Experts believe a real-life Bashe attack could have far-reaching consequences for the future of the cyber insurance market, as Peter Littlejohns finds out from industry experts
Ransomware threats are piling up for businesses and the true cost they could face has been laid out in a hypothetical cyber-attack – with huge repercussions for insurers.
The Cyber Risk Management project – a co-ordinated effort between several universities and insurance companies that modelled a hypothetical cyber threat known as the Bashe attack – reported earlier this month that a large-scale ransomware attack could cost $193bn (£150bn) and affect more than 600,000 businesses worldwide.
But its revelation that 86% of the total cost – $166bn (£129bn) – would be uninsured should send shockwaves through the cyber insurance sector.
Insurance governance consultant Mactavish’s technical director Rob Smart believes a loss of consumer confidence and a withdrawal of insurance capacity could potentially even kill cyber insurance as a product.
He says: “You could end up with a market where the buyers have lost confidence and the sellers are much less keen to offer capacity.
“Could it then kill a product that can actually be really useful?
“In the long term, you would hope not, but in the short term it could create a serious challenge for people looking to buy or sell cyber insurance.”
What was the Bashe attack?
The 2017 cyber-attacks WannaCry, Petya and NotPetya shocked the world and revealed vulnerabilities present in the IT infrastructure of even multinational corporations.
The recently modelled Bashe attack predicts an even more shocking scenario.
The Cyber Risk Management project, which created it, is led by Singapore’s Nanyang Technological University, and also features the likes of insurance giant Lloyd’s and the University of Cambridge’s Centre for Risk Studies.
Its report, titled Bashe attack: Global infection by contagious malware, explores a scenario in which companies’ devices are infected with malware that threatens to destroy or block access to files unless a ransom is paid.
As part of this model, the attack is launched through an infected email that, once opened, is forwarded to all contacts and encrypts all data on nearly 30 million devices worldwide within 24 hours.
Companies of all sizes and in all sectors would be forced to pay a ransom to decrypt their data or to replace their infected devices.
Are ransomware threats like the Bashe attack viable scenarios?
According to Israel-based cyber security company Check Point, the fictitious scenario is entirely possible given the current cyber threat landscape.
Head of threat prevention solutions Eytan Segal says: “It’s plausible because to launch such an attack, criminals don’t even need to do the vulnerability research or ransomware development on their own.
“There is very effective off-the-shelf ransomware which exploits newly-discovered vulnerabilities, and it’s all available to the highest bidder.”
Not all cyber security experts agree with the scale of economic damage predicted by the Bashe attack report.
The report reads: “The disruption of several banking services and some computer system shutdowns causes widespread infrastructure damage and, in more extreme cases, global chaos in financial markets.”
Cyber security expert Alan Calder, the founder and executive chairman of consultancy IT Governance, says: “This implication is not necessarily an obvious outcome from some computer systems being shut down.”
How much do ransomware threats cost insurers?
Cyber insurance is a developing market but one still in its infancy compared to established sectors like property and casualty insurance.
Because of this, Mactavish’s Mr Smart says it’s not yet possible to buy a cyber insurance policy that covers the full risk presented by a large-scale attack like Bashe.
“Businesses aren’t able to buy up to the limit of a catastrophic worst-case scenario like the Bashe attack, because the capacity isn’t available,” he says.
“The level of cyber risk that insurers are writing is not that high, so in reality the majority of costs will still be borne by the companies themselves, not by insurers.”
The study reported there would be an insurance shortfall of 86% in the event that the Bashe attack became reality, but Mr Smart believes even this high figure is conservative.
He adds: “It sounds a bit low because those businesses that do purchase cyber insurance certainly aren’t covered for as much as they think, and businesses aren’t able to buy the limit needed for a worst-case scenario attack like this.”
Confusion over policy wording on cyber extortion could lead to claim disputes
Most cyber insurance policies cover businesses in the case of cyber extortion threats but the lack of clarity in their wording can create a confusing picture.
This confusion can lead to claims disputes, which is why Mr Smart advises businesses to negotiate their cover.
In the case of a ransomware attack, he believes it’s important to ensure that ransomware is included in the policy wording.
He says: “The wording of most policies covers the threat of ransomware, but not a scenario in which you’ve already been infected.
“The much more likely scenario is that you won’t receive a threat, you’ll just be infected and be faced with a ransom message.
“Existing ransomware is not the same as the threat of extortion, and it wouldn’t be covered unless you negotiate your policy.”
In the case of a Bashe-style attack, the large value of the claims made by companies would likely lead to disputes resulting from careful examination of policy wording related to ransomware, among other things.
Mr Smart explains: “Some claims wouldn’t be paid at all because of an exclusion in the wording of a policy.
“The claims that were paid would be negotiated based on the policy wording and ambiguities within it.”
Insurance capacity might not survive a real-life Bashe attack
Large-scale ransomware events like the Bashe attack are the worst-case scenario for insurers because claims arrive in large volumes at the same time.
This means the pool of capacity funded by other premium payers, which would usually absorb such costs, can’t always cushion the blow.
Mr Calder compares such an event to a major flood.
“There are questions over whether the cyber insurance sector could handle the full ramifications of a cyber-attack without government support,” he says.
“If there’s a major flood, most insurers can’t handle the cost of it.
“They exclude large chunks of it or the government is forced to step in and handle some of the impact through a range of other actions.”
A large-scale ransomware attack like Bashe could also lead to a loss of confidence in insurance as an investment.
Insurance capacity is key to determining the amount of risk written by insurers and reinsurers, and it also has a direct impact on the price of premiums and the growth of the sector.
Mr Smart believes that because cyber insurance is a relatively untested product, those taking on risk by providing the capacity for insurers to write policies could be spooked by an attack on this scale.
He says: “You could easily see an event like a large-scale ransomware attack leading to concern over how companies model their aggregation risk.
“It would be unlike any other area of insurance in terms of how quickly capacity would be pulled.”
From the demand side of the market, Mr Smart believes even an attack on a smaller scale could still affect the likelihood of companies wanting to buy cyber insurance.
He adds: “It could be a moderately-sized event that has a bigger impact on companies’ propensity to buy cyber insurance than it has on an insurer’s and reinsurer’s level of caution.”