WannaCry underscores a need for cyber hygiene and insurance
In the days following, headlines bemoaned the arrival of the long-feared “ransomware meltdown,” while critics jumped to blame Microsoft for product insecurities and condemned the National Security Agency for stockpiling vulnerabilities. While it’s easy to assign blame and stoke fear, policymakers should, instead, use the attack as an opportunity to encourage better cybersecurity behavior and sensible risk management practices – including cyber insurance.
Cyber insurance was first touted during the dot-com boom of the early 2000s, but has only recently grown in popularity. Like other types of insurance, cyber insurance offers financial protection from sudden and unexpected losses.
For instance, in addition to coverage for WannaCry-like ransom attacks, many policies now encompass a wide range of possible costs businesses may face associated with a breach, including regulatory fines, legal costs, public relations services and costs associated with internet downtime. Because cyberattacks can result in all sorts of unexpectedly large expenses, coverage designed to insulate a business from the financial shock of a cyberattack is vital.
In the case of WannaCry, the total illicit haul of the ransom is projected to be less than one hundred thousand dollars. Yet, downstream damages are expected to tally in the billions. In fact, one firm is projecting that up to $8 billion in global computer downtime costs may accrue to services ranging from hospitals and government agencies to car companies.
The consequences of that damage may, for some, be ruinous. According to Symantec, ransomware attacks have increased 36 percent from 2015 to 2016, while the average ransom has increased 266 percent in that time to $1077.
With the number of attacks on the rise, it is important to note that cyber insurance can both facilitate resilience and can also assist in the maintenance of system security. That’s because the underwriting process, during which the insurer assesses the risk it considers taking on, often requires a cyber risk assessment. Once a policy is written, specific policy terms often require adherence to basic security practices such as patching or regular network assessments. Companies that do not meet a threshold of cyber preparedness may not be eligible for coverage, may face higher premiums and could risk losing their coverage entirely. Put another way, cyber insurance coverage contributes to a culture of preparedness.
Cyber insurance take-up rates are growing, but the market is still evolving and penetration is uneven. According to a recent survey by Aon, only 33 percent of companies worldwide had cyber insurance coverage. Foreign countries are at a particular disadvantage when it comes to recovery because they hold less than 10 percent of all cyber insurance policies.
This is particularly worrying because WannaCry revealed a geographic gap in cyber preparedness. Russia and China saw the largest incidence of infected computers, suggesting that lax patching practices and overreliance on pirated or outdated systems is more common abroad. Those companies without coverage today face the full brunt of the costs associated with the WannaCry attack.
Though the domestic cyber insurance picture is better, more should be done to encourage coverage. For instance, while the White House’s recent cybersecurity executive order reiterated that cybersecurity is a priority area for the Trump administration, it was silent on the role cyber insurance can play in incentivizing agencies and their contractors to internalize cyber preparedness. This is a missed opportunity. The government can use the power of the purse to promote cyber insurance adoption in the market as a whole by requiring federal contractors to acquire certain types of cyber risk coverage.
High-profile cyberattacks like WannaCry highlight the need for cyber preparedness and cyber insurance. A policy approach that emphasizes both—and cyber insurance in particular as a market solution to the global ransomware problem—will be a boon for companies and consumers alike.
UPDATE (May 30, 2017): This piece originally cited a statistic attributed to the National Cyber Security Alliance that the alliance says is outdated.