The latest version of ransomware to wreak havoc on businesses and utilities around the globe has several names: Petya, NotPetya and GoldenEye, but the outcome is still the same — major disruption.

The virus started its virulent computer attack on June 27th and according to antivirus expert McAfee, businesses in the U.S. Canada, Great Britain, the Ukraine, China, Brazil and Australia were severely impacted. Even Russia reported that a major oil company and a steelmaker were affected.

Companies like U.S. law firm DLA Piper, Danish shipping magnet A.P. Moller-Maersk A/S, a number of Ukrainian banks, an Australian chocolate factory and even the worldwide operations of FedEx Corp. are just some of the entities assessing the damage to their operations. At ports around the world, terminal operators had to resort to their back-up plans or manual procedures, which severely impacted their ability to accept shipments, but allowed them to keep running.

|

More precise than WannaCry

Similar to the WannaCry virus that struck just a few weeks ago, Petya has targeted thousands of computers and demands a $300 ransom paid in Bitcoin. However, the similarity ends there. McAfee says that once a computer is infected, the virus is much more precise in what it infects. While WannaCry tried to infect every IP address possible, Petya determines whether or not a machine is a workstation or a domain controller with access to multiple IP addresses that can be infected within a network.

According to a UPI report, a cybersecurity researcher believes he has identified a "vaccine" which will work on Microsoft Windows operating systems and should protect individual computers. However, no effective "kill switch" has been identified to keep the virus from spreading to other computers.

For insurers it's a huge dose of déjà vu when they haven't recovered from the effects of the WannaCry ransom attack. Granted, the financial impact of WannaCry wasn't as severe in the U.S., but businesses in other countries are still dealing with the after affects.

Two weeks ago, a Honda auto manufacturing plant in Japan was forced to shut down because the virus had infected one of its production facilities. Several days later, the virus affected 55 speed cameras in Victoria, Australia, when a contractor accidently introduced the worm into the camera system.

computer locked by ransomware

Companies with cyber policies will likely only be responsible for the deductible and not the actual ransom. (Photo: Shutterstock) 

|

Claims impacts

In 2016, the Insurance Information Institute found that cyber incidents ranked third in terms of global business risk for insurers behind business interruption/supply chain risks and market development.

Now, insurers are bracing for more claims from another ransomware attack. "The types of claims insurers are likely to see will depend upon the insurance issued," explains Joan D'Ambrosio, a partner in Clyde & Co. "For cyber insurers with affected policyholders, there could be first-party expenses associated with retaining forensic experts to assist in determining whether the entity can decline to pay the ransom because there is adequate backup of the encrypted data."

|

Coverage triggered regardless of whether or not data is damaged

Russell Heaton, cyber class underwriter for ArgoGlobal, says coverage will be triggered regardless of whether or not any data is damaged. "Any costs above the deductible will likely be covered," Heaton says. This may include the forensic evaluation to determine the extent of the damage, restoration costs, public relations costs and the ransom itself, as well as other first-party expenses associated with the ransomware attack.

"Counsel also may need to opine regarding whether data was accessed or exfiltrated, which could lead to notification obligations, especially in the healthcare arena," adds D'Ambrosio. "In addition, there are likely to be first-party claims for business interruption if the company's systems were down or compromised for a material length of time, impacting normal business transactions; this is where we expect to see the majority of the claims arising from this incident. Finally, there is the possibility of third-party claims by customers or clients of the company if the attack caused the company to be unable to deliver required products or services."

cyber attack code

The continued number of ransomware and other cyber attacks highlight the importance of carrying cyber insurance. (Photo: Shutterstock)

|

Insurer risks

The biggest risk for insurers comes from aggregated losses. "The claims could be small in number," says Heaton, "but the event is global in nature and losses could be aggregated across multiple lines."

D'Ambrosio concurs. "In an increasingly connected world, it is not difficult to imagine realistic scenarios under which attacks on interconnected systems, such as infrastructure, could have a catastrophic knock-on effect across many companies and vast geographic areas at the same time."

|

Commercial insurers have greatest exposure

While reinsurers may bear some of the aggregated risk, commercial insurers will have the greatest exposure because they are more likely to underwrite the risk for multiple companies says Heaton.

Even though insurers offering cyber coverage are well aware of the impact from cyber attacks, their continued increase may encourage providers of non-cyber policies to consider adding cyber-related exclusions.

"Although many non-cyber traditional insurers have contemplated cyber exclusions, including ISO exclusions, specific cyber exclusions for the most part have not yet become industry standard in many classes of business," explains D'Ambrosio. "The recent increase in widespread attacks, affecting multiple industries and geographic locations, certainly may lead to an environment where non-cyber insurers increasingly add exclusions to make certain to avoid possible unintended exposures, frequently referenced as 'silent cyber' exposures."

She adds that these attacks will also "fuel growth in the already explosive cyber insurance market, where insurers continue to develop the products to best address the emerging risks presented."

|

Cyber policies recommended

The increase in ransomware attacks only serves to highlight the continued need for all businesses to purchase some measure of cyber coverage. Heaton recommends that small to medium-sized companies consider purchasing at least $10 million in cyber coverage and that larger businesses consider carrying $100 million or more. "People often buy general liability and professional liability coverages, which exclude cyber. Any company with a network or online presence should buy a cyber policy," he advises.

computer as a crime scene after a cyber attack

Experts advise against paying the ransom since there is no guarantee that the hackers will actually be able to provide the key to unlock your data. (Photo: Shutterstock)

|

Ransomware breach?

Experts have some very specific recommendations for companies impacted by a ransomware attack.

"Don't pay the ransom," counsels Steve Ranger, U.K. editor-in-chief for TechRepublic/ZDNet because there are no guarantees that the hackers will be able to decrypt the information. "They've already locked up your machine once, don't trust them."

Ranger also advises backing up all systems to a second source of data that will give the company access to their records. And he recommends making sure all patches are up to date.

Heaton agrees that insurers need to encourage their clients to make sure they are constantly updating their systems, but says there are some challenges. "Larger companies take longer to patch vulnerabilities, since they need to be tested because the systems are more complex. We have to see what impact it will have on the system because it can actually have a negative impact, and that makes it more difficult to install."

|

'Playing catchup with ransomware'

Following a breach, companies should also notify their insurer and their cyber team to begin assessing the extent of the damage, learn how the attack entered the system, determine whether or not law enforcement or other government entities need to be advised, as well as identify how and when to notify customers or clients.

Heaton says that the reality is that "we will always be playing catchup with ransomware. We need to make sure we have strong IP security and event planning in place. Claims will happen and we need to address them as best we can. You lock up your other valuables and it's the exact same principle for cyber security."

Want to continue reading?
Become a Free PropertyCasualty360 Digital Reader

Your access to unlimited PropertyCasualty360 content isn’t changing.
Once you are an ALM digital member, you’ll receive:

  • Breaking insurance news and analysis, on-site and via our newsletters and custom alerts
  • Weekly Insurance Speak podcast featuring exclusive interviews with industry leaders
  • Educational webcasts, white papers, and ebooks from industry thought leaders
  • Critical converage of the employee benefits and financial advisory markets on our other ALM sites, BenefitsPRO and ThinkAdvisor
NOT FOR REPRINT

© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.

Patricia L. Harman

Patricia L. Harman is the editor-in-chief of Claims magazine, a contributing editor to PropertyCasualty360.com, and chairs the annual America's Claims Event (ACE), which focuses on providing claims professionals with cutting-edge education and networking opportunities. She covers auto, property & casualty, workers' compensation, fraud, risk and cybersecurity, and is a frequent speaker at insurance industry events. Contact her at [email protected]