Risk managers should review their cyber crisis plans in light of last month's global ransomware attack and use the incident to revisit the cyber insurance market, Airmic has urged.
In advice sent to members in the immediate aftermath of a wave of cyber attacks on Friday 12 May, Airmic's deputy CEO Julia Graham said: "Airmic members are well positioned to take a lead in the co-ordination of a response to a cyber incident across their organisation."
She continued: "As risk managers, you should be asking: are your cyber incident crisis plans up to date and rehearsed? Do people know where the plans are and what their roles will be? And do all of your people understand what the organisation's policy is for commenting about an incident?"
Graham noted that while there may be no such thing as a completely satisfactory response to a crisis situation, the cost and reputational damage of a poorly handled event is often exacerbated by social media in a "sound-bite world". As a result, prior response planning, and communicating those plans to your own people and other stakeholders, is essential.
Last month's cyber-attack, using WannaCry malware, affected organisations around the world, including some parts of the NHS in the UK, Germany's rail network Deutsche Bahn, Spanish telecommunications operator Telefonica, US logistics giant FedEx and Russia's interior ministry.
The ransomware - software that blocks access to data until a ransom is paid - was combined with a worm - a programme that replicates itself in order to spread to other computers. This allowed an infection on one computer to spread quickly across networks. Fears that the attack would spread further the following week were never realised, but Airmic described the attack as "unprecedented in its scale, indiscriminate in its targets".
Airmic members were provided with advice from the National Cyber Security Centre (NCSC). In particular, the NCSC advises businesses to report ransomware attacks to Action Fraud and not to pay the ransom demand.
Airmic also advised members to review the options available in the cyber insurance market. According to the association, many of its members are looking at the possibility of transferring cyber risk to the insurance sector, with almost half having already tested such coverage (Transformation of the risk/insurance management profession survey, Airmic, 2017), but uncertainty over the extent and nature of cover available remains.
However, according to Graham, "relevant covers are becoming available from insurers writing cyber insurance and the incident last [month] highlights that the next organisation to be affected by a cyber incident could be yours."
The association noted that typical modules of cover currently available include:
- Privacy and data breach: including forensic investigation costs, legal obligations (e.g. notification and reporting), and costs due to third parties (including potential compensation);
- First party damage and business interruption: including replacement and restoration costs after damage to data, systems and potentially physical property, and loss of profits and additional costs of working following damage;
- Incident response: including support to the organisation following a cyber incident, forensic costs, crisis management support, legal costs, and public relations costs;
- Extortion: including cyber extortion negotiation and ransom costs, cover for restoring data / system access where a ransom is not paid.
Julia Graham, deputy CEO and technical director, Airmic