Currently, cyber insurance companies do not cover instances of human error. However, the recent WannaCry ransomware attacks have caught the attention of insurance companies around the globe.
Customers have started to file damage claims, yet it is a bit too early to see the malware pandemic's impact on the insurance industry. For insurers, the main threat regarding WannaCry does not concern any individual infected company, but rather involves overall aggregated risk.
The estimated total financial damage caused by WannaCry in just its first four days exceeds a billion dollars, largely caused by the hours of downtime for large organizations worldwide.
Now, cyber security policies are fast-growing in the insurance market, with pundits predicting five billion dollars in premiums by 2020. Organizations are buying these policies so that in the event of a data breach or ransomware infection, they can easily file a claim and get help to recover costs and remediate damages.
But... What About Pre-Existing Conditions?
According to Pascal Millaire, the vice-president of Symantec, insurance companies are noticing the significance of the recent WannaCry attacks.
He warns of the problem of major systemic events, like WannaCry, which could potentially lead to hundreds of claims at one time, grossly overwhelming insurance companies. Similar to medical insurers, cyber insurance companies also try to limit their overall risk, which includes controversial policies regarding pre-existing conditions.
Three Questions to Ask
There are three questions you should ask when shopping for a cyber security policy or when reviewing your existing policy:
- Do you know of any vulnerabilities that you have not patched or other pre-existing conditions?
- Should an un-patched system be covered under a clause for errors and omissions?
- When an employee falls for a phishing attack and infects the network, is that covered?
It's important to remember that not all cyber insurance companies offer the same level of coverage. That means you should always have your legal department look over cyber insurance policies carefully.
An estimated 95 percent of ransomware spreads through email and social engineering, yet WannaCry exploited a Microsoft vulnerability that had already been patched and spread like a worm. Keep in mind that the majority of cyber insurance does not pay out when employee error was the cause of infection.
Looking specifically at WannaCry, Millaire says that it's too early to tell if it will have a significant impact on cyber insurance premiums in the months ahead. However, he strongly suggests that if your organization is currently looking into purchasing cyber insurance, get quotes from several different companies and carefully analyze each option.
It's time for security awareness training that simulates phishing attacks, which is an extremely effective way to decrease your organization's risk of ransomware infections.