The global ransomware-based cyber attack that has brought large sections of the UK’s NHS to a standstill should represent a wake-up call to both buyers and sellers of cyber insurance. While the facts of the attack are clearly still to be fully established, the unprecedented nature of the attack means that the extent of any losses that will be picked up by the global cyber insurance market is simply unknown.
Notwithstanding this, the current information that is available raises four key issues.
Firstly, Microsoft released a patch to fix this particular vulnerability in March. However, it appears that a number of companies and users had not implemented this patch, or alternatively are still using older operating systems that are no longer supported by Microsoft, such as Windows XP and Windows Server 2003. This raises a significant concern for cyber insurers. If a company is neither upgrading its operating systems to ensure that they remain supported by the relevant vendor nor updating these systems as soon as a security patch is available, then one must really question how seriously senior management consider cyber security as an operational risk. Some, albeit not all, cyber policies include a clause that requires the policyholder to use their best endeavours to ensure that system security is as up to date as possible. However, for those affected by this hack, a delay of at least 2 months from the date of release of this patch may indicate that best endeavours have not been used. Perhaps the cyber market may wish to consider this as a standard clause across the market so as to drive best industry practice?
Secondly, given the number of industry sectors and businesses that have been impacted by this incident, there is the potential for the cyber insurance market to be facing its first “catastrophe” type loss as a consequence of this event. For several years, the cyber insurance market has been debating catastrophe events and the market’s exposures and, in particular, the impact of a failure at a cloud service provider. While not wishing to downplay the exposure to the market of this specific type of event, the NHS attack does highlight that there are other catastrophe events that the market needs to consider.
Thirdly, it appears that the US National Security Agency (“NSA”) was aware of the vulnerability that gave rise to this hack prior to it being leaked on the internet by the hacking group Shadow Brokers in April. It may be the case that security agencies become aware of vulnerabilities that are then used as part of espionage operations. Fair enough – we all want to live in a world where the risk of terrorism, for example, is minimised. However, by not sharing these vulnerabilities with vendors such as Microsoft so that they can be fixed, are the security agencies exposing the wider population to a much greater risk of a collapse in sections of our infrastructure, as appears to have happened in this case?
Finally, to say that this hack has crippled the NHS as a consequence of underinvestment in the public sector is to somewhat miss the point. Reports already exist that appear to indicate that the Nissan car plant at Sunderland and the telecoms multinational Telefonica have been impacted by this event. It therefore seems fair to say that there has been a lack of investment and strategic thinking in IT security in both the private and public sectors, highlighting the fact that cyber security is a national, even global, issue.
It will take time for the full facts of this attack to be established, as will the extent of any losses that are picked up by the cyber insurance market. However, what this attack does show is the reliance that society has on a creaking IT infrastructure and the extent of interruption that can occur when this infrastructure fails.