The massive WannaCry cyberattack on 12 May 2017 demonstrates the need to insure against the risks created in today’s interconnected online world.
WannaCry – also known as WannaCrypt, Wana Decryptor and WyCry – is a ransomware that encrypts or scrambles the data on computers running on Microsoft Windows operating systems. The only thing the computer user sees is a screen demanding a $300 (£230) payment in bitcoin to decrypt the machine and free the data.
WannaCry exploits weaknesses in Windows uncovered by researchers at the US National Security Agency (NSA). Those weaknesses were documented in a report stolen from the NSA by hackers and released online by WikiLeaks. Cybersecurity experts think ransomware bandits read the report and designed WannaCry to exploit those weaknesses.
The NSA is responsible for the WannaCry attack because it failed to share data about vulnerabilities with tech companies, Microsoft President and Chief Legal Office Brad Smith charged in a blog post. Smith believes that government cyberwarfare capabilities are a major risk because techniques developed by spy agencies often fall into the wrong hands.
“Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage,” Smith wrote.
WannaCry affected more than 150 Countries
The WannaCry assault was one of the most extensive cyberattacks in history. WannaCry infected hundreds of thousands of computers in more than 150 countries. Victims ranged from a large portion of Britain’s National Health Service (NHS) to 40,000 businesses and organizations in China.
Companies affected by WannaCry included Hitachi, Renault, PetroChina and Nissan. There was also a risk to public safety in India where more than 100 systems of the police department in Andhra Pradesh were affected by the virus. Computers at the power utility in Balurghat Bengal were also infected by WannaCry.
In the United State FedEx customers were unable to track shipments because of WannaCry. Computers operating on old software such as Windows XP were most vulnerable to WannaCry. The NHS was infected because many of its systems rely upon XP. Chinese organizations were extremely vulnerable because many of them use bootlegged versions of Windows that lack the protections of the latest generation Microsoft products.
The WannaCry danger is far from over, cybersecurity researchers uncovered five imitations or variations of the ransomware in development on 15 May, Bleeping Computer reported. They even found a program called the Aron WanaCryptor 2.0 Generator that is supposed manufacture new versions of WannaCry.
Driving demand for cybersecurity
WannaCry exposes the risks of today’s interconnected world but it also reveals tremendous opportunities for insurers. American insurance companies wrote $1 billion (£770 million) in cyber insurance premiums in 2015, Fitch Ratings estimated.
Sales of cyber insurance policies might be worth $20 billion (£15.47 billion) by 2020, Fitch Ratings Managing Director James Auden told Insurance Journal. The actual value of such policies might be far higher after high profile events like the WannaCry attack.
The largest writer of cyber coverage policies in 2015 was the American Insurance Group (AIG) which issued 16,418 policies worth $215 million (£166 million) in the United States in 2015, Fitch Data indicates. Other major players in the field include Chubb Limited, XL Group Ltd and Berkshire Hathaway Inc.
The amount of cyber insurance written is still limited because the profitability of the coverage is still unknown. Although events like WannaCry and the 21 October 2016 attack on major US websites including PayPal, Netflix and Amazon by the Mirai botnet might increase the profitability by raising awareness of the risks.
The biggest obstacle facing issuers of cyber insurance is the difficulty in evaluating cybersecurity measures. Even though worldwide spending on cybersecurity is expected to reach $1 trillion (£770 trillion) by 2021 it is often impossible to gauge its’ effectiveness.
Serious holes remain in many networks including obsolete software, fraudulent and ineffective security products and a worldwide shortage of cybersecurity professionals. Organizations are struggling to fill one million cybersecurity job openings a labour shortage that will grow to 1.5 million by 2019, Cybersecurity Ventures reported.
These security shortcomings will increase the demand for cyber insurance and the potential risks to insurers. Risks include massive claims and expensive litigation over cybersecurity claims.
Another major risk to insurers is the massive investment in cyberwarfare capabilities by governments in the United States, United Kingdom, China, Russia and elsewhere. The WannaCry attack demonstrates how easily official cyberweapons can fall into the hands of criminals and terrorists.
WannaCry demonstrates that cyber coverage will be one of the fastest growing and riskiest segments of insurance for the foreseeable future. Expect many new companies to enter the cyber insurance market, and new kinds of policies to appear in the future. Also expect to see major spikes in sales of cybersecurity policies whenever a big cyberattack occurs.