WannaCry Brings New Focus on Cyber Insurance and Privacy Impact Assessments


By: Jonathan M. Romvary

In the wake of last week’s WannaCry ransomware attack that crippled nearly 200,000 computers across 150 nations, businesses around the world must reassess how they can protect themselves from the seemingly inevitable cyber-attack. According to the 2017 Verizon Data Breach Investigations Report, ransomware continues to be one of the most popular attacks used by criminals due to its availability and ease of use.

It is reported that nearly nine out of ten cyber insurance policies are issued in the United States. The overwhelming adoption of policies in the United States market can be traced to federal statutes and regulations governing online privacy and to well-established state data breach statutes that impose regulatory penalties and create private causes of action. The European Union, until the recent adoption of the General Data Protection Regulation (GDPR), simply did not give its businesses the same quantifiable incentive. Whether as a result of the WannaCry ransomware attack or in anticipation of the implementation of the GDPR, you can expect to see a surge in demand from European companies.

But insurance is only part of the solution, because many policies explicitly exclude certain situations from coverage. These can include cases where a company has failed to install a software patch that protects against known vulnerabilities, where employees using pirated software are the malware's entry point into the system, or even where the claim is for business interruption. And if data is truly lost because it has been destroyed or completely removed from the system, no amount of insurance can recover it.

So how do businesses protect themselves from such a crippling attack? As they say in sports, the best defense is a good offense. The easiest way to protect yourself is to keep your computers updated with the most recent security patches offered by the manufacturer or developers. But remember, staying secure against ransomware isn’t just about having the latest security solutions. Good IT security practices, including regular training for employees and data and privacy policies drafted by your attorneys, are essential to reduce the risk of an attack. Businesses should also perform privacy impact assessments of their computer systems to identify and address any potential weaknesses. Make sure that whoever performs the assessment, whether your CIO, your IT staff, or your attorney, is using a privacy framework accepted in your industry, such as an applicable ISO standard or another recognized framework. Some good examples include the APEC Privacy Framework, the OECD Privacy Framework, and the FTC’s report, Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policy Makers.

Remember, the Cyber, Data Security, and Privacy practice group attorneys are here to assist you in any way. Please contact Jonathan Romvary at [email protected] if you have any questions regarding how your business can perform an assessment of its system to further protect against unwanted cyber attacks.