A hack that hit thousands of websites has highlighted the evolving nature of cyber risks and could reveal gaps in the available insurance coverage.
Cyber insurance is still in its infancy, and the available coverage is far short of the exposures. Cyber attacks are estimated to cost $1 trillion a year globally, yet the amount of available coverage amounts to "a few hundred billion dollars," global insurance broker Marsh's president of global risk and digital, John Drzik, said at an event in January.
The product had its origins in the U.S. covering third-party liability for data loss. It has since expanded globally and in scope, but the focus remains heavily on data breach, a trend amplified by the May 25 implementation of the EU's new data privacy regime, the General Data Protection Regulation.
But unlike recent high-profile attacks, such as Petya and WannaCry, the Feb. 11 hack was designed to appropriate computing power to mine cryptocurrency, rather than steal data or demand money from victims, showing that the threat is constantly changing.
"This is just another example of the evolving face of crime in our new digital world," said Graeme Newman, chief innovation officer at London-based specialist cyber and technology underwriting agency CFC Underwriting. "Cyber criminals are constantly looking for new ways to generate money and clearly cryptocurrency is an increasingly valuable commodity. We come across scams like this every single day."
The Feb. 11 hack, which hit more than 4,000 websites, allowed the perpetrators to commandeer the computers of site visitors and set them to work mining a cryptocurrency called Monero. Mining cryptocurrencies involves solving complex mathematical puzzles, which requires large amounts of computing power, and the hack worked by compromising a web-browser plug-in that was common to all the affected sites called Browsealoud, which helps blind or partially sighted visitors to use the websites.
Although the cryptocurrency hack was designed to steal computing power, rather than data or money, such attacks do present a business interruption risk. One of the sites affected was that of the U.K.'s data and privacy regulator, the Information Commissioner's Office, which was taken offline temporarily.
Had the attack taken down thousands of commercial sites, it could have resulted in significant lost revenue and potentially large business interruption claims.
Because most cyber insurance cover is designed to protect against data breaches, these policies may struggle to respond to newer claim types. Tom Draper, technology and cyber practice leader at Arthur J Gallagher International, a division of broking group Arthur J. Gallagher & Co., said that whether a cryptocurrency mining hack would be covered under the policies available would depend on the wording of the individual policy.
"That is an area the insurance industry has not done itself any favors in due to the spread and number of policies and lack of standardization of that type of wording, because of the individual risk tolerances of individual insurers and what they are willing to cover," he said. He added that site downtime and the cost of any forensic analysis to determine what happened would be covered under "most policies."
Lloyd's of London insurer Beazley Plc's international breach response manager, Raf Sanchez, acknowledged that there was a potential business interruption element from such a cryptocurrency mining hack, but he added: "In this case the malware is not attempting to compromise the visitors' machines or extract data from the visitor, which is the normal trigger for malware under a cyber policy, but it is instead trying to steal their computing power to mine currency."
He added: "Most policies started as data breach policies. Most wording is morphing into a more holistic form of coverage. But most of the triggers are still related to data loss and the liabilities arising from data breaches. I think insurers will need to look at the wider implications of [developments such as] the Internet of Things exponentially increasing the number of devices that are addressable on the internet and being able to aggregate attacks hugely.
"It is definitely something insurers need to bear in mind as policy wording becomes wider and moves away from addressing data breach triggers to wider triggers like business interruption and other malicious use of technology."
But not all agree that cyber policies are insufficient to cover emerging risks. CFC's Newman said: "There is a real misnomer that due to the ever changing nature of cyber risk, policies can't keep pace. That is simply not true. If drafted correctly the policy form provides a broad, general trigger (cyber event) and picks up a wide range of losses."
Henry Warner, a cyber broker at London market wholesale broker Ed, added: "Rather than be a negative, this could seen as a good opportunity for the insurance market to innovate and evolve with new and persistent threats. This will give potential purchasers confidence in the product and continue the sustained growth in the market."
If nothing else, the recent cryptocurrency hack will serve as a useful data point for the industry. It could also help persuade more businesses that they, too, need cyber cover.
"This is a great reminder to entities of all sizes, shapes and activities that because you have computers, you are a target. You don't have to have critical information," said Sarah Stephens, a partner at Jardine Lloyd Thompson Group Plc's JLT Specialty.