Global ransomware attack could leave $166bn 'insurance gap'

Out-Law News | 01 Feb 2019 | 9:25 am | 2 min. read

Businesses around the world could be exposed to losses totalling $166 billion in the event of a major ransomware attack, and the cost to insurers of paying out on claims covered by cyber insurance policies could exceed the total value of the premiums they collect from those policyholders, according to a new report.

Researchers at Nanyang Technological University in Singapore, together with insurance industry and academic experts, developed a scenario which highlighted the potential for a "concerted global cyber attack propagated via malicious email" to cause disruption and losses across sectors such as retail, manufacturing and healthcare on a global scale.

The research also found that insurers are "significantly exposed to a contagious malware event".

According to the scenario, malware is spread throughout networks after an email containing the computer virus is opened. The malware encrypts all the data on every device connected to the networks impacted, and within 24 hours affects 30 million devices worldwide. To regain access to their data, organisations are required to pay a ransom fee to the attackers.

The researchers predicted that in the worst case the ransomware attack would cost companies $193 billion. They said, though, that just $27.3bn of the economic losses would be covered by insurance policies. The report suggested most of the cover would address losses stemming from business interruption, but it also accounted for costs associated with cyber extortion, data loss and incident response that would be insured.

However, according to the study, while $22bn of the losses would be covered by dedicated cyber insurance policies, this is more than three times the value of the current estimated market for commercial cyber insurance. The total value of premiums from dedicated cyber insurance policies is thought to be around $6.4bn.

"This scenario emphasises to organisations – individual entities, industry associations, markets and policy makers – the importance of raising awareness of the risk, assessing the potential damage it could cause, and integrating effective responses within their business-as-usual practices," the report said.

"There are lessons for the insurance sector, too, as the report also highlights potential insurance policy, legal, and aggregation issues in cyber insurance offerings. Insurers should make explicit allowance for aggregating cyber-related catastrophes. To achieve this, data collection and quality is important, especially as cyber risks are constantly changing," it said.

According to the report, growth of the cyber insurance market is "both necessary and inevitable". It said the increase in cyber attacks in Asia has been spurring recent growth in the market, and predicted "further insurance take-up" in future. It also indicated that the introduction of the General Data Protection Regulation (GDPR) in Europe could spur growth in the region, and pointed to continuing year-on-year growth in the US, which is the world's most developed cyber insurance market.

"Unless properly protected and segregated, back-up systems are susceptible to ransomware attacks, leading to increased, and avoidable, business interruption losses," cyber risk expert Seaton Gordon of Pinsent Masons, the law firm behind Out-Law.com, said. "Ransomware presents particular risks to legacy supervisory control and data acquisition (SCADA) systems in the industrial sector, and to 'patchwork' IT systems that are made up of many different pieces of software, particularly common following a merger of two companies, which may not mesh seamlessly."

"Businesses should be prepared to report ransomware attacks as a personal data breach under the GDPR. If they have not already done so, they should develop and test a cyber incident response plan," he said.

Reinsurance firm Swiss Re recently said that the global market for personal cyber insurance could grow to be worth more than $3 billion by 2025.