If the business world was previously unaware of the various interdependencies within a global supply chain and their total reliance on computers, then it should be now. The recent WannaCry and Petya/Not Petya attacks caused significant disruption to a number of blue chip companies.
The FedEx distribution network was impacted, resulting in further disruption to their customers, some of whom are still waiting for products to be delivered over a month after the actual attacks occurred. The consumer goods company, Reckitt Benckiser, was also severely impacted in these attacks, with production and deliveries of goods in several countries being disrupted.
The press releases issued by both companies make for interesting reading. FedEx has admitted that the impact on full year results is likely to be “material”, albeit a final estimate of its losses is yet to be published. In addition, it has admitted that this loss is not covered by insurance.
Similar to FedEx, Reckitt Benckiser has not publically advised the extent of the financial loss it has suffered, although press reports indicate that the resulting sales losses could be in the region of £100m. As to insurance, the company has not confirmed if it has coverage for this type of event. Given that it is a publically-listed company and has to disclose price sensitive information, such as a major incident, it seems reasonable to assume that, like FedEx, Reckitt Benckiser is also uninsured.
Given the availability of cyber insurance, it is staggering that companies, particularly those of the size of FedEx and Reckitt Benckiser, have not purchased this cover. It seems, however, that they are not alone.
A recent study conducted by Lloyd’s and Cyence modelled the potential losses from two scenarios: a hack on a cloud service provider and a mass vulnerability attack. The report estimates that, under the cloud service provider hack, only approximately 13% - 17% of losses are covered by insurance, leaving an insurance gap of between $4 billion and $45 billion, depending on the severity of the attack. Losses under the mass vulnerability attack don’t make for better reading – an insurance gap of between $8.9 billion and $26.6 billion, with only 7% of losses covered by insurance.
This type of uninsured loss is likely to have a significant impact on company profitability, which, in turn, will adversely impact dividends and share prices. One thing can then be certain: class actions from disgruntled shareholders will occur, based on the premise that their losses could have been avoided if the company directors had actually bought cyber insurance.
It seems, therefore, that the D&O insurance market could bear the brunt of cyber losses being uninsured. While it is unclear if shareholders would actually win a class action of this type, insurers potentially could incur significant legal costs on behalf of their clients in defending these claims. The significant exposure to insurers’ balance sheets is therefore obvious.
As the risk to D&O insurers would therefore appear to be greater in respect of those companies that don’t buy cyber insurance, it seems reasonable to question what premium insurers would require to offer D&O cover in these circumstances - if, indeed, they are prepared to offer cover at all. The commercial equation therefore seems simple: buy cyber insurance, get D&O at a reasonable price too.
While this could be seen as a crude attempt to increase the take-up in cyber insurance - using a sledgehammer to crack a nut, if you will - the insurance market will only need a few more events such as WannaCry to occur, coupled with the associated D&O claims, before this becomes a reality. Given that cyber insurance is relatively inexpensive, it is to be hoped that this eventuality does not occur. However, do not be surprised if insurers start wielding that sledgehammer...