We're sorry but your browser is not supported by Marsh.com

For the best experience, please upgrade to a supported browser:


Research and Briefings

Claims and Cleanup Information for WannaCry Ransomware Cyber-Attack


The ransomware cyber-attack that hit hospitals, government agencies, and tens of thousands of computers on 12 May was unprecedented in how quickly and widely it has spread.

If your organisation has been impacted directly or indirectly through a customer or supplier, you should act quickly to contain the outbreak and collect information you may need to file a claim.

In the critical period after a cyber breach, businesses should:

  • Stop the damage. Follow the guidance from the Government’s National Cyber Security Centre. If you have not been able to contain the outbreak — or you are not sure whether you have contained it — you may need to contact a technology vendor. A cyber insurance policy may cover this expense, but it might require prior approval.
  • Manage the initial response. Communicate the issue within your organisation to stem the spread of the attack and assist in tracking your cyber response team’s claim-related activity.
  • Document the timeline of events. Tracking what occurred from the time of the breach through full recovery will assist in estimating the “period of recovery” for the loss.
  • Establish a protocol for identifying and properly categorising claim-related costs. This will facilitate potential recovery against relevant insurance policies.
  • Provide analysis. Catalogue all business interruption, extra expense, or other financial impacts, even those not easily captured.

Marsh Risk Consulting has teams specialising in cybersecurity, forensic accounting and claims, and reputational risk and crisis management.

If you need help with any of these steps please contact peter.a.johnson@marsh.com or contact our Marsh Risk Consulting team mrc-uk@marsh.com and we will get back to you as soon as possible.