The WanaCry ransomworm has caused insurance companies really to take notice. Customers have started to file damage claims, however it is a bit early to see the insurance industry’s full exposure to this recent malware pandemic. For insurers, the main threat regarding WanaCry is not about any one individual company that gets infected but rather as an aggregated risk. The estimated total financial damage caused by WanaCry in just the initial 4 days would exceed a billion dollars, looking at the massive downtime caused for large organizations worldwide. Cyber-security policies are a fast-growing new insurance market, pundits predict 5 billion in premiums by 2020. Organizations buy policies so that in the event of a data breach or ransomware infection they can file a claim and get help to recover costs and remediate damage.
But… How About Pre-existing Conditions
“The Wanna-Cry worm is one of the most significant and virulent forms of malware ever seen and therefore the insurance industry is taking notice,” Pascal Millaire, vice-president and general manager for cyber-insurance at Symantec, told eWEEK. “Insurers underwriting cyber-risk can handle ten loses or a hundred loses, but when there is a major systemic event that can lead to thousands or tens of thousands of simultaneous claims,”Millaire said. “At that point there are solvency issues that can threaten the future of an insurer.” So insurers try to limit their risk, similar to medical insurance where the issue of pre-existing conditions has seen a lot of controversy.
Three Things to Be Aware of in the Fine Print
There are three issues you need to be aware of when you buy a cyber security policy, or when you review your existing policy:
1. Is a known vulnerability that you have not patched a pre-existing condition?
2. Should an un-patched system be covered under a clause for errors and omissions?
3. When an employee falls for a phishing attack and infects the network that way, is that covered?
“Different policies will respond in different ways on what is covered and what is not,” Millaire said. This means you need to have your legal department look into this carefully. As an exception, WanaCry exploited a patched Microsoft vulnerability and spread like a worm, as opposed to 95% of ransomware that spreads through email and social engineering. Cyber insurance normally does not pay out when employee error was the cause of the infection. Looking specifically at WanaCry, Millaire said that it’s to early to tell at this point if WanaCry will have an impact on cyber-insurance premiums in the months ahead. I strongly suggest though that if your organization now is looking into buying cyber-insurance, you get quotes from several sources and very carefully analyze what is covered in which scenario. The first step is to call us for an assessment – we may be able to point you in the right direction.