The WannaCry ransomware is one of the most significant and widespread cyber security attacks ever experienced. In addition to causing substantial disruption to businesses globally, it also illustrates the emerging risks that the insurance industry faces when it comes to cyber attacks.
This article provides background about the attack, which continues to unfold, and calls out implications for the insurance industry as cyber risk permeates more aspects of the global economy.
On May 12, 2017 a new variant of the Ransom.CryptXXX family of ransomware began impacting a large number of organizations, particularly in Europe.
WannaCry encrypts data files and ask users to pay a US$300 ransom in bitcoins. The ransom note indicates that the payment amount will be doubled after three days. If payment is not made after seven days, the encrypted files will be deleted. It propagates to other computers by exploiting a known SMB remote code execution vulnerability in Microsoft Windows computers. (MS17-010) The exploit, known as “Eternal Blue” was released online in April in the latest of a series of leaks by a group known as the Shadow Brokers, who claimed that it had stolen the data from the Equation cyber espionage group.
There are reports of infections in over 100 countries, including high profile targets and many others that remain unreported in the public domain. At least 16 National Health Service (NHS) organizations in the UK have been hit with some outpatient services being canceled; Deutsche Bahn has confirmed some passenger information displays and ticket machines were inoperative; and Spanish telecom company Telefónica confirmed the ransomware has impacted parts of its IT system.
More information about the security implications of WannaCry is available from Symantec in the article “What you need to know about the WannaCry Ransomware”. But in addition to impacting the security industry, the event has substantial implications for insurers.
What does this mean for insurers?
1. Insurance Aggregation Events are No Longer Geographically Constrained: Unlike natural catastrophes, where insurers have a geographically contained footprint, companies impacted by cyber attack cross geographic boundaries and are difficult to track. Big data analytics from major technology companies with a large install base can provide modeling for how such a risk is likely to spread. For example, in 2016 Symantec tracked 357MM new malware variants leveraging a detection network of 225MM devices in 157 countries. Ransomware is a particularly pernicious form of malware with 464K detections (up 36% in 2016). Data-driven methods will be needed to model historical events and understand what learnings they provide about the impact of cyber aggregation scenarios, like WannaCry.
2. Need to Stress Test Insurer Losses Against Cyber Aggregation Scenarios: Cyber risk is embedded into all aspects of the global economy and therefore into policies that spread far beyond standalone affirmative cyber data loss insurance. Vendors, such as Symantec, are partnering with insurers to develop and model these scenarios based on the highest frequency and severity potential aggregation events.
The spread of self-propagating mega malware taking advantage of vulnerability in a systemically important operating system (much like this month’s WannaCry attack) is a core scenario (scenario 19) in the probabilistic cyber aggregation model that Symantec Cyber Insurance is releasing this summer. Similarly, the service interruption to a major cloud service provider and an attack on a DNS provider were all scenarios envisaged by modeling firms such as Symantec and were realized in the past 12 months with the AWS S3 outage and the Mirai DDOS attack. (For more information see, “3 Reasons Why the Insurance Industry Will Never Be the Same After the Mirai DDoS Attack”).
Scenario-based approaches can never cover all eventualities but recent evidence suggests the events that most concern cyber experts are indeed the events that have transpired.
3. ‘Underwriting Due Diligence’ is a Critical First Line of Defense Against this Novel Risk: Although cyber risk is new, it is a risk that can be partially understood with specialist cyber insurance underwriters that know what questions to ask. Best in class enterprise security with multiple layers of protection is often needed for tackling advanced persistent threats seeking to infiltrate sensitive data in a targeted attack. In the case of WannaCry, with an untargeted attack, families who simply have our Norton product have protection against WannaCry. Having underwriters that understand the importance and having minimum security standards in place, like leading endpoint protection, is an important first start.
4. Security Analytics can Supplement Insurance Data Sets to Inform Underwriting Practices: The current WannaCry malware exploits a vulnerability in Microsoft that has been publicly known since March 14th 2017, when an update was made available by Microsoft. These vulnerabilities are exposed all of the time. For example, since the WannaCry announcement in the May 2017 Microsoft update alone 17 critical vulnerabilities were rated critical. Underwriters can ask their prospective insureds about patching cadence however the answer, if they get one at all, is not as simple as “we patch every X days”. Insurers can supplement this data with reference tables from Symantec Cyber Insurance with benchmarks for aggregated peer comparables and refine underwriting strategy based on granular security data.
5. Discover Vulnerabilities with Automated Underwriting Intelligence: In some cases, insurers do not even need to ask questions about whether a particular technology is in place as outside-in tools from companies like Symantec can observe externally observable signals associated with IP addresses and websites owned by a company. For example, Symantec’s website security scans in 2016 found that 24% of websites had no known vulnerabilities, 67% had non-critical vulnerabilities and 9% had critical vulnerabilities. This data can rapidly prioritize which insureds a carrier will underwrite.
6. Insurers as Trusted Advisors During Major Cyber Events: With the rapid growth of cyber insurance, insurers have become a trusted source of guidance in terms of what to do when such attacks happen. Since news broke about the WannaCry ransomware, insurers have been a key source of guidance for corporate clients about what is happening and what to do about it. When insureds are hit by ransomware, insurers can be a key source of guidance in advance of a breach and post-breach inevitably insurers have dealt with ransomware sometimes hundreds of times before and can be guides to taking the appropriate responses and bringing together the appropriate legal, communications and security teams to respond.
Symantec is working with insurance partners, including our partnership with Marsh & McLennan Companies reinsurance brokerage division Guy Carpenter, to model cyber risk with analytic software built specifically for cyber insurers. Symantec’s 23 scenario insurance cyber catastrophe model will be released in late summer 2017, however, in response to the urgent need for insurers to understand this risk, we are helping our insurance clients understand the risk of our vulnerable operating system malware scenario in advance of that release.
WannaCry is one of the most significant malware events seen to-date but it will not be the last to pose a systemic risk to the global economy.
Understanding emerging cyber risk may seem challenging but as interconnected technologies permeate all aspects of the global economy, the problem is too important for insurers not to understand. Addressing cyber risk will require collaborations between the cyber security industry, insurers and our mutual clients.
Together, the cyber security and insurance industries can make our economy more resilient to the most important risk of the 21st century.