The WannaCry ransomworm has made insurance companies take notice. Customers have started to file damage claims, but it is still too early to see the insurance industry's full exposure to this recent malware pandemic. For insurers, the main threat from WannaCry is not any one individual company getting infected but the aggregated risk.
Cyber-security policies are a fast-growing new insurance market; pundits predict 5 billion in premiums by 2020. Organizations buy policies so that in the event of a data breach or ransomware infection they can file a claim and get help to recover costs and remediate damage.
But... How About Pre-existing Conditions?
"The WannaCry worm is one of the most significant and virulent forms of malware ever seen and therefore the insurance industry is taking notice," Pascal Millaire, vice-president and general manager for cyber-insurance at Symantec, told eWEEK.
"Insurers underwriting cyber-risk can handle ten losses or a hundred losses, but when there is a major systemic event that can lead to thousands or tens of thousands of simultaneous claims," Millaire said. "At that point there are solvency issues that can threaten the future of an insurer."
So insurers try to limit their risk, similar to medical insurance where the issue of pre-existing conditions has seen a lot of controversy.
Three Things To Be Aware Of In the Fine Print
There are three issues you need to be aware of when you buy a cyber-security policy, or when you review your existing policy:
- Is a known vulnerability that you have not patched a pre-existing condition?
- Should an unpatched system be covered under a clause for errors and omissions?
- When an employee falls for a phishing attack and infects the network that way, is that covered?
"Different policies will respond in different ways on what is covered and what is not," Millaire said. This means you need to have your legal department look into this carefully.
WannaCry was an exception: it exploited a Microsoft vulnerability for which a patch was already available and spread like a worm, whereas 95% of ransomware spreads through email and social engineering. Cyber insurance normally does not pay out when employee error was the cause of the infection.
Looking specifically at WannaCry, Millaire said that it's too early to tell at this point if WannaCry will have an impact on cyber-insurance premiums in the months ahead. I strongly suggest, though, that if your organization is now looking into buying cyber-insurance, you get quotes from several sources and very carefully analyze what is covered in each scenario.
Stepping employees through new-school security awareness training where they get trained with frequent simulated phishing attacks is an extremely effective way to bring down the risk of ransomware infections.
Now is the time to inoculate your employees against ransomware attacks. Get a quote for your organization and find out how affordable this is. You simply have got to start training and phishing your users ASAP. If you don't, the bad guys will, because your filters will never catch all of it. Get a quote and you will be pleasantly surprised.