Five years on: The shadow of WannaCry and NotPetya

RMS’ Matt Harrison examines how the cyber risk landscape has evolved over the past five years…

cyber risk ransomware

Cyber risk is not new, or stationary, it is complex and evolving. But for all its complexity, like most things human, cyber risk follows a cyclical pattern. New risks may emerge, but the vast majority of risks are just old threats re-imagined for a new age.

WannaCry and NotPetya still cast a heavy shadow over us five years on but older readers will agree these are mere shadows compared to the chaos caused by Conficker, Melissa, ILOVEYOU and SQL Slammer in the early 2000s.

This older generation of malware worms was significantly more potent but came at a time when both their recognition and insurable impact were considerably moderated as corporate and business processes were far less digitised – in an age before the evolution of cyber insurance.

From these older-generation threats through to more recent events with WannaCry and NotPetya, what do we know now, what have we learned, and what has changed?

“Ransomware is now a mainstream threat. Across all walks of life, we hear about it, with regularity and fear – it is not some niche risk constrained to the IT security industry”

The threat of systemic malware/ransomware still drives the risk we face. Some worry about cloud outages but compared to the impacts of these attacks this is mainly “observation bias” as it is easy to picture a cloud outage. Compared to malware/ransomware, cloud outages are a second-tier peril.

The good news is the absence of significant malware/ransomware events since WannaCry and NotPetya, but like hurricanes spiralling around the Atlantic without making landfall, we’ve had a selection of headline-grabbing near misses or glancing blows. The last 18 months alone saw SolarWinds, the Microsoft Exchange vulnerability, Kaseya, Blackbaud and, most notably, Log4Shell.

The recent near misses show that when a vulnerability exists it doesn’t mean it will be exploited, or that it is easy to successfully exploit vulnerabilities in a way that can be automated or “wormable”. Threat actors might not want to cause significant amounts of harm, and corporates may urgently mitigate the risk if the threat is so great.

So, what has changed since WannaCry? Ransomware is now a mainstream threat. Across all walks of life, we hear about it, with regularity and fear – it is not some niche risk constrained to the IT security industry. Boards now cite cyber risk as a top concern to invest in and mitigate; it is not the sole concern of the “IT guy”, it is a risk an entire business understands. Training, controls, password management and network segmentation are now everyday terms, and it is not just corporates that have stepped up but wider society too.

The news is not so good on the threat actor side. Rewards have grown alongside their investment and capability, and they have professionalised – criminal groups are well-oiled machines run like proper businesses, while nation states are also pouring in resources to develop their offensive and defensive capability

What can insurers do? The insurance adage “the past is a guide to the future” does not apply for an ever-changing risk – history and stats cannot be used to make meaningful models to quantify tomorrow’s risk.

At RMS we’ve been busy developing the capability to model the “physics” of cyber risk – what makes the risk emerge and what mitigates it. Understanding both the severity of losses and the frequency of events helps navigate the risk landscape.

Matt Harrison is a Director at RMS