Regardless of the industry you operate in, ransomware, viruses and other malware are perhaps the biggest threat to your business. Last year, WannaCry infected businesses in more than 150 countries. According to Trend Micro’s 2017 Annual Security Roundup, the estimated global financial and economic losses from that one attack alone were about $4 billion.
And the future remains bleak. Cybersecurity Ventures predicts ransomware damages will climb to $11.5 billion in 2019. These damages include things like loss of data, downtime and lost productivity, forensic investigations, security consultants, removing ransomware from infected devices, employee training and even business issues like litigation and harm to the company’s brand. Keep in mind that as recently as 2015, ransomware attacks only cost businesses $325 million, so we’re talking about a very new, very serious threat to your enterprise.
While the question is usually, “What should you do about it?”, there’s another question you should keep in mind: “Who’s going to pay for it?”
For many enterprises, the answer is their insurance company. Many enterprises have already looked to recoup their losses using their conventional crime insurance or their kidnap & ransom policies. But as ransomware becomes more prevalent, the insurance industry has responded by limiting what those policies cover in terms of a ransomware event. Instead, they’ve developed specific cyber insurance to cover cyber crimes.
When it comes to cyber insurance, ransomware is driving both its adoption and its costs. According to CFC Underwriting, ransomware accounted for just over 10% of insurance claims in 2016, while in 2017 ransomware accounted for almost a quarter of all claims. As a result, premiums are already beginning to climb.
As ransomware has sharply increased, the insurance industry is taking a closer look at the risk it assumes and what it will be responsible for after an attack. Many policies cover not just incident response, but other things like public relations, legal fees and business interruption.
All it would take is another serious event like WannaCry to expose the insurance industry to billions of dollars in payouts around the world. As such, cyber insurance providers are evaluating the damage from WannaCry and adjusting their eligibility requirements, premiums and security requirements to reflect their increased understanding of the risk involved.
Let’s look at WannaCry again. What many people don’t realize is that Microsoft had released the patch for the vulnerability WannaCry exploited (security bulletin MS17-010, published March 14, 2017) 59 days before the outbreak began on May 12. Companies had nearly two months to apply a patch that would have protected them. Most of that $4 billion loss could have been avoided if everyone had simply kept up with their patches. (The exception was organizations still running out-of-support systems such as Windows XP, for which Microsoft only issued an emergency fix once the outbreak was under way; that is a lesson about end-of-life software rather than patch discipline.)
If you think the insurance industry didn’t notice, think again. Insurance policies are going to become much more strict when it comes to patching. If your company is hit by an attack that a patch could have prevented, you can expect your insurance provider to fight tooth and nail to avoid paying out claims.
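As an added example (not part of the original article), here is a small Python audit that turns that argument into a check you can run against your own inventory: given a patch's release date, the date each host installed it, and the date an attack hit, it reports which hosts were still exposed when the attack arrived and how many days each had gone unpatched. The hostnames, install dates and the 30-day maximum lag are constructed for illustration; the two dates are the real ones for WannaCry (the fix shipped March 14, 2017, the outbreak began May 12, 2017), which is where the 59 days above comes from.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Patch:
    """A security update: its KB number and the day the vendor released it."""
    kb: str
    released: date


@dataclass
class Host:
    """One machine and the date each KB was installed on it (absent = never installed)."""
    name: str
    installed: Dict[str, date] = field(default_factory=dict)


def patched_by(host: Host, patch: Patch, as_of: date) -> bool:
    """True if the patch was on the host on or before `as_of` (e.g. the attack date)."""
    when = host.installed.get(patch.kb)
    return when is not None and when <= as_of


def exposure_days(host: Host, patch: Patch, as_of: date) -> int:
    """Days the host ran without the patch: from release until it was installed,
    or until `as_of`, whichever came first. A host patched after `as_of` was
    exposed for the whole window."""
    when = host.installed.get(patch.kb)
    end = as_of if when is None else min(when, as_of)
    return max((end - patch.released).days, 0)


def audit(hosts: List[Host], patch: Patch, as_of: date,
          max_lag_days: int) -> Dict[str, List[Tuple[str, int]]]:
    """Bucket every host by its state on `as_of`:
    unpatched  - still missing the patch when the attack hit
    late       - patched, but slower than the allowed lag (what an insurer would query)
    within_sla - patched inside the allowed lag
    Each entry is (hostname, exposure days), sorted by hostname for stable output."""
    report: Dict[str, List[Tuple[str, int]]] = {"unpatched": [], "late": [], "within_sla": []}
    for host in sorted(hosts, key=lambda h: h.name):
        lag = exposure_days(host, patch, as_of)
        if not patched_by(host, patch, as_of):
            report["unpatched"].append((host.name, lag))
        elif lag > max_lag_days:
            report["late"].append((host.name, lag))
        else:
            report["within_sla"].append((host.name, lag))
    return report


def preventable_fraction(report: Dict[str, List[Tuple[str, int]]]) -> float:
    """Share of the fleet that a timely patch would have protected."""
    total = sum(len(bucket) for bucket in report.values())
    return len(report["unpatched"]) / total if total else 0.0


# Real dates for the WannaCry case: the fix shipped 2017-03-14, the outbreak started 2017-05-12.
PATCH = Patch(kb="MS17-010", released=date(2017, 3, 14))
ATTACK_DATE = date(2017, 5, 12)
MAX_LAG_DAYS = 30  # hypothetical insurer requirement, not from the article

# Constructed sample inventory (hostnames and install dates are made up for illustration).
HOSTS = [
    Host("dc01", {"MS17-010": date(2017, 3, 28)}),      # patched in 14 days
    Host("fs01", {"MS17-010": date(2017, 4, 30)}),      # patched, but 47 days late
    Host("ws-legacy", {}),                              # never patched
    Host("hr-laptop", {"MS17-010": date(2017, 5, 20)}), # patched only after the attack
]


def run_sample() -> Dict[str, List[Tuple[str, int]]]:
    """Audit the constructed inventory against the WannaCry timeline."""
    return audit(HOSTS, PATCH, ATTACK_DATE, MAX_LAG_DAYS)


if __name__ == "__main__":
    result = run_sample()
    print(f"patch window before attack: {(ATTACK_DATE - PATCH.released).days} days")
    for bucket, entries in result.items():
        for name, lag in entries:
            print(f"{bucket:10} {name:10} exposed {lag} days")
    print(f"fleet share an on-time patch would have protected: {preventable_fraction(result):.0%}")
```

The point of the "late" bucket is that a claim dispute will not only ask whether a host was patched, but how long it sat exposed; a host that was patched 47 days after release is compliant on the day of the attack but still outside a 30-day requirement, and that is exactly the patch record an insurer will ask for.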
With Windows 10, patching is going to take on an even bigger role. The OS will require monthly updates in excess of 300MB and semi-annual updates in the 4GB range, which can choke an enterprise network if deployed all at once. As a result, network administrators may try to slowly roll out updates across their enterprise. However, should an attack hit in the meantime, there’s a good chance the insurance company will refuse to pay out the claim.
Because of both the risk of attacks and the risk of not being covered, network administrators should look to peering software to increase the velocity of patch distribution throughout their entire network. Not only is it a smart idea; it might soon be an insurance requirement.