Insurers say that companies outside the United States could be facing potentially millions of dollars of losses from a recent computer-system attack, because relatively little take-up of cyber insurance means they may not have cover for it.
A massive ransomware worm caused damage across the globe over the weekend, stopping car factories, hospitals, shops and schools, amid fears it could wreak fresh havoc on Monday when employees return to work.
Cybersecurity experts said more than 200,000 computers in more than 150 countries had been locked up by the spread of the “ransomware” virus dubbed WannaCry. The attack had slowed but the respite might only be brief.
With companies in Europe, including Russia, and Asia particularly vulnerable, the overall cost of getting businesses going again could run into the billions of dollars.
According to Kevin Kalinich, global head of Aon Plc’s cyber risk practice, nearly nine out of 10 cyber insurance policies in the world are in the United States. The annual premium market stands at $2.5-$3 billion.
Bob Parisi, U.S. cyber product leader for insurance broker Marsh, says that the biggest reason for the larger penetration in the United States “is that the U.S. has been living with state breach notification laws for the past 10 years.”
The greater transparency created an incentive for U.S. companies to get insurance to compensate for damage from incidents they were required to report. An upcoming European Union directive is expected to have the same impact in Europe.
Kalinich said that companies that were not prepared for WannaCry can expect to incur business interruption costs that far exceed a ransomware payment.
“If you’re a hospital that turned away patients, if you’re a global delivery company that can’t send packages, or a telecom company in Spain, Russia or China, the financial statement impact from the business interruption is much larger than the $300 ransomware,” he said.
Britain’s National Health Service, French car manufacturer Renault, and Spain’s Telefonica were among the organizations hit by the attacks, which lock up computer systems until the victims pay a ransom.
Sources close to Telefonica said the company had insurance to cover the attacks but that it was too soon to estimate the economic impact.
West Coast cyber risk modeling firm Cyence estimated the average individual ransom cost from Friday’s attacks at $300 and the total economic costs from interruption to business at $4 billion.
More modest total losses were estimated by the U.S. Cyber Consequences Unit, a non-profit research institute that advises governments and businesses on the costs of cyber attacks. The group forecast that rather than exceeding $1 billion, they were likely to range in the hundreds of millions.
Insurers say that ransomware attacks have spiked in the past 18 months and a typical cyber insurance policy will protect companies against such extortions. According to Parisi, it would cover the investigation costs and also pay the ransom.
However, there are caveats. Companies that did not download a Microsoft patch issued in March to protect users from vulnerabilities may be out of luck, since many cyber policies exclude coverage in such an instance.
Cyber insurance policies typically cover the cost of notifying those whose data has been breached, arranging credit monitoring for those affected and hiring a PR agency to address reputational damage, as well as potential legal suits.
The impact on insurance premiums, however, may be muted, given strong competition and uncertainty as to how many of the losses over the weekend were insured.
Kalinich said that insurers are likely to scrutinize more carefully the risks they take on, as well as how they word policies and exclusions.
“They will want to pick the companies that are most prepared,” Kalinich said. Other firms might be eligible for coverage, but more exclusions may apply, he said.
“There are really important intricacies. You could end up losing a couple million dollars.”
(Adapted from Reuters)