European, Asian companies short on cyber insurance before ransomware attack
Many companies outside the United States may not have cover for a recent computer-system attack, leaving them potentially with millions of dollars of losses because there has been relatively little take-up of cyber insurance, insurers say.
A massive ransomware worm caused damage across the globe over the weekend, stopping car factories, hospitals, shops and schools, amid fears it could wreck fresh havoc on Monday when employees return to work.
Cybersecurity experts said the spread of the virus dubbed WannaCry – “ransomware” which locked up more than 200,000 computers in more than 150 countries – had slowed, but the respite might only be brief.
The overall cost of getting businesses going again could run into the billions of dollars, with companies in Europe, including Russia, and Asia particularly vulnerable.
Nearly nine out 10 cyber insurance policies in the world are in the United States, according to Kevin Kalinich, global head of Aon Plc’s cyber risk practice. The annual premium market stands at $2.5-$3 billion.
The biggest reason for the larger penetration in the United States, says Bob Parisi, U.S. cyber product leader for insurance broker Marsh, “is that the U.S. has been living with state breach notification laws for the past 10 years.”
The greater transparency created an incentive for U.S. companies to get insurance to compensate for damage from incidents they were required to report. An upcoming European Union directive is expected to have the same impact there.
Companies that were not prepared for WannaCry can expect to rack up business interruption costs that far exceed a ransomware payment, said Kalinich.
“If you’re a hospital that turned away patients, if you’re a global delivery company that can’t send package, or a telecom company in Spain, Russia or China, the financial statement impact from the business interruption is much larger than the $300 ransomware,” he said.