With the swirl of coverage of the WannaCry ransomware "epidemic," you might expect an avalanche of claims on cyber insurance policies in the past few weeks.
In fact, CyberScout has seen no more ransomware-related claims activity from our U.S. and Canadian operations center than usual.
For those of us who work these situations day in and day out, this is not surprising, and neither is the fact that the countries and areas hit hardest by WannaCry were not the U.S. or Canada.
While many media outlets theorized that North America dodged this bullet due to the quick actions of a U.K. researcher who effectively found the kill switch, the reality is more nuanced. Here's why…
No. 3: Updated systems
The main reason that the U.S. and Canada were not hit as hard as many other countries comes down to lower rates of pirated and out-of-date Microsoft operating systems. When system software is pirated (illegally copied) or no longer supported or patched, it creates a system-wide vulnerability, since the user cannot stay current with software updates that protect against malware. While the U.S. does have a high incidence of software piracy, Microsoft OS piracy is relatively low compared to Russia or China. In addition, with the exception of government and some corporate legacy systems, many U.S. businesses have phased out Windows XP because Microsoft no longer supports it.
If you were to take a map of the countries that pirated Microsoft software most heavily over the last ten years and overlay it with the countries still relying on unsupported Windows XP, you would end up with the hardest-hit countries in the WannaCry ransomware outbreak, which included Russia, Ukraine, India, Taiwan, China, Romania, Egypt, Iran, Brazil, Spain and Italy.
The chief takeaway for insurers and organizations: Buy and run software that is supported by the vendor.
Countries with the most pirated Microsoft software also were the hardest hit by WannaCry. (Photo: iStock)
No. 2: Less than expected claims activity
As cyber insurance comes more to the forefront, we see that regions with higher concentrations of insurance adoption tend to have risk-averse cultures. However, good insurance underwriting in these regions also helps drive behavior. In order to qualify for comprehensive cyber coverage that addresses data ransom attacks and business interruption, organizations have to pass muster. Typically, the insured organization must be running legally purchased and licensed software, and it must have a patch management system, antivirus, firewall, monitoring and log management, and so forth. Even small businesses must demonstrate good, up-to-date and documented practices and procedures around IT infrastructure and infosec.
At the same time, the mere fact that an organization has taken the step to purchase cyber insurance implies that they are more likely to have systems that are modern, patched and continually maintained. They will probably have good data backup and management, as well as proper IT management and staffing, whether internal or outsourced. The simple fact that underwriters accept an organization means that it is at least staying with the pack regarding basic IT protection. With this profile, most cyber policyholders are less likely to suffer losses from a ransomware attack like WannaCry, reminding us that preparation is the best defense against ransomware.
No. 1: More bark than bite
The most interesting part of WannaCry was just how quickly it spread, earning a reputation as the first global ransomware pandemic. As far as viruses go, it was nothing new, and its intent was not to corrupt systems or data, but instead to extort money through encrypting data. Or so it seemed, at first, until analysts determined that the hackers did not reap high ransoms. Now some experts have suggested that the perpetrators from North Korea were aiming to cause havoc. If this attribution is made with enough certainty, most carriers will avoid paying on their policies since acts by terrorists, by governments or due to war are typically excluded.
As far as scale goes, the latest count estimates 300,000 infected computers. Even by the most conservative of estimates, this would mean that only 0.03% of Windows-based PCs were affected globally. A future malware attack could have the potential to reach a far bigger population.
What to expect moving forward
The most worrisome aspect of this malware attack was how quickly it spread and the pandemic nature of the attack. While the industry dodged a bullet this time, we cannot ignore the serious fact that backdoor tools that were in the U.S. government's possession were released into the wild, and they are still out there. The proof of concept for a global malware pandemic has now taken place, and we should be prepared for more frequent and potentially more destructive attacks using these tools.
The WannaCry ransomware variant has already changed and hackers will morph it further, so next time we may see some real losses. In any event, it's likely we will see this infection impacting systems for years to come.
Eduard Goodman is chief privacy officer at CyberScout (formerly IDT911). He can be reached via email at egoodman@cyberscout.com.