The following is an opinion piece from James Stanbury and Ben Hobby, partners at RGL Forensics, an international forensic accounting firm.
The recent WannaCry ransomware attack has put into sharp focus the daily operational risks that face both the public and private sectors. The press spotlight in the UK was understandably on the NHS, but the effects were felt by the private sector too, and the cyber insurance market has responded accordingly. Indeed, the nature of the attack – its timing (on a Friday), its geographical reach across a broad range of industries and its apparent concentration on older operating systems – raises various issues for cyber insurers.
The focus of the attack was initially reported as being on Windows XP systems (introduced in 2001), but more recently it appears that a significant majority of attacks have been on Windows 7 systems, first released in 2009. Microsoft released a patch to fix the vulnerability in March this year, but it transpires that various organisations and companies had not applied it or were running operating systems that Microsoft no longer supported. This raises concern as to how corporates’ senior management are prioritising cyber security as an operational risk and whether they are using their best endeavours to keep system security as up to date as possible. In turn, the insurance industry may seek to focus more, in its policy wordings, on warranties regarding the currency of software updates.
Given the scale of the WannaCry worm, it is not surprising that it has been spoken of in terms of a “catastrophe” type loss. It presently appears that it is not, but the industry is now talking of not “if” but “when” another widespread cyberattack will occur. Although the reported number of 230,000 computers that were affected is not large relative to the total number of computers operating worldwide, it is the immediacy, dynamism of technological change and worldwide geographical reach that singles it out from other catastrophic insurance events. Natural disasters (such as hurricanes), which the property insurance market has faced for many years, give warning, are slower to evolve and are relatively localised – the opposite of a cyberattack.
Although the cyber insurance market has, for several years, been debating catastrophic events and exposures (in particular, the impact of the failure of a cloud service provider), WannaCry brings into focus how the market will, in future, approach evaluating probable maximum loss (PML). The lack of cyber loss history is often cited as an obstacle to the development of loss models, and progress is being made towards uniformity in data collection; it is the dynamic and changing nature of the cyber threat, however, that most hinders progress.
In evaluating PML, one of the many variables is timing: what day of the week an event occurs. The WannaCry worm was released on a Friday and so, importantly, before the weekend, when, for some companies, production would have either stopped or been reduced in any event. For companies required to provide a 24/7 service, such as utilities, the impact could have been more serious – Taiwan Power Company had some 800 computers affected by WannaCry, but fortunately they were used for administration, not electricity generation.
Any attack on business systems brings with it the prospect of business interruption and, more importantly, the need to focus on post-incident business continuity with remedial and restoration action first and foremost. If WannaCry had happened on a weekday, the outcome may have been quite different. That said, the financial effect does not always need to be substantial: as we regularly see in our claims reviews, companies can mitigate by working overtime, rescheduling orders or increasing production post-restoration.
WannaCry is now enshrined as a watchword. That a similar attack of such scale will happen again within the next year seems to be accepted wisdom and, therefore, will undoubtedly create challenges for insureds and insurers alike.
The views expressed within the article do not necessarily reflect those of Insurance Business.