With this in mind, insurers are expected to face a set of difficult questions:

What should be the adequate policy wording and linkage between business interruption, network attack and extortion coverages? Take a peril-specific coverage approach to extortion. Currently, damages triggered by an extortion event are covered under multiple insurance agreements that have independent limits, retentions and underwriting. Mapping out extortion scenarios and the probability and exposure profiles unique to each one will result in superior and more predictable coverage.
How can they select good risks over bad risks? Study which extortion scenarios to expect, what the attack vector is, and what correlates with lower probability for that attack vector. Using the MongoDB example, consider testing the version of the applicant's MongoDB, and limit the percent of companies in your portfolio that run on MongoDB. Do the same for all other relevant technologies.
How can they manage the significant increase in aggregation risk? Diversify on technology assets and configurations; not industries. The industry is a proxy for a type of asset (e.g. Healthcare = PHI record), or technology type (e.g. Retail = Point of Sale system), but what really creates aggregation is the underlying specific technology choices.
How quickly can they provide a quality response? It's important to streamline triage and early response, and cut through the bureaucracy of deploying an incident response team. Knowing when paying ransoms will restore systems could be a key to cost savings.

In short, the future is about to get more complex and more technical. And no one is going to figure it out for the insurance company — it's up to them to answer the tough questions.

Special Reports /

WannaCry and the dawn of large-scale business interruption

Related Stories

Recommended For You