15 May 2017 | Insurance

‘WannaCry’ ransomware cyber-attack highlights protection gap outside US

A massive ransomware worm caused damage across the globe over the weekend of May 13-15, 2017, stopping car factories, hospitals, shops and schools.

Starting in the UK and Spain, the malicious WannaCry software quickly spread globally, blocking customers from their data unless they paid a ransom using Bitcoin. Those affected included the UK’s health care system NHS, Spain’s telecoms firm Telefonica and French carmaker Renault.

Unlike the US, where the cyber insurance market is comparatively well developed, elsewhere in the world such attacks may leave affected organisations with millions of dollars of losses due to a low take-up of cyber insurance cover.

“Cyber is a relatively new type of insurance cover,” specialist insurer Beazley said in a statement.

Ransomware attacks are very difficult to defend against – backups are really the only defence, Beazley noted.

Firms face major costs

“The main costs of such an attack are business interruption, costs of recovering from backups,” the insurer noted.

The industrial-scale global cyber-attacks, with 200,000 victims across 150 nations including Britain’s National Health Service and the Russian Federation’s Interior Ministry, were no freak coincidence, said risk management software and services company Russell Group in a statement.

“Organisations need to boost their software upgrades to bolster defences against such risks, while governments need to accelerate the process of regulation in an increasingly vulnerable connected world,” said Russell Group managing director Suki Basi.

The overall cost of getting businesses going again could run into the billions of dollars, with companies in Europe, including Russia, and Asia particularly vulnerable, Reuters reported May 15.

Companies that were not prepared for WannaCry can expect to rack up business interruption costs that far exceed a ransomware payment, Reuters cited Kevin Kalinich, global head of Aon’s cyber risk practice, as saying.

US firms are better protected

US firms are a step ahead of the rest of the world when it comes to cyber protection. Nearly nine out of 10 cyber insurance policies in the world are in the US, Kalinich told Reuters. The annual premium market stands at $2.5-$3 billion, according to the news agency.

“Our research indicates US businesses have better processes and procedures in place,” said Matt Webb, group head of cyber at Hiscox.

The faster development of the US cyber market was driven by an early introduction of state breach notification laws. Greater transparency motivated companies to buy cover to protect them from damages they were required to report.

Businesses were facing significant costs when they had to figure out what happened when, for example, a laptop was lost, and how many different states and regulators they had to notify, Robert Parisi, managing director and cyber product leader at Marsh, had previously told Intelligent Insurer.

An upcoming European Union directive is expected to have a similar effect on the continent.

The looming introduction of new data breach regulations in Europe is likely to boost demand for cyber insurance, offering insurers and reinsurers a potential growth market at a time of stagnating demand in other lines, according to experts.

“The mandatory disclosure laws being introduced under the European privacy directive, the General Data Protection Regulation (GDPR), which comes into effect in 2018, is much stronger, with much more significant ramifications than any US law,” Kalinich had previously told Intelligent Insurer.

GDPR will replace Directive 95/46/EC and will be directly applicable in all EU member states from 25 May 2018 without the need for implementing national legislation. It sets standards for data protection not only for companies within the EU but also for those outside the EU which are offering goods or services to EU data subjects. GDPR will carry fines of up to 4 percent of annual turnover for the mishandling of data breaches and stipulates that data breaches have to be reported within 72 hours.

Cyber attacks are expected to rise

The recent ransomware attack offers further proof that stronger cyber protection is necessary, and not only in Europe, as risks are expected to rise.

A recent study by US insurer AIG showed that nine in 10 global cyber security and risk experts believe that cyber risk is systemic and that the recent ransomware attack should not come as a surprise.

Industries most likely to face a systemic attack in 2017 include: financial services (19 percent), power/energy (15 percent), telecommunications/utilities (14 percent), healthcare (13 percent) and information technology (12 percent).

More than one-third of the experts estimated the likelihood of a simultaneous attack on as many as 50 companies at greater than 50 percent in the next year.

Around 20 percent of experts saw an even greater threat, predicting a better than even chance that as many as 100 companies will be attacked.

Michelle Crorie, partner at law firm Clyde & Co, commented: “Data breaches and cyber hacks are now one of the biggest threats large businesses are facing around the world.”

Hiscox’s Webb added: “We have seen a rise in ransomware attacks over the last 24 months.”

“Hackers are incredibly crafty at finding vulnerabilities. [...] Costs to businesses are not limited to any initial ransom payments. The investigation and restoration of files can be prohibitive, and there may also be business interruption costs.”

Governments need to act

“Friday’s events remind us how devastating ransomware attacks can be and how quickly they can spread,” Webb noted.

The incident over the weekend of May 13-15 exploited a Microsoft vulnerability which allowed the malware to spread more easily.

“The governments of the world should treat this attack as a wake-up call,” according to a Microsoft statement.

All of this provides the broadest example yet of so-called “ransomware,” which is only one type of cyberattack, the software maker said in the statement.

Governments need to take a different approach and adhere in cyberspace to the same rules applied to weapons in the physical world, Microsoft suggested. “We need governments to consider the damage to civilians that comes from hoarding these vulnerabilities and the use of these exploits.”
