The WannaCry ransomware propelled cyber security and cyber insurance to the front of the news again; however, this malware and the subsequent Adylkuzz attack this week may be game-changers. WannaCry takes advantage of a Microsoft Windows vulnerability, holds the infected computer hostage and demands that the victims pay a ransom to regain access to the files on their computer. The virus spread to over 150 countries and hundreds of thousands of computers, in thousands of companies around the world.
Ransomware is not a new phenomenon and companies have long been searching for ways to reduce their risks. Cyber insurance firms certainly gain visibility in the wake of the WannaCry damages as companies look to reduce risk. Rick Welsh, CEO of the insurance firm Sciemus, stated that “this is a seminal moment in the development of the cyber insurance market”.
The industry is believed to be worth between $25M and $4B (USD) in annual premiums, which represents a relatively small portion of the insurance market, but the cost of the premiums is expected to triple by 2020, according to CNBC.
The question arises whether most companies that were affected by the WannaCry ransomware were covered by cyber insurance. In fact, many companies outside of the United States do not have such coverage. The popularity of these policies in the United States can be explained by the mandatory data breach notification laws that have been in place for years. However, with the upcoming General Data Protection Regulation in Europe and the expected coming into force of the mandatory notification requirement of Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), this type of insurance is likely to gain further popularity in these regions.
Despite the increasing popularity of cyber insurance, limits to coverage are critical to how insurance companies manage risk. For instance, companies that failed to update their Microsoft Windows software with the latest patches or used pirated software were likely not covered. Therefore, cyber insurance will never be able to replace due diligence or information security protection controls. Organizations that have controls in place and follow NIST or ISO security frameworks are even eligible for lower premiums.
Cyber insurance policies are quite strict as to the types of incidents or circumstances that are covered. A law firm in Rhode Island recently sued its insurer for refusing to pay for the loss of business that resulted from a ransomware attack. A lawyer opened an attachment which contained malware, leading to the encryption and holding hostage of all the firm’s documents.
The law firm eventually paid $25,000 USD in ransom but evaluated the loss of business at $700,000 USD since it could not bill hours during the crisis. The insurer refused to pay as the lost business income policy only applies to physical losses or damages to property at the business premises.
This clause is the subject of the conflict, with the law firm affirming that the ransomware led to physical losses. According to The Merkle, a leading online news and research organization focused on cyber research and information, there are “lots of gray areas when it comes to cyber insurance”.
If you decide to get cyber insurance, make sure to choose your cyber insurance parameters wisely. In the case of ransomware, cyber insurance might definitely be worth the premiums as it could cover the costs of the investigation, the ransom, the notification, the PR agency to mitigate reputational damages, and credit monitoring and lawsuits resulting from any breach of sensitive data or service level expectations.
While cyber insurance can never substitute for leading-edge IT security defense, it will mitigate risks in an increasingly risky cyber threat landscape. Cyber experts estimate that the next global cyber crisis is not so far down the road – will you be ready?