Businesses are scrambling to assess their vulnerability to cyber threats in the wake of the global WannaCrypt ransomware attack.
And while insurers are taking the opportunity to spruik their services amid the panic, experts remain divided over the merits of cyber insurance.
The massive ransomware worm caused damage across the globe, stopping car factories, hospitals, shops and schools, amid fears it could wreak fresh havoc through the week.
Cybersecurity experts said the spread of the virus dubbed WannaCry - "ransomware" which locked up more than 200,000 computers in more than 150 countries - had slowed, but the respite might only be brief.
The overall cost of getting businesses going again could run into the billions of dollars, with companies in Australia, Europe, and Asia particularly vulnerable.
"There are vulnerabilities in all software products. If you don't take the updates, you're going to have a bad day," said Troy Hunt, cyber security researcher.
"Many small and medium Australian businesses are not keeping [their software] up to date, leaving them at risk."
While Mr Hunt is certain there will be future ransomware events, he is not yet convinced that insurance is the best approach for businesses.
"It is a bit of a double-edged sword. One quarter of the business insurance brands we work with now offer some sort of cyber liability cover," said Angus Kidman, editor-in-chief at finder.com.au.
"Despite the prevalence of high-profile data breaches and ransomware attacks, the take-up of cyber liability insurance policies is still quite low. Businesses understand the potential threats, but are only just starting to realise that specific cover is available."
"They are also reluctant to spend more money on insurance, especially given that maintaining IT security is already seen by many businesses as a major expense."
Insurance provider AIG offers a cyber insurance policy on its Australian website titled CyberEdge. It features an optional extra - Cyber/Privacy Extortion - that covers "any ransom payments to third parties required to end an extortion threat".
"Insurance is only part of the puzzle. The cost can be covered but if data is lost then that's where the problem is," said Dr Naveen Chilamkurti, cyber security program coordinator at La Trobe University.
"It's a well known trick/vulnerability. It's just a matter of time before it happens again."
As of Monday afternoon, the attack had netted nearly $US40,000 ($54,000) in bitcoin payments.
Nearly nine out of 10 cyber insurance policies in the world are in the United States, according to Kevin Kalinich, global head of Aon Plc's cyber risk practice. The annual premium market stands at $US2.5-$3 billion.
The biggest reason for the larger penetration in the United States, says Bob Parisi, US cyber product leader for insurance broker Marsh, "is that the US has been living with state breach notification laws for the past 10 years".
The greater transparency created an incentive for US companies to get insurance to compensate for damage from incidents they were required to publicly report. An upcoming European Union directive is expected to have the same impact there.
Companies that were not prepared for WannaCry can expect to rack up business interruption costs that far exceed a ransomware payment, said Kalinich.
"If you're a hospital that turned away patients, if you're a global delivery company that can't send packages, or a telecom company in Spain, Russia or China, the financial statement impact from the business interruption is much larger than the $300 ransomware," he said.
Organisations hit by the attacks, which lock up computer systems until the victims pay a ransom, include a handful of Australian companies.
The secrecy around the identity of the companies affected in Australia is believed to be in place to avoid an over-reaction by the public.
"A lot of people are panicking because they didn't realise it would be so big. For the government to take these steps shows a lot of caution," said Dr Chilamkurti.
International victims include Britain's National Health Service, French car manufacturer Renault, and Spain's Telefonica.
Sources close to Telefonica said the company had insurance to cover the attacks but it was too soon to estimate the economic impact.
Renault and the NHS did not respond to requests for comment.
West Coast cyber risk modelling firm Cyence estimated the average individual ransom cost from Friday's attacks at $US300 ($405), and the total economic costs from interruption to business at $4 billion.
The US Cyber Consequences Unit, a non-profit research institute that advises governments and businesses on the costs of cyber attacks, estimated more modest total losses. They were likely to range in the hundreds of millions of dollars, and unlikely to exceed US$1 billion, the group forecast.
A typical cyber insurance policy will protect companies against extortion like ransomware attacks, which insurers say have spiked in the past 18 months. It would cover the investigation costs and also pay the ransom, according to Parisi.
But there are caveats. Companies that did not download a Microsoft patch issued in March to protect users from vulnerabilities may be out of luck, since many cyber policies exclude coverage in such an instance.
Companies using pirated software are also unlikely to be eligible for an insurance payout, Kalinich said.
Most cyber insurance policies cover breaches of up to $US50 million, with much of the loss relating to the interruption of the firms' business, Parisi said. Some policies can cover losses of as much as $500-600 million.
Cyber insurance policies also typically cover the cost of notifying those whose data has been breached, hiring a PR agency to address reputational damage and arranging credit monitoring for those affected, as well as potential legal suits.
It is a high-margin business. Insurer Sciemus, for example, has previously said it charges around $100,000 for $10 million in data breach insurance and as much as seven times that to cover attacks causing physical damage.
Other providers include Allianz, AIG, Chubb and Zurich, as well as Lloyd's of London insurers such as Beazley and Hiscox.
with Reuters