The latest version of ransomware to wreak havoc on businessesand utilities around the globe has several names: Petya, NotPetyaand GoldenEye, but the outcome is still the same — majordisruption.

The virus started its virulent computer attack on June27^th and according to antivirus expert McAfee, businesses in the U.S. Canada, GreatBritain, the Ukraine, China, Brazil and Australia were severelyimpacted. Even Russia reported that a major oil company and asteelmaker were affected.

Companies like U.S. law firm DLA Piper, Danish shipping magnetA.P. Moller-Maersk A/S, a number of Ukrainian banks, an Australianchocolate factory and even the worldwide operations of FedEx Corp.are just some of the entities assessing the damage to theiroperations. At ports around the world, terminal operators had toresort to their back-up plans or manual procedures, which severelyimpacted their ability to accept shipments, but allowed them tokeep running.

More precise than WannaCry

Similar to the WannaCry virus that struck just a few weeks ago, Petya has targeted thousands ofcomputers and demands a $300 ransom paid in Bitcoin. However, thesimilarity ends there. McAfee says that once a computer isinfected, the virus is much more precise in what it infects. WhileWannaCry tried to infect every IP address possible, Petyadetermines whether or not a machine is a workstation or a domaincontroller with access to multiple IP addresses that can beinfected within a network.

According to a UPI report, a cybersecurity researcher believeshe has identified a "vaccine" which will work on Microsoft Windowsoperating systems and should protect individual computers. However,no effective "kill switch" has been identified to keep the virusfrom spreading to other computers.

For insurers it's a huge dose of déjà vu when they haven'trecovered from the effects of the WannaCry ransom attack. Granted,the financial impact of WannaCry wasn't as severe in the U.S., but businesses in othercountries are still dealing with the after affects.

Two weeks ago, a Honda auto manufacturing plant in Japan wasforced to shut down because the virus had infected one of itsproduction facilities. Several days later, the virus affected 55speed cameras in Victoria, Australia, when a contractor accidentlyintroduced the worm into the camera system.

Companies with cyber policies will likely only beresponsible for the deductible and not the actual ransom. (Photo:Shutterstock) 

Claims impacts

In 2016, the Insurance Information Institute found that cyberincidents ranked third in terms of global business risk forinsurers behind business interruption/supply chain risks and marketdevelopment.

Now, insurers are bracing for more claims from anotherransomware attack. "The types of claims insurers are likely to seewill depend upon the insurance issued," explains Joan D'Ambrosio, apartner in Clyde & Co. "For cyber insurers with affectedpolicyholders, there could be first-party expenses associated withretaining forensic experts to assist in determining whether theentity can decline to pay the ransom because there is adequatebackup of the encrypted data."

Coverage triggered regardless of whether or not data isdamaged

Russell Heaton, cyber class underwriter for ArgoGlobal, sayscoverage will be triggered regardless of whether or not any data isdamaged. "Any costs above the deductible will likely be covered,"Heaton says. This may include the forensic evaluation to determinethe extent of the damage, restoration costs, public relations costsand the ransom itself, as well as other first-party expensesassociated with the ransomware attack.

"Counsel also may need to opine regarding whether data wasaccessed or exfiltrated, which could lead to notificationobligations, especially in the healthcare arena," adds D'Ambrosio."In addition, there are likely to be first-party claims forbusiness interruption if the company's systems were down orcompromised for a material length of time, impacting normalbusiness transactions; this is where we expect to see the majorityof the claims arising from this incident. Finally, thereis the possibility of third-party claims by customers or clients ofthe company if the attack caused the company to be unable todeliver required products or services."

The continued number of ransomware and other cyber attackshighlight the importance of carrying cyber insurance. (Photo:Shutterstock)

Insurer risks

The biggest risk for insurers comes from aggregated losses. "Theclaims could be small in number," says Heaton, "but the event isglobal in nature and losses could be aggregated across multiplelines."

D'Ambrosio concurs. "In an increasingly connected world, it isnot difficult to imagine realistic scenarios under which attacks oninterconnected systems, such as infrastructure, could have acatastrophic knock-on effect across many companies and vastgeographic areas at the same time."

Commercial insurers have greatest exposure

While reinsurers may bear some of the aggregated risk,commercial insurers will have the greatest exposure because theyare more likely to underwrite the risk for multiple companies saysHeaton.

Even though insurers offering cyber coverage are well aware ofthe impact from cyber attacks, their continued increase mayencourage providers of non-cyber policies to consider addingcyber-related exclusions.

"Although many non-cyber traditional insurers have contemplatedcyber exclusions, including ISO exclusions, specific cyberexclusions for the most part have not yet become industry standardin many classes of business," explains D'Ambrosio. "Therecent increase in widespread attacks, affecting multipleindustries and geographic locations, certainly may lead to anenvironment where non-cyber insurers increasingly add exclusions tomake certain to avoid possible unintended exposures, frequentlyreferenced as 'silent cyber' exposures."

She adds that these attacks will also "fuel growth in thealready explosive cyber insurance market, where insurers continueto develop the products to best address the emerging riskspresented."

Cyber policies recommended

The increase in ransomware attacks only serves to highlight thecontinued need for all businesses to purchase some measure of cybercoverage. Heaton recommends that small to medium-sized companiesconsider purchasing at least $10 million in cyber coverage and thatlarger businesses consider carrying $100 million or more. "Peopleoften buy general liability and professional liability coverages,which exclude cyber. Any company with a network or online presenceshould buy a cyber policy," he advises.

Related: WannaCry and the dawn of large-scale businessinterruption

Experts advise against paying the ransom since there is noguarantee that the hackers will actually be able to provide the keyto unlock your data. (Photo: Shutterstock)

Ransomware breach?

Experts have some very specific recommendations for companies impactedby a ransomware attack.

"Don't pay the ransom," counsels Steve Ranger,U.K. editor-in-chief for TechRepublic/ZDNet because there are noguarantees that the hackers will be able to decrypt theinformation. "They've already locked up your machine once, don'ttrust them."

Ranger also advises backing up all systems to a second source ofdata that will give the company access to their records. And herecommends making sure all patches are up to date.

Heaton agrees that insurers need to encourage their clients tomake sure they are constantly updating their systems, but saysthere are some challenges. "Larger companies take longer to patchvulnerabilities, since they need to be tested because the systemsare more complex. We have to see what impact it will have on thesystem because it can actually have a negative impact, and thatmakes it more difficult to install."

'Playing catchup with ransomware'

Following a breach, companies should also notify their insurerand their cyber team to begin assessing the extent of thedamage, learn how the attack entered the system, determine whetheror not law enforcement or other government entities need to beadvised, as well as identify how and when to notify customers orclients.

Heaton says that the reality is that "we will always be playingcatchup with ransomware. We need to make sure we have strong IPsecurity and event planning in place. Claims will happen and weneed to address them as best we can. You lock up your othervaluables and it's the exact same principle for cybersecurity."

Related: Humans: The weakest link in social engineering andcyber attacks