WannaCry Ransomware Raises Stakes for Cyber-Security Insurance

Insurance companies are already starting to see claims as a result of the WannaCry ransomware worm, though it's still too early to measure the full financial impact.

WannaCry Ransomware

The WannaCry ransomware worm has raised the level of awareness about ransomware among the general public and it is also a major event for the cyber-security insurance industry that aims to help indemnify organizations against financial losses.

The cyber-security insurance industry is a growing market, with forecasts predicting up to $5 billion in insurance premiums by 2020. The promise of cyber-security insurance is that in the event of a data breach, or ransomware event like WannaCry, organizations can make claims to help recover costs and remediate damage.

"The WannaCry worm is one of the most significant and virulent forms of malware ever seen and therefore the insurance industry is taking notice," Pascal Millaire, vice-president and general manager for cyber-insurance at Symantec, told eWEEK

Symantec's cyber-insurance business takes the company's data intelligence and expertise in cyber-security and provides software for insurers to help understand cyber-risk. Millaire said that Symantec is also creating new products in partnership with insurance companies.

For insurers, the primary implication of WannaCry is not about any one individual single risk but rather as an aggregated risk.

"Insurers underwriting cyber-risk can handle ten loses or a hundred loses, but when there is a major systemic event that can lead to thousands or tens of thousands of simultaneous claims,"Millaire said. "At that point there are solvency issues that can threaten the future of an insurer."

Symantec has a cyber-aggregation model for major events like WannaCry to help understand the costs that could face insurers. WannaCry is one of three examples that have surfaced in the last 12 months on large scale systemic cyber-risks. The other two events are the Mirai internet of things botnet attack in September 2016 and the Amazon S3 outage in February 2017.

"Fortunately each of the three events likely only had a modest financial impact on cyber-insurers," Millaire said. "However insurers can no longer look at their portfolios and ignore the fact that there are hidden cyber-aggregation risks, regardless of whether the insurer is writing a specific cyber-insurance policy or other policies that might get triggered by a cyber-catastrophe."

WannaCry Claims

Millaire said that some of Symantec's clients are already processing insurance claims as a result of the WannaCry ransomware outbreak. However, he doesn't expect  the number of claims to be extraordinarily high since WannaCry exploited a known vulnerability and there are strong security software barriers available to mitigate the risk. The WannaCry attack exploited a vulnerability in the Microsoft Server Message Block (SMB) service, that was patched with the MS17-010 advisory on March 14.

"The number of claims would likely be higher if an attack exploited a previously unknown vulnerability," Millaire said.

In medical insurance, a cause of much public debate has been around the issue of pre-existing conditions. Whether or not a known vulnerability, that an organization has not patched, is considered a pre-existing condition, is also a subject of debate. Millaire added there is also debate around whether an un-patched system should be considered under a clause for errors and omissions in a cyber-insurance policy.

"Different policies will respond in different ways on what is covered and what is not," Millaire said. 

While the WannaCry attack exploited a patched Microsoft vulnerability, the attack payload itself was ransomware, which is something that organizations can and do in fact buy cyber-security insurance coverage to protect against.

"Ransomware is one of the explicitly-covered events in many cyber-insurance policies," Millaire said. "The issue however is the deductible."

Millaire added the often the ransomware amounts are relatively low and it is only when there is some form of business interruption, notification costs or legal liability when coverage for ransomware attacks really kicks in.

Looking specifically at WannaCry, Millaire said that it's to early to tell at this point if WannaCry will have an impact on cyber-insurance premiums in the months ahead.

"We do know that WannaCry has led to an increased interest in cyber-insurance purchases," Millaire said.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.