kingdom identified an effective kill switch for the virus, according to reports.
Even in the United States, though, where cyber insurance is relatively popular, penetration rates are only about 32%, according to a survey issued last week by the Washington-based Council of Insurance Agents and Brokers.
“Luckily, this didn’t turn out to be terribly significant from an insurance standpoint,” said Tim Francis, Hartford, Connecticut-based enterprise cyber lead for Travelers Cos. Inc.
Good data security is key
Christina Terplan, a partner with Clyde & Co L.L.P. in San Francisco, said there would be two separate coverages under most cyber insurance policies: business interruption and the cost to restore data.
Katherine E. Armstrong, counsel with Drinker Biddle & Reath L.L.P. in Washington, said it would have been difficult for entities that were impacted by the ransomware to get coverage, because to do so, “you have to have good data security.”
Firms with “robust patching and updated protocols would likely not be impacted by this malware,” which “went after outdated, unpatched operating systems,” she said.
Every incident over the past two or three years has led to an uptick in companies asking questions as to whether they should purchase the coverage and an increase in buyers, said Linda D. Kornfeld, a partner at Kasowitz Benson Torres & Friedman L.L.P. in Los Angeles.
However, “I don’t know whether (WannaCry) will increase demand,” said Ms. Armstrong. “I think it might more motivate companies to protect themselves by updating patches and their operating systems,” although cyber insurance “might be part of that kind of effort.”
Brian D. Hall, a partner with Porter, Wright, Morris, & Arthur L.L.P. in Columbus, Ohio, said that given the relatively low cost of the ransomware, “some may be willing to take the risk and take the preventive steps they need to take to try to limit the risk of ransomware being installed on their systems.”
WannaCry, meanwhile, has increased businesses’ awareness of the need for up-to-date cyber security. Companies are now “becoming aware of this type of risk” and realizing that when a patch becomes available, “it’s important to install it right away, and not wait a month,” said Ms. Terplan.
Insurers may look to limit exposures
Ransomware is not new, said Mr. Francis. Prudent underwriters have already “been thinking about the right way to underwrite and price it,” he said.
However, “at least some insurers will attempt to hedge against providing coverage in similar situations in the future,” said James S. Carter, counsel with Blank Rome L.L.P. in Washington.
“They may do so through sublimits or retentions, or through including other limitations or exclusions in the body of the policy.”
Risk aggregation may become more of a concern. “I know insurers with big portfolios are trying to get a better understanding of their aggregate risks across their portfolios,” said Ms. Terplan.
Kenneth K. Dort, a partner with Drinker Biddle in Chicago, said while the incident is unlikely to lead insurers to change things at the macro level, on the micro level, it will lead them to “pay more attention to the details, and being sure they have control over what their insureds are certifying” with regard to their cyber security.
Some observers say the incident may also increase interest in other types of insurance besides cyber. There have been reports of businesses turning to kidnap and ransom insurance to guard against ransomware attacks.
It may also create increased interest in directors and officers liability insurance, said Richik Sarkar, a member of law firm McGlinchey Stafford P.L.L.C. in Cleveland, pointing in particular to smaller companies, because incidents such as these “will affect the material value of the company.”