The large-scale global ransomware cyber-attack over the weekend should serve as a wake-up call to many small and medium-sized businesses.
While the market for large corporations’ cyber insurance needs has significant penetration, small and medium-sized businesses take out far fewer cyber policies. But as the global ransomware attack illustrated, every business is potentially at risk from cyber criminals.
“I think this demonstrates the need for being insured, whether you’re a small or a large company,” NAS chief underwriter Mike Palotay said.
“This has been an indiscriminate attack. It’s not targeted,” he explained. “You don’t have a hacker behind each attack on each company – it’s really more of an automated thing. It’s basically just spray and pray, really. So you’ve got small companies who are experiencing outages and disruptions and having to pay extortions. And then you’ve got FedEx and the National Health Service [in the UK] and a bunch of much larger organizations experiencing problems.
“Small and medium-sized businesses are very, very underinsured. The last figures I saw for small businesses that buy cyber insurance were in the single digits. This might be a wake-up call.”
The number of companies attacked that have paid out – or claimed with insurers – is low. According to a UK company tracking ransom payments through Bitcoin (the cyber criminals’ payment choice in this attack), the total was only about $50,000 yesterday. The attack was launched on Friday.
However, the widespread attack also brought to the fore a potential problem in the way insurance is priced, Palotay said.
“It does speak to why underwriting large books of cyber insurance is so challenging,” he said. “The aggregation potential is certainly there, and there’s been a big focus on that in the last few years. And rightly so. There are big, big aggregate numbers out there for the leading insurers and when something like this happens I think it’s a big wake-up call to everyone that maybe rates are getting too low and maybe we should be more careful. Hopefully it’s a kind of come-to-Jesus moment.
“The market has been growing fast and rate pressures are getting pretty significant. I don’t think the rates are really taking into account the substantial aggregation exposure from something like this, where you’ve got an automated malicious-code attack that targets a widespread vulnerability. This is not about a hacker using a specific tool to attack a company, this is about a self-replicating virus that spreads throughout the internet targeting millions of computers. That kind of thing is what keeps me up at night.”