Following the recent WannaCry computer system attack, it has been reported by Reuters citing insurers that many companies outside the United States may lack the cover needed, potentially leaving them with millions of dollars of losses because there has been relatively little take-up of cyber insurance.
The massive ransomware worm, called WannaCry, caused damage across the globe and locked up more than 200,000 computers in more than 150 countries. The damage was seen across car factories, hospitals, shops and schools. Cybersecurity experts said the spread of the virus had slowed, but the respite might only be brief.
The overall cost of getting businesses going again could run into the billions of dollars, with companies in Europe, including Russia, and Asia particularly vulnerable. According to Mr Kevin Kalinich, global head of Aon's cyber risk practice, almost nine out ten cyber insurance policies in the world are in the US. The annual premium market stands at US$2.5-$3 billion. The biggest reason for the larger penetration in the US, said Mr Bob Parisi, US cyber product leader for insurance broker Marsh, "is that the US has been living with state breach notification laws for the past 10 years." The greater transparency created an incentive for US companies to get insurance to compensate for damage from incidents they were required to report.
Companies that were not prepared for WannaCry can expect to rack up business interruption costs that far exceed a ransomware payment, said Mr Kalinich. Organisations hit by the attacks, which lock up computer systems until the victims pay a ransom, included Britain's National Health Service, French car manufacturer Renault, and Spain's Telefonica. West Coast cyber risk modeling firm Cyence estimated the average individual ransom cost from Friday's attacks at US$300, and the total economic costs from interruption to business at US$4 billion.
The US Cyber Consequences Unit, a non-profit research institute that advises governments and businesses on the costs of cyber-attacks, estimated more modest total losses. They were likely to range in the hundreds of millions of dollars, and unlikely to exceed US$1 billion, the group forecast.
Demand in Europe was expected to rise even before the cyber attacks, after an EU directive is implemented in mid-2018 requiring companies to notify authorities of a data breach. However, insurers are likely to more carefully scrutinise risks they take on as well as how they word policies and exclusions, Mr Kalinich said "they will want to pick the companies that are most prepared." Other firms might be eligible for coverage, but more exclusions may apply, he said.