Firms are beginning to look explicitly at damage to IT systems rather than just loss of personal information after WannaCry and NotPetya sank potentially billions of dollars.
Danish insurance firm Tryg, which serves the Scandinavian market, has sold 5,000 cyber insurance policies this year. It began offering a cyber policy in January, selling 700 in the first quarter and 2,800 in the second quarter on the heels of WannaCry.
Tryg’s CEO Morten Hubbe told Reuters today that cyber insurance would be as common as building and vehicle insurance within a few years. He estimated half of its corporate clients would buy it by 2020, and expects it will be the norm a few years after that. Tryg is the largest insurance firm in Denmark.
Tryg saw a surge in cyber insurance uptake after the WannaCry malware attack in May, which affected 300,000 in 150 countries. Victims included Telefonica in Spain and dozens of UK NHS organisations.
A month later, the NotPetya attack struck several global corporations through an update delivered to Ukrainian branches that used an accounting package from a local software vendor, MEDocs.
Though WannaCry and NotPetya were initially categorized as ransomware, neither attack raised significant revenues for the perpetrators, suggesting they were not financially motivated.
Nonetheless, the attacks cost victims a tremendous amount through lost revenues and recovery efforts. Danish shipping giant Maersk lost between $200m and $300m to NotPetya, while US parcel delivery firm FedEx lost $300m to the malware through its TNT Express business in Europe. US drug maker Merck and confectionery giant Mondelēz also reported significant losses due to disruptions to sales and production.
FedEx last month said it was now considering a cyber insurance policy after the NotPetya attack. The company opted against a policy after previously finding the market wasn’t mature enough. However, that assessment focussed on risks linked to the exposure of personal information rather than the cost of non-operational IT systems.
The US Department of Homeland Security (DHS) has also acknowledged that the cyber insurance market hasn’t been mature enough for mainstream adoption.
It is collecting data on incidents that influence the cyber insurance market through the Cyber Incident Data and Analysis Repository, or CIDAR, project. Until recently, the database was dominated by fictional incidents and lacked sufficient data on real incidents to be worth sharing with the insurance industry.