Global cyber attacks from ransomware worms like NotPetya and WannaCry have caused insurance companies to sit up and take notice. Countless commercial insurance policyholders have begun to file loss claims, and the totals easily climb into the billions.

As these claims pile up, insurers begin to assemble the full picture of aggregate risk for cyber attacks on a global scale. The results likely won’t look good. In turn, the growing cybersecurity insurance market could soon face some pretty major changes.

“The Wanna-Cry worm is one of the most significant and virulent forms of malware ever seen, and therefore the insurance industry is taking notice,” Pascal Millaire, vice-president and general manager for cyber-insurance at Symantec, explained to eWeek.

The cybersecurity insurance market is fast-growing, with pundits predicting 5 billion in total premiums by the year 2020. Organizations with these policies can file a claim following a data breach or a major ransomware infection like WannaCry, helping them recover losses and remediate the damage. But, as the cybersecurity insurance market matures and the full picture for aggregate risk becomes clear, insurers will no doubt seek out ways to lower their risk in much the same way they once did for health insurance: pre-existing conditions.

By expecting policyholders to patch vulnerabilities in their cybersecurity protections, insurance companies can both reduce the risk for policyholder losses while creating a solid reason to deny certain claims. Companies should prepare themselves for increasingly strict claim exemptions by taking stock of their current cybersecurity training and practices now to execute due diligence and remove as much risk of an infection as possible.

Cyber Security Vulnerabilities That Could Count as “Pre-Existing Conditions”

When looking to mitigate their losses and reduce their overall risk pool, insurers may look to reduce the amount paid out to claims — or deny claims entirely — if one of the following conditions was present:

  • A known vulnerability that was not patched or addressed
  • A system was left unprotected because of an error or omission
  • An employee falls for a phishing attack

Few, if any, of these exemptions, exist now, but those covered by commercial insurance could see them creep into their policies.

“Different policies will respond in different ways on what is covered and what is not,” as Millaire explained. In response, legal departments will need to scrutinize the policy fine print to discover explicit exemptions and reveal their expected level of due diligence.

Addressing Pre-Existing Conditions Through Cyber Security Training and Consulting

There are a number of actions your organization can take to limit your risk of cybersecurity-related losses and promote compliance with possible strict future insurance policy clauses:


If you need assistance with strengthening your company’s protections, then you can entrust the #1 provider of cyber security solutions in Stamford, CT.

Contact U.S. Computer Connection today for cybersecurity consulting, audits, monitoring, employee training and more before your insurance policy changes.