RMS cyber risk management expert, Tom Harvey, called the recent WannaCry ransomware attack that hit businesses across the globe the world’s “first ever cyber-catastrophe,” he told Reinsurance News it demonstrates the systemic nature of the risk with “a single vulnerability resulting in hundreds of thousands of infected machines across over 150 countries.”
And the attack could have been significantly worse, as the WannaCry virus exploited a vulnerability that Microsoft had patched nearly two months ago – giving many companies the opportunity to plug the hole before being attacked.
A kill switch within the software helped to further alleviate potential damage as it allowed security experts to contain the spread to some extent.
“Thus, it is not a true zero-day. Had it been, the scale of this event – and potential losses – would have been many orders of magnitude higher.
“But while unprecedented this was not unexpected. RMS modeling scenarios show this kind of hacking campaign as just one of numerous types of extreme but plausible cyber-catastrophes,” Harvey said.
Only a modest $63,000 has been paid in ransoms so far – but ransom payments make up only a small proportion of the total losses insurers face.
And while it’s still too early to count the full cost of the attack for the re/insurance industry, Harvey highlighted the potential for claims and costs to be felt across a broader range of re/insurance sectors; “With 74% of cyber policies on the market offering cyber extortion coverage this is a loss that is still evolving.
“Firms with cyber policies will likely have triggered coverage for incident response, data and software loss, and even regulatory response costs. And that’s before business interruption is counted. With several large manufactures, hospitals and telecoms providers disclosing downtime, these losses will be significant.”
The risk management expert stressed that this was an issue that goes beyond cyber insurers, adding that within the soft property insurance market several insurers may see their non-damage business interruption (BI) coverage trigger, as well as insurers with Kidnap and Ransom books, who, Harvey says, “should look closely at their policies wordings to see whether they are exposed.”
And insurance, reinsurance and capital market underwriting and cyber focused data and analytics company, Sciemus Cyber, also recently reiterated that the event could be just the catalyst that the insurance and reinsurance market needs to stimulate a new approach to cyber risks, echoing Harvey’s forewarnings that re/insurers across a range of lines could be impacted by the attack, to suggest that a more holistic view of cybersecurity was needed.
The attack further underlines the greater collaboration required between the primary market and reinsurance capacity to offset the complex, costly and far-reaching impact of cyber risk, as well as the need for a broader approach and understanding of cyber risk that enhances understanding of exposures amongst the many businesses who have witnessed an event for the first time.
Therefore an adequate response to the ransomware attack will likely require increased coordination and collaboration between key providers, regulators, and consumers of re/insurance, who all face a similar dilemma of how to evolve in response to demands for cyber security and cover and unlock the huge potential of this risk to benefit companies and carriers.