The global ransomware event of the last few days, called WCry, WannaCry or WannaCrypt, underscores the potentially widespread impact of a single cyber vulnerability. There are a number of ways that the aggregation of cyber risk can manifest itself in the insurance market, but perhaps this is the “cyber hurricane” that cyber insurers have been worrying about?
Well, yes and no. It’s certainly highlighted the speed at which a cyber attack can propagate itself, but will it actually be that expensive for the insurance market? We probably won’t ever know the total cost of the incident, but even a reasonable estimate will be difficult. The components of financial impact to infected organisations will include elements of incident response (internal and external), ransoms paid, increased cost of working or attempting to work while the systems were impacted, lost income due to the interruptions caused by the incident (everything from ATM fees to the cost of stopping production lines), and the potential for lawsuits or regulatory investigations that may be yet to come. The less quantifiable harms from the incident include patients waiting indefinitely to be released or treated in hospitals as test and x-ray results were unavailable.
When contemplating cost of the incident and insurance, issues will include incident response handled internally vs. externally (is the overtime of having your IT staff work 24 hours covered?), betterment (if you failed to patch and now must do so, is the cost betterment?), and which policy should respond (do you have elements of cyber extortion cover in your kidnap and ransom (K&R) and have you purchased a cyber insurance policy yet?). A properly constructed K&R policy will provide your organisation cover for the cost of dealing with a cyber-triggered extortion demand (including paying the ransom and related expert crisis management).
The largest component of financial loss from this incident, however, is likely to be the resulting business interruption arising from the incident, something that K&R insurers currently cover on a ground up basis. We have noted that, over the past 18 months, K&R insurers have increasingly realised that this leaves them heavily exposed to a systemic cyber business interruption loss. Given that fact and the scope of this incident, it will be telling to see how the market responds. Buyers currently benefit from the way the K&R market provides this element of coverage with no deductibles and unlimited response expense outside the policy aggregate. While we believe the cyber market can and should address these exposures, it’s critically important that the insurance market as a whole behaves responsibly and buyers aren’t left without protection.
This incident is politically fraught for a number of reasons, in this unique case, the ransomware perpetrators incorporated vulnerabilities called ETERNALBLUE, stolen from the USA National Security Agency (NSA) by a cyber crime group known as the Shadow Brokers. However, Microsoft patched the vulnerability on 14 March 2017, prior to the Shadow Brokers leak which included this and other vulnerabilities stolen from the NSA.
Saying that companies should “just patch” and avoid this sort of incident is perhaps overly simplistic. There are myriad reasons, particularly industries reliant on legacy systems and internally developed software, that simply applying a patch isn’t feasible. However this underlines the importance of taking mitigating steps when a patch can’t be applied, for example in this case disabling the feature where the vulnerability lies.
Companies with cyber insurance
If you’ve been affected by the incident and you have cyber insurance and/or K&R insurance, report it immediately. If your renewal is imminent, be prepared for insurers to focus in greater detail on your patching process, any remaining instances of Windows XP (not directly related but likely to come up in any case), and if you currently have any systems with this SMB vulnerability. Run this scenario through your existing insurance portfolio including your cyber insurance:
- Does the business interruption coverage trigger if you’ve voluntarily shut down your systems to prevent a known?
- Do you know who to call to assist with a ransomware incident?
- Is there coverage with a lower deductible under other insurance policies like K&R?
Make sure your K&R and cyber insurance policies are properly coordinated to give you maximum coverage. K&R insurance can be structured as a deductible in-fill to a more comprehensive cyber program, so make sure that your cyber deductible will be eroded by the K&R.
Companies without cyber insurance
First, if your company has been impacted by the ransomware, check your K&R policy as well as other insurance policies to see if you already have slices of coverage. If there’s a possibility, best practice would be to report it immediately. K&R policies will provide help with incident response, and if you don’t have one in place now is a good time to consider – it’s a relatively painless process. Second, buy cyber insurance. It’s really time.
Considerations for insurers
There are a number of considerations for insurers in cyber and traditional lines, and many are deep in the process of understanding their embedded cyber risk in non-cyber lines of business. Incidents like this one do underline the potential for cyber extensions in other lines of business to be widely triggered.
It’s important to ask the right questions, and while asking clients to describe how they deploy patches isn’t new, this new incident will most certainly trigger more discussion. The answers may not always be straightforward, and our hope is that insurers will not take a reactive position and simply decline risks who have exceptions to their patch deployment policy or worse, attempt to reintroduce restrictive “failure to patch” exclusions.