Many companies outside the United States may lack cover for last weekend's WannaCry computer-system attack, leaving them potentially with millions of dollars of losses because there has been relatively little take-up of cyber insurance, reported Reuters citing insurers.
A massive ransomware worm, called WannaCry, caused damage across the globe over the weekend, stopping car factories, hospitals, shops and schools, amid fears it could wreck fresh havoc this week as workers return to their offices yesterday.
Cybersecurity experts said the spread of the virus which locked up more than 200,000 computers in more than 150 countries - had slowed, but the respite might only be brief.
The overall cost of getting businesses going again could run into the billions of dollars, with companies in Europe, including Russia, and Asia particularly vulnerable.
Nearly nine out 10 cyber insurance policies in the world are in the US, according to Mr Kevin Kalinich, global head of Aon's cyber risk practice. The annual premium market stands at US$2.5-$3 billion.
The biggest reason for the larger penetration in the US, said Mr Bob Parisi, US cyber product leader for insurance broker Marsh, "is that the US has been living with state breach notification laws for the past 10 years."
The greater transparency created an incentive for US companies to get insurance to compensate for damage from incidents they were required to report.
Companies that were not prepared for WannaCry can expect to rack up business interruption costs that far exceed a ransomware payment, said Mr Kalinich.
Organisations hit by the attacks, which lock up computer systems until the victims pay a ransom, included Britain's National Health Service, French car manufacturer Renault, and Spain's Telefonica.
West Coast cyber risk modeling firm Cyence estimated the average individual ransom cost from Friday's attacks at US$300, and the total economic costs from interruption to business at US$4 billion.
The US Cyber Consequences Unit, a non-profit research institute that advises governments and businesses on the costs of cyber attacks, estimated more modest total losses. They were likely to range in the hundreds of millions of dollars, and unlikely to exceed US$1 billion, the group forecast.
Demand for cyber insurance to rise
Even before the weekend attacks, demand in Europe was expected to rise after an EU directive is implemented in mid-2018 requiring companies to notify authorities of a data breach.
But insurers are likely to more carefully scrutinise risks they take on as well as how they word policies and exclusions, Mr Kalinich said.
"They will want to pick the companies that are most prepared," he said. Other firms might be eligible for coverage, but more exclusions may apply, he said.