A massive global cyberattack that began Friday illustrates the need for businesses to obtain robust insurance policies that cover everything from hackers' ransom demands for restoring system access to business interruption losses, experts say.
The wide-ranging attack, carried out by hackers wielding ransomware dubbed "WannaCry," has hit public institutions and private businesses alike in 150 countries. Britain's national health system, FedEx and the Russian Interior Ministry are among the most high-profile of the tens of thousands of victims. The malicious program locks users out of their computer systems and blocks access to data until a ransom is paid.
While maintaining comprehensive cybersecurity measures is critical, broad insurance coverage is equally important for companies and institutions to protect themselves against risks such as the WannaCry attack, according to experts.
Here, experts discuss how companies can best shield themselves from the ever-evolving ransomware threat.
Identify All Potentially Implicated Policies
The actual ransom payment demanded by cyber-extortionists is rarely the greatest financial risk posed by a ransomware attack, experts say. The hackers behind WannaCry, for instance, are demanding just $300 in bitcoin from targeted users, and as of Monday afternoon, they had pulled in less than $60,000 in ransom payments, according to data from Elliptic, which tracks "illicit" bitcoin transactions.
However, an interruption in computer access — even if it only lasts for a few hours while a company is going through the process of making a ransom payment — can have potentially devastating consequences, particularly for small businesses and for health care providers and other institutions that treat injured patients. Britain's National Health Service, for instance, said Friday that 16 of its hospitals had been hit by WannaCry, leading to delays and cancellations.
While no injuries have been reported in connection with the hospitals' troubles from the ransomware attack, such risks remain within the realm of possibility and could carry another layer of exposure, according to experts.
"We could certainly see some type of bodily injury or malpractice insurance claims arise where an allegation is made that the facility is responsible not only for the patient's health but securing data so they can treat patients on an emergency basis," said Anderson Kill PC shareholder Joshua Gold.
Cyber policies usually exclude coverage for any claims stemming from bodily injury, so a company facing injury claims following a ransomware attack would have to look to a general liability or other policy for coverage. And policies in a company's arsenal may provide coverage for property damage and other losses resulting from hacking incidents, according to experts.
"When an event like this hits, policyholders should inventory all of their insurance policies to see which ones get noticed," Gold said. "Even if one doesn't have a cyber policy, there may be other policies that respond to this type of loss. Property insurance policies often provide some measure of cyber protection. Following certain hacking events, the majority of policyholders have won the battle over whether there was 'physical' damage. Critically, property policies may also cover business interruption."