[BreachExchange] Widespread Ransomware Attacks: The New Norm?

Audrey McNeil audrey at riskbasedsecurity.com
Fri Jul 28 14:06:08 EDT 2017


http://www.lexology.com/library/detail.aspx?g=8e00247c-e74f-4a9b-b886-01f7a5ea49f8

Global ransomware attacks such as WannaCry and the more recent Petya are
raising troubling questions regarding cyber risk aggregation, not only for
organizations across all industries and geographic borders but also for
their insurers.

In mid-June, a number of European and American businesses, including banks,
power companies and even a large law firm, reported a widespread ransomware
attack that exploited a Microsoft Windows vulnerability similar to the one
WannaCry had exploited earlier in the year. These broad and indiscriminate
attacks are adding complexity to cyber claims and urgency to cyber risk
management.

The types of claims insurers are likely to see from these and other
ransomware attacks will depend upon the insurance issued. Cyber insurers
with affected policyholders could see first-party expenses associated with
retaining forensic experts to assist in determining whether the entity can
decline to pay the ransom because there is adequate backup of the encrypted
data. Depending upon the policy, there could be coverage for the ransomware
payment, if the entity determines it will pay the ransom. In addition,
there may be other first-party expenses associated with privacy counsel to
guide the investigation and assist with the company’s decisions regarding
how to handle the ransomware attack, including liaising with law
enforcement.

One of the worrisome elements of ransomware attacks is the seemingly
inexpensive ransom demand, which leads some businesses to pay it in the hope
that the problem will go away. A payment of $300 in bitcoin, the amount
demanded in the recent Petya attack, is obviously small compared to the
financial resources of a large organization. The danger is twofold: such
payments encourage further attacks, and a ransomware attack may not be
limited to simply encrypting data, since some attackers use ransomware to
obscure other malicious activity. Impacted companies need to be vigilant
about this possibility and ensure a thorough investigation.

If data is accessed or exfiltrated, victim organizations could face
notification obligations to individuals and/or regulators. Best practices
dictate organizations should seek the opinion of counsel regarding
notification requirements. In addition, there are likely to be first-party
claims for business interruption if the company’s systems were down or
compromised for a material length of time, impacting normal business
transactions; this is where we expect to see the majority of the claims
arising from the Petya incident. Finally, if notifications are required,
there is the possibility of regulatory investigations or third-party claims
by customers or clients of the company if the attack prevented the company
from delivering products or services.

Cyber insurance growth likely

Although many traditional non-cyber insurers have contemplated cyber
exclusions, including ISO exclusions, specific cyber exclusions for the
most part have not yet become industry standard in many classes of
business. The recent increase in widespread attacks, affecting multiple
industries and geographic locations, may lead to an environment where
non-cyber insurers increasingly add exclusions to ensure they avoid
possible unintended exposures, frequently referred to as “silent cyber”
exposures. In any event, there can be little doubt that the increase in
these types of widespread, indiscriminate attacks will fuel growth in the
already explosive cyber insurance market, where insurers continue to
develop the products to best address the emerging risks presented.
Accompanied by increasing regulation, such as GDPR in the EU, these high
profile widespread attacks are likely to act as a catalyst for the further
development of cyber insurance products.

As with any widespread risk that potentially can lead to aggregated losses
across multiple industries and multiple lines of insurance, the recent
global ransomware attacks present devastating loss potential for insurers.
In an increasingly connected world, it is not difficult to imagine
realistic scenarios under which attacks on interconnected systems, such as
infrastructure, could have a catastrophic knock-on effect across many
companies and geographic areas at the same time.

Reinsurers may have aggregated exposure to the “silent cyber” risks facing
direct non-cyber-specific insurers, and many reinsurance wordings still do
not address cyber exposures. Certainly, the aggregation and clash potential
arising from systemic, catastrophic cyber attacks is a concern to
reinsurers. At the same time, the current climate of evolving and
increasing cyber risk presents an excellent opportunity for reinsurers, as
primary insurers and policyholders look for greater security and more
stable risk transfer platforms.