Hitachi Group Global Network




Middle East and Africa



What is WannaCry and its Transformative Effect on Cyber Insurance?
You are here: Home \ Cyber Law \ What is WannaCry and its Transformative Effect on Cyber Insurance?
Ransomware and cyberinsurance
Posted on Tuesday, May 23rd, 2017 by

Is Ransomware Covered By Your Cyber Insurance?


The WannaCry ransomware propelled cyber security and cyber insurance to the front news again, however this malware and the subsequent Adylkuzz attack this week may be game-changers. WannaCry is a takes advantage of a Microsoft Windows vulnerability that holds the infected computer hostage and demands that the victims pay a ransom to regain access to the files on their computer. The virus spread to over 150 countries and hundreds of thousands of computers, in thousands of companies around the world.


To learn more about ransomware, read these articles on how to protect your data from ransomware attacks and on ransomware and the law.


Ransomware is not a new phenomenon and companies have long been searching for ways to reduce their risks. Cyber insurance firms certainly gain visibility in the wake of the WannaCry damages as companies look to reduce risk. Rick Welsh, CEO of the insurance firm Sciemus, stated that “this is a seminal moment in the development of the cyber insurance market”.

The industry is believed to be worth between $25M and $4B (USD) in annual premiums, which represents a relatively small portion of the insurance market, but the cost of the premiums is expected to triple by 2020, according to CNBC.

The question arises whether most companies that were affected by the WannaCry ransomware were covered by cyber insurance. In fact, many companies outside of the United States do not have such coverage. The popularity of these policies in the United States can be explained by the mandatory data notification laws that have been in place for years. However, with the upcoming General Data Protection Regulation in Europe and the expected coming into force of the mandatory notification requirement of the Canadian’s Personal Information Protection and Electronic Documents Act (PIPEDA), this type of insurance is likely to gain further popularity in these regions.

Despite the increasing popularity of cyber insurance, limits to coverage are critical to insurance companies managing risk. For instance, companies that failed to update their Microsoft Windows software with the latest patches or used pirated software were likely not covered. Therefore, cyber insurance will never be able to replace due diligence or information security protection controls. Organizations with controls in place and that follow NIST or ISO security frameworks are even subject to lower premiums.


Related post: How to reduce your cyber insurance premiums with information security controls


Cyber insurance policies are quite strict as to the types of incidents or circumstances that are covered. A law firm in Rhode Island recently sued its insurer for refusing to pay for the loss of business that resulted from a ransomware attack. A lawyer opened an attachment which contained a malware, leading to the encryption and holding hostage of all the firm’s documents.

The law firm eventually paid $25,000 USD in ransom but evaluated the loss of business at $700,000 USD since it could not bill hours during the crisis. The insurer refused to pay as the lost business income policy only applies to physical losses or damages to property at the business premises.

This statement is the subject of the conflict, with the law firm affirming that ransomware led to physical losses. According to The Merkle, a leading online news and research organization focused on the Cyber research and information, there are “lots of gray areas when it comes to cyber insurance”.


In Closing

If you decide to get cyber insurance, make sure to choose your cyber insurance parameters wisely. In the case of ransomware, cyber insurance might definitely be worth the premiums as it could cover the costs of the investigation, the ransomware, the notification, the PR agency to mitigate reputational damages, and credit monitoring and lawsuits resulting from any breach in sensitive data or service level expectations.

While cyber insurance can never substitute for leading edge IT security defense, it will mitigate risks in an increasingly risky cyber treat landscape. Cyber experts estimate that the next global cyber crisis is not so far down the road – will you be ready?


The World of Cyber Litigation and Compliance

Vanessa Henri
About author:
Vanessa is an academic and legal expert on data protection laws, as well as a certified data protection officer. Currently, Vanessa is Hitachi Systems Security’s Director of Legal and Compliance as well as Data Protection Officer. She oversees the performance of privacy advisory services by Hitachi Systems Security to its clientele, including services such as GDPR Posture Assessments. She advises boards of directors at the macro-strategic level on the implementation of privacy obligations through efficient reporting systems. She has published a variety of data privacy-related materials and has contributed as a speaker to various conferences about data protection laws, such as Code Blue, in Tokyo. Vanessa is a member of the Quebec Bar Association, and holds a master’s in laws from McGill University. She also teaches corporate cybersecurity practices at St Thomas University, in Miami, Florida. She is a certified Data Protection Officer.

Latest Webinars | Watch Now

Cybersecurity, Cyber Crime and Your Business — How to Strengthen Your Cybersecurity Posture – In collaboration with Cytelligence

Watch Now

Cybersecurity 101 for Credit Unions – In collaboration with the Caribbean Confederation of Credit Unions (CCCU)

Watch Now

Introduction to Technical Security Testing for Credit Unions – In collaboration with the Caribbean Confederation of Credit Unions (CCCU)

Watch Now