Ransomware strikes again

January 10 2020 by Nick Ferguson

One of the takeaways from the January renewal season was that ransomware losses are starting to hurt the profitability of cyber as a class of business, even though abundant reinsurance capacity has managed to keep a lid on rates.

In the latest example, foreign-exchange company Travelex has been taken offline after hackers encrypted its computer systems with the Sodinokibi ransomware. Cashiers at the company’s familiar desks in airports across Asia and the world are keeping in-store operations ticking over by changing money with calculators and keeping a manual tally, but the entire digital side of its business has been down since New Year’s Eve.

The attack has left the company unable to process online transactions or provide its usual services to clients such as banks, supermarkets, travel agencies, hotels and casinos. This part of the business turned over £184 million (US$240 million) in 2018 — or roughly £500,000 (US$653,000) a day.

Cover
Travelex reportedly has cyber insurance, but with that amount of lost business it will likely not have enough. Even the ransom demand of US$6 million may be beyond the typical cyber policy limit of a company the size of Travelex, which has total revenues of roughly US$1 billion.

For example, Marriott reportedly had US$150 million of cover at Lloyd’s when it revealed a substantial data breach in 2018, but even that extraordinary amount of protection represented less than three days of revenue.

It is also possible that the hackers, who are said to have had access to the company’s systems for several months, might know how much insurance the company has and are pitching their ransom demand accordingly.

On top of lost business and the potential ransom payment, Travelex may also incur a substantial fine under Europe’s data protection rules.

Some cyber security specialists have speculated that the hackers exploited a vulnerability that could have been patched in April last year. Regulators will take a dim view of the lapse if true, and the experience of British Airways last year demonstrates that they are not afraid to impose steep penalties in those circumstances.

Whether such fines should be covered under cyber policies has been a matter of debate, but Travelex would be facing an eye-watering US$15 million penalty if it were to be stung at the same rate as BA. However, the law allows a fine of up to 4% of global annual turnover, which could be up to US$40 million.

At either end of the scale, it is probably irrelevant whether the company’s insurance covers such fines. Its insurance will have long since run out.

Resilience
The lesson from most cyber attacks is that resilience is the best form of defence. Data security specialist Secureworks argues that the best way to limit the damage from ransomware is to employ what it calls a 3-2-1 backup strategy, which means keeping three copies of any important files — one primary copy, one on-site backup and one remote backup. Even then, recovering from a serious incident can take months.
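The 3-2-1 strategy described above is only useful if the backup copies actually match the primary and sit where the policy says they should. The following Python script is an added illustration, not code from Secureworks or from the article: it treats the rule exactly as the article states it (one primary, one on-site backup, one remote backup), hashes every copy, flags any backup that no longer matches the primary, and reports whether the set is compliant. The file contents, the `Copy` class and the location labels are constructed for the example.

```python
import hashlib
import os
import tempfile
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Copy:
    """One copy of a protected file. `location` is a constructed label:
    "primary", "onsite" or "remote"."""
    path: str
    location: str


def sha256_of(path: str) -> str:
    """Stream the file through SHA-256 so large backups need no extra memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def audit_321(copies: List[Copy]) -> Dict[str, object]:
    """Check one file's copies against the 3-2-1 rule as the article describes it:
    three copies in total, with one on-site and one remote backup. A backup only
    counts if it is present and byte-for-byte identical to the primary; anything
    else is reported as stale so it can be investigated (a stale copy can mean a
    failed backup job, or that the primary has been altered since the backup)."""
    primaries = [c for c in copies if c.location == "primary"]
    if len(primaries) != 1:
        raise ValueError("exactly one primary copy is expected")
    reference = sha256_of(primaries[0].path)

    intact: List[Copy] = []
    stale: List[str] = []
    for copy in copies:
        if copy.location == "primary":
            continue
        if os.path.exists(copy.path) and sha256_of(copy.path) == reference:
            intact.append(copy)
        else:
            stale.append(copy.path)

    has_onsite = any(c.location == "onsite" for c in intact)
    has_remote = any(c.location == "remote" for c in intact)
    total_copies = 1 + len(intact)
    return {
        "copies": total_copies,
        "onsite": has_onsite,
        "remote": has_remote,
        "stale": stale,
        "compliant": total_copies >= 3 and has_onsite and has_remote,
    }


def demo() -> Tuple[Dict[str, object], Dict[str, object]]:
    """Build a constructed sample: a healthy 3-2-1 set, then the same set after
    the remote copy silently diverges. Returns both audit results."""
    with tempfile.TemporaryDirectory() as root:
        data = b"constructed sample: daily transaction ledger\n"
        paths = {name: os.path.join(root, name + ".csv")
                 for name in ("primary", "onsite", "remote")}
        for path in paths.values():
            with open(path, "wb") as handle:
                handle.write(data)
        copies = [Copy(paths["primary"], "primary"),
                  Copy(paths["onsite"], "onsite"),
                  Copy(paths["remote"], "remote")]
        healthy = audit_321(copies)

        # Simulate a remote backup that was never refreshed.
        with open(paths["remote"], "wb") as handle:
            handle.write(b"constructed sample: yesterday's ledger\n")
        degraded = audit_321(copies)
    return healthy, degraded


if __name__ == "__main__":
    for label, result in zip(("healthy", "degraded"), demo()):
        print(label, result)
```

In practice the `Copy` inventory would be generated from the backup system's own catalogue and the check run on a schedule; a newly stale copy is the signal to act before an incident, since the article's point is that even a well-kept backup set can take months to restore from.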

Risk managers are increasingly being empowered to mitigate and transfer cyber risks, particularly in the wake of Equifax’s credit outlook downgrade by Moody’s last year, which was the first time one of the big rating agencies cited cyber as a named factor in an outlook change.

That incident has certainly helped to escalate cyber security to a board-level concern, where many industry specialists have long argued it belongs, but there is evidently no shortage of vulnerable IT systems for hackers to exploit, even in advanced markets.

Ransomware
The growing threat from ransomware has worried insurers since the NotPetya attack in 2017, when several companies successfully managed to claim under property policies, prompting fears that insurers were exposed to a massive “silent cyber” risk.

Many insurers have since moved to explicitly exclude such cyber exposures from a wide range of lines, including property, terrorism, crime, kidnap and ransom, and general liability.

Such measures, along with growing awareness of the risks, will fuel double-digit growth of premiums in the cyber market during the next three to five years, according to analysts at Goldman Sachs.

However, most of that growth will be in the US and to a lesser extent Europe, with Asia lagging behind. To date, hackers have focused their efforts on high-value targets in advanced economies, but as companies in those markets harden their systems there is a risk that lax standards and regulations in Asia could focus attention here.