The WannaCry ransomware attack of Friday 12 May is now petering out, although its effects linger on in some places and fears of follow up attacks remain. As well as testing the IT systems and preparedness of its victims, events such as this also test the wordings of the cyber policies and other traditional covers on which many insureds rely.
Based on what we know about the WannaCry attack so far, it seems to have been malware downloaded onto the victim's system (perhaps via an email link) and once there exploiting a Windows security vulnerability. Once downloaded and activated, WannaCry seems to have been able to spread to other machines with the same vulnerability. This vulnerability, more prevalent in older Windows software such as Windows XP, was identified in around March (after its presence was leaked online) and a patch was issued by Microsoft. Reports suggest hundreds of thousands of computers were affected across the globe with hotspots in the UK, Russia, Spain and the US.
The effect of WannaCry is to encrypt or 'lock' data on the machine so that it cannot be accessed unless a ransom of around $300 in Bitcoins is paid. This effectively makes the infected computer unusable to a significant extent, and in a working environment has either stopped processes working or degraded capability as users try to work without the data or without the affected computer system. It is not clear if paying the ransom will restore all capability but in any event affected machines will have to be thoroughly tested and updated – if they are used again at all. Huge disruption inevitably results from event like this and financial losses can be significant.
But what if you are an insurer providing cover for business interruption losses or cyber-attacks? How are these events likely to impact on you?
First of all it does of course depend on the policy wording concerned but the first issues for insurers (and their insureds and brokers) will be:
- Is there an incident response service under the policy and has it been called upon to deal with the immediate effects? There are time critical aspects to WannaCry but there could still be time to take steps to isolate the problem and restore from back-up systems.
- If there is business interruption cover does it respond to cyber events? If it is dependent on physical damage taking place first, probably not.
- If the disruption caused by WannaCry means insureds breach their duties to others, will the ensuing claims fall within standard liability cover? In many cases they will but it is not always clear – particularly where standalone cyber cover is available to meet this type of loss instead.
The WannaCry type of scenario is a great test of how cyber cover really responds and could test some wordings. Cyber insurers will be thinking about a range of issues including:
- What event triggers the cyber cover? Is it the ransom demand or the infiltration of the malware onto the system – which could have been some time before and may pre-date the policy period or a retroactive date.
- Are security vulnerabilities of this type covered? Malicious code, such as WannaCry, will often be within the definition of cyber security incidents in cyber policies - but some are more focussed on the loss of third party information and data breaches.
- Has the insured taken reasonable steps to prevent the loss if using unsupported or unpatched software? Are known or preventable losses excluded?
- What level of cyber extortion support does the policy provide? The WannaCry ransom appears to have been small but if an organisation experiences the WannaCry attack across hundreds or thousands of machines – how will any aggregation wording operate?
It has often been said that a high profile cyber incident may be what the cyber insurance market needs. It will be interesting to see whether the WannaCry attack kicks off a spike in insureds taking out cyber cover.