The Petya ransomware attack, which seems to have begun in the Ukraine, continues to spread around the world. It is affecting companies from Russia, through Europe, North America and Australia.
The ransomware bears a resemblance to the recent ‘WannaCry’ virus and seeks to exploit similar weaknesses in Microsoft XP.
These attacks raise a number of issues for insurers and for insureds alike. For insureds, there will be questions over the adequacy of their insurance cover. The ransom demanded by the attackers, reported to be $300 in bitcoin, is a relatively modest sum and there is no guarantee that payment will release locked systems. Indeed, access to the email account to which victims were asked to send notice of the ransom payment has been blocked. That means the hacker has no way of knowing who paid and experts are advising victims not to make the ransom payments. In the circumstances, the real losses are likely to be in respect of business interruption (either direct or contingent), rectification and reputational damage. It is by no means certain that either specialist cyber cover or general insurance policies will provide protection for losses of this nature.
For insurers, these attacks will again highlight the pressing issue of ‘silent cyber cover’ as a result of which non-specialist policies may have to respond to losses caused by these attacks. Uncertainty over the extent of this cover may make it difficult for insurers to access the extent of their exposure quickly.
For reinsurers, these attacks again flag up the significant aggregation issues that cyber losses can generate with industries all over the world and as diverse as power generation, shipping, energy production, chocolate manufacturing as well as law firms all being affected.
Finally, it is also worth noting that, as with so many of these attacks, the initial penetration of a company’s system is very likely to be a consequence of inadvertent error. This underlines once again the importance of proper staff training and preparation for the inevitable attack.