The global cyber attack caused by the virulent new strain of self-replicating ransomware known as Wanna Decryptor, WannaCry, or WCry, could be just the catalyst that the insurance and reinsurance market needs to stimulate a new approach to cyber risks, according to experts at Sciemus.
The WannaCry ransomware has impacted more than 150 countries around the globe, making it perhaps the most widespread cyber attack in history and raising questions about the ability of insurance and reinsurance markets to cover this type of systemic cyber exposure and the approach to understanding cyber exposures taken by risk modelling and underwriting companies.
Insurance, reinsurance and capital market underwriting and cyber focused data and analytics company Sciemus Cyber has a unique view on the event and believes that it highlights the need for a holistic view of cybersecurity, one that is more closely aligned with business risk and core business processes.
As a result, Sciemus believes that cyber attacks like WannaCry (WCry) provide evidence of the potential for cross-class cyber exposures, something insurance and reinsurance underwriters need to be extremely wary of.
As a result, Sciemus warns that “The Lloyd’s of London’s and Prudential Regulatory Authority’s demarcation of “silent” and “affirmative” cyber exposures is especially pertinent.”
Sciemus sees the potential for an event such as WCry to cause meaningful losses in insurance and reinsurance markets, as cyber coverage expands and the market grows an event such as this could see escalating losses due to business interruption costs, brand reputation and remediation costs.
As a result, every business sector can have exposure to such an event, not just the highly publicised NHS healthcare exposure. With attacks reported across over 150 countries in the world now, the reach of an attack like WCry highlights the potential for a truly major industry loss for re/insurers from this kind of incident as the cyber risk market grows, the need for a disciplined approach to underwriting and a new thinking around how to analyse, understand and quantify cyber exposures.
The potential for business interruption losses to re/insurers is clear, as major organisations such as Nissan had to shut down their systems, Sciemus explained.
The WCry event also demonstrates that, on questions of aggregation and accumulations, “a traditional insurance industry focussed lens is relatively immaterial,” Sciemus said.
The impact of an attack like WCry is “tied to the underlying reliance on technology for core business processes and each entity’s respective cybersecurity posture” which can vary wildly across sector and industry. What data they carry or records they hold is immaterial here.
The WannaCry event also demonstrates the need for the cyber insurance industry to be cognizant of the issues surrounding legacy systems and the difficulty in removing them in many sectors and businesses. These legacy systems and their exposures are going to be part of the underwriting landscape for years to come and so underwriters need to appreciate and understand how they affect the overall exposure base.
Being a worm that self-propagates, WCry will also raise fears of so-called “silent” cyber losses.
“This “in the wild”, non-targeted aspect of WCry will create concerns around accumulation for that insurance capital providing “silent cyber” coverage for “cyber all-risks” exposures such as system failure,” Sciemus explained.
As events such as this could increase in number and prevalence, as crime actors see them as an easy way to have a massive impact across sectors and borders, the insurance and reinsurance implications are huge (even if losses aren’t right now).
Sciemus explained the need for a fresh approach to cyber risks; “WCry will hopefully serve as the catalyst for an approach to exposure modelling that focuses on an understanding of these attacks rather than an indeterminate view of impact observed, particularly when the approach to underwriting, risk and capital management is heterogeneous.
“Cyber risk modelling should appropriately capture or reflect an exposure such as WCry; ultimately, cyber risk management is increasingly centric to enterprise risk management with the convergence of engineering and technology.”
Essentially, WannnaCry forces a new look at cyber and a fresh approach is required. In the context of this type of attack; underwriters cannot rely on catch-all exclusions, including cyber for free in property covers is downright dangerous to underwriters businesses and real expertise is required to understand the method, meaning and mode of cyber attack.
“WannaCry is helping (re)insurance capital model cyber risk in the context of converged cyber exposure rather than the more narrow actuarial focus on de-linked outcomes,” Sciemus concluded.
As we wrote yesterday, the forecasts for global cyber insurance underwriting suggest a $14 billion market by 2022 and an attack like WannaCry will stimulate demand for cyber cover.
Sciemus highlights the need for a fresh approach to underwriting, both to provide better cyber risk transfer products to clients and to ensure underwriters have a clear understanding of the exposure they are assuming.