Real winners of the WannaCry ransomware attack? Insurance companies
INSURANCE companies are beginning to push out the boat on a new kind of insurance that protects against cybercrime, in response to the gamut of attacks that have occurred in the last two decades.
If there’s anything that has become starkly clear in the days after the devastating ransomware attack that pulled the rug from underneath hundreds of thousands of computers and organizations, it’s that the world is woefully underprepared for the impending onslaught of cybercrime that will characterize the 21st century.
— Symantec AR (@SymantecAR) May 16, 2017
Since the WannaCry ransomware incident began on Friday, companies have been scrambling to assess losses incurred. Cyber risk firm Cyence chief technology officer George Ng, estimates companies globally lost a total of US$8 billion as a result of the ransomware attack, according to The Wall Street Journal.
Ng’s company calculated that value by considering the average rate of computer-system-backup versus the companies’ business models. A company could take anywhere from one to 12 hours to resume normal operations. However, that number could potentially have been higher, especially if the hackers had destroyed important documents or entire operations’ files. Analysts are still cautious about estimating the true cost of the weekend’s havoc though.
“I don’t think we’ve necessarily seen the period at the end of the sentence of this particular ransomware strain,” Aon Risk Solutions senior vice-president Stephanie Snyder told WSJ.
What is startlingly evident though is the large financial repercussions of cyberattacks as well as the lack of preparedness of companies when faced with the dangers of the digital age. According to Reuters, many insurers are already commenting on the lack of cybercrime insurance entities outside of the United States. Statistically, the numbers do not favor non-US entities – nine out of 10 insurance policies in the world are in the US, Aon Plc’s Kevin Kalinich said to Reuters.
Having only 10 percent of the world covered with cyber insurance means many foreign entities are vulnerable to any future attacks, with many already bracing for newer, stronger strains of the malware to emerge, reports Vox. Should the new strains prove to be harder to detect and stop, the damage it could do is largely untold.
“A hurricane with a probability of happening once in 25 years could cost us as much as US$150 million and the whole industry about US$30 billion,” Hiscox CEO Bronek Masojada said to Bloomberg.
“Due to the lack of history, the question with cyber is whether a US$30 billion loss happens once in 25 years or once in 100 years. The most important question is whether we will be alive after it.”
The biggest reason for the larger penetration in the US, says Bob Parisi, US cyber product leader for insurance broker Marsh, “is that the US has been living with state breach notification laws for the past 10 years.”
Despite the fact cybersecurity has become a “boardroom issue”, many companies have not taken to heart the warnings by experts to equip themselves with up-to-date security and software and ignored suggestions to begin buying cyber insurance.
US communications company Verizon reported ransomware attacks had increased in frequency by 50 percent since 2016. They say criminals are not picky as to whether they attack individuals or vulnerable companies and organizations. Governments have also become popular targets, as evident by recent high-profile hackings.
But probably the largest concern many fail to understand is the new global reach of hackers. Our world has become ever more interconnected, and more and more of our systems become integrated with one another. An attack on a vulnerable government in Southeast Asia could have massive repercussions on companies in other parts of the globe. Asia continues to rank as a hotbed or cybersecurity vulnerability, with Asia Pacific as its epicenter.
Insurance industry stands to win big
— OECD (@OECD) May 13, 2017
Insurers have caught wind of the new breed of insurance coverage that could potentially save the laboring industry, which is struggling to keep growth margins steady amidst a stagnating global market and the pressure being exerted on prices due to the low rate of catastrophe claims. Last year, the industry saw its income flatline and prospects for recovery are low, according to German reinsurance company Munich Re.
Cyber insurance could prove wildly lucrative for the industry; Munich Re’s plans currently are valued at around US$3.4 billion, with the expectation premiums could rise to between US$8.5 billion and US$10 billion by 2020. On the other hand, Allianz’s cyber insurance saw a 28 percent growth margin, said Hartmut Mai, Allianz’s chief underwriting officer for corporate lines, to Bloomberg.
Upcoming European Union rules on companies’ cyber regulation responsibilities could further push up demand. The EU has put into place rules that will require companies to report cyber attacks to regulators from 2018 onwards.
According to Parisi, cyber insurance will be able to protect companies against extortion tactics, such as the ones implemented by the WannaCry hackers, by providing the funds necessary to cover ransom costs, investigations, PR needs or even legal suits. Companies could stand to save millions of dollars in spending to recoup lost data, or even just get their systems back up and running. Though most policies will cover breaches of up to US$50 million, more expensive policies will be able to cover the losses ranging from US$500-600 million.
Much like health insurance though, most insurance companies will not cover companies who run pirated editions of software, or have failed to keep their software up to date. Insurers are likely to scrutinize risks they take on as well as how they word policies and exclusions, Kalinich said to Reuters.
— John A. Wheeler (@JohnAWheeler) May 13, 2017
“They will want to pick the companies that are most prepared,” Kalinich said. The high rate of occurrence of cybercrime today might turn off many insurers, who have to contend with strong competition and uncertainty borne out of a lack of technological infrastructure to quickly identify or prevent these attacks from happening in the first place.
That being said, though the cyber insurance business could cost insurance companies a pretty penny, it’s expected demand will only continue to go up and up, especially as the world continues to reel after the WannaCry attacks.
Beazley head of cyber insurance Paul Bantick told Bloomberg the company was already “starting to see shoots of demand in Europe, Latin America and Asia”, with an emphasis on Europe.
Additional reporting by Reuters.