Wannacry cyber attack exposes vulnerability to ransomware; potential issues with cover

The WannaCry ransomware attack raises some interesting considerations when seen through the lens of cyber insurance. The attack infected over 230,000 computers in 150 countries. Notable victims include the NHS, FedEX and Telefónica.

It will be interesting to see whether this attack drives any noticeable uptake in cyber insurance among businesses. Previous attacks, such as TalkTalk in 2015, may have been dismissed by businesses (rightly or wrongly) on the grounds that it was a unique set of circumstances affecting a single business. The WannaCry attack is a good example of how indiscriminate a cyber event can. Businesses, individuals and government bodies have all been affected in equal measure: much like an infectious disease, ransomware knows no class. Query whether this will serve to focus the minds of board members.

Businesses with cyber cover may now be checking their policy wordings. WannaCry exploited a Windows vulnerability that was patched two months before the attack. Only computers that had not been properly updated were affected by the attack. Given this, what was the cause of the loss? The attack or the failure to update systems? In a cyber policy, such questions may hinge on whether an attack is a ‘direct or indirect’ cause of the claimed loss. On the WannaCry facts, a policy requiring that the insured event be a ‘direct’ cause of the loss would likely not respond. The direct cause of the loss was the negligent failure to update systems. This breaks the chain of causation.

Variations on the ransomware are already in circulation. Policies and PCs worldwide are being patched.