May 16, 2017 by Canadian Underwriter
The global WannaCry ransomware attack is “arguably the first ever cyber-catastrophe,” an expert in cyber risk management from RMS said on Tuesday.
Tom Harvey said in a statement that the cyberattack “clearly demonstrates the systemic nature of the risk, with a single vulnerability resulting in hundreds of thousands of infected machines across over 150 countries.”
In the attack, hackers demanded payment from victims in the digital currency Bitcoin to regain access to their encrypted computers. The malware has scrambled data at hospitals, factories, government agencies, banks and other businesses since Friday, the Associated Press reported on Tuesday. Countries/territories affected included China, the United Kingdom, Japan, Russia, Saudi Arabia and Taiwan, among others. The Canadian Press reported, also on Tuesday, that Quebec’s Université de Montreal was monitoring its IT network after about 120 of the school’s computers were allegedly infected with the WannaCry malware.
Harvey said that while “unprecedented,” the attack was not unexpected. “RMS modelling scenarios show this kind of hacking campaign as just one of numerous types of extreme but plausible cyber-catastrophes,” he said in the statement.
While it is still too early to determine the cost for the insurance industry, 74% of cyber policies on the market offer cyber extortion, a loss that is still evolving, Harvey said. As of the time of the statement, only a “relatively modest US$63,000 has been paid in ransoms so far – but there are still several days left on the clock. However, ransom payments are only a small proportion of the total losses insurers face.”
According to the Associated Press, the malware paralyzed computers running mostly older versions of Microsoft Windows. It displayed a message demanding US$300 to US$600 worth of Bitcoins, saying that “failure to pay would leave the data scrambled and likely beyond repair.”
Harvey said that firms with cyber policies will likely have triggered coverage for incident response, data and software loss, and even regulatory response costs. “And that’s before business interruption is counted,” he said. “With several large manufacturers, hospitals and telecom providers disclosing downtime, these losses will be significant.”
But WannaCry is not just an issue for cyber insurers, Harvey stressed. “With such a soft property insurance market, several insurers have offered non-damage BI coverage which may trigger. And insurers with Kidnap & Ransom books will want to look closely at their policies wordings to see whether they are exposed.”
Harvey noted that the WannaCry malware utilized a vulnerability that was patched by Microsoft nearly 60 days ago, providing many companies the opportunity to “plug the hole” before being attacked. In addition, the presence of a kill switch within the software allowed security experts to contain the spread to some extent, although there have been reports of new variants without the kill switch.
“It is not a true zero-day,” Harvey concluded. “Had it been, the scale of this event – and potential losses – would have been many orders of magnitude higher.”