Saturday, September 23, 2017

WannaCry hit Asia hard but won’t boost cyber policies

On the face of it, insurers trying to push cyber policies in Asia couldn’t have crafted a better marketing campaign than the WannaCry ransomware attack.

Because the virus exploited older Windows operating systems and those that have not been kept up to date with the latest security patches, it hit pay dirt in Asia, where many businesses and individuals use pirated software that never gets updated. It also struck some major targets in Europe, though, including Britain’s National Health Service, where Windows XP is still in widespread use.

The potential scale of the infection in Asia is off the charts. Consider that around 18% of computers in China are reckoned to run on Windows XP and around 70% of software used in the country is unlicensed, according to The Software Alliance. Piracy is so prevalent that everything from universities to local governments and state-owned companies is vulnerable. The supposedly prestigious Tsinghua University has reported infection, as have China Telecom and Hainan Airlines.

Most countries in the region are similarly exposed, and WannaCry is a serious wake-up call that is helping to sell some buyers on the urgency of cyber policies. “We’ve had calls from clients who have been thinking about cyber insurance for years but want to push the button now,” Sarah Stephens, head of cyber at insurance broker JLT, told the FT.

That makes sense. The WannaCry ransomware demand is just US$300 worth of bitcoins per infected machine, which is clearly a figure that could be covered by insurance. The wisdom of paying out to such cyber criminals is another matter, of course, but in theory the exposure is manageable. Indeed, risk analytics company AIR estimates that the total loss would be less than US$100 million even if the ransom is paid for all infected computers.

“However, a bigger concern from a loss perspective is the business interruption that could result from companies having to shut down their systems, reformat computers and recover their data from backups,” says AIR researcher Eric Dallal. “Estimates of business interruption costs range from US$1 billion to (a highly implausible) US$4 billion.”

But this kind of discussion is largely irrelevant because there’s a Catch-22 situation here. The risk managers speaking to insurers about buying cyber insurance are a different population to those who were actually infected by WannaCry. After all, the easiest and cheapest way to protect against this kind of attack is to use legitimate software and keep it up to date. Companies that haven’t taken such basic steps aren’t about to leap up the ladder and start buying insurance — and who would be willing to insure a network running on pirated software anyway?

Sure, WannaCry might encourage some buyers to finally pull the trigger on an extension they had been considering for years, but it will not drive a new universe of clients into the hands of grateful insurers. It is unlikely even to convince Asian businesses and institutions to switch to licensed software, which would be the necessary first step to becoming potential insurance buyers.

Of course, the arithmetic of anything to do with China is that even a small shift can have a big effect on demand. Insurers will be hoping that this is the case here, but don’t hold your breath.
