The Travelers Companies, Inc. is publicizing the prospect of computer breaches and other attacks against companies that failed to upgrade or replace Microsoft's Windows 7 and Windows Server 2008 when the operating systems reached their end of life Jan. 14.
Ken Morrison, director of cyber risk control at the New York- and Hartford, Conn.-based property and casualty insurer, said the operating systems "hit the end of the support road."
Patches will not be available unless users spend more money and the operating systems will no longer be updated. "It's even more of a target for the bad guys because they know the vulnerabilities will not be fixed," Morrison said.
While an upgrade to an operating system is a solution, it could be too costly for businesses such as manufacturers that run numerous machines based on a Microsoft operating system, he said. Travelers told agents, brokers and customers about the approaching "end of life date."
"Theoretically, a lot of people have been addressing this for a long time," Morrison said.
Travelers sells cyberinsurance policies that can help protect a business from losses such as costs to respond to a data breach, money stolen in computer fraud, lost income and other problems related to computer systems or data.
A cyberinsurance policy also can help protect against third-party risks, such as lawsuits or regulatory fines and penalties following a data breach. And cyberinsurance policies may also provide "prebreach services" to help businesses avoid a cyber incident, such as cybersecurity assessments and employee awareness training.
In an emailed statement, Microsoft said it committed to provide 10 years of product support for Windows 7 when it was released in October 2009.
"This 10-year period has now ended and Microsoft has discontinued Windows 7 support so that we can focus our investment on supporting newer technologies and great new experiences," the company said.
It said it began notifying customers earlier last year and also has online resources to detail more about what end of support means and more information on Windows 10.
Microsoft recommends users upgrade to Windows 10 at their earliest convenience to avoid becoming vulnerable to security risks and viruses.
Arthur House, Connecticut's former cybersecurity chief, said extensive international virus outbreaks in the past "ironically hit older Microsoft systems and those who stole Microsoft systems and did not have a patch."
"People don't engage in proactive maintenance, which they should," he said.
Smaller companies such as law firms and real estate businesses may not have IT offices that can prepare for operating system transitions, House said.
"If you're a large insurance company in Connecticut you have someone in touch with Microsoft all the time," he said. "It's the one that's not in touch with Microsoft. They're the ones you worry about."
Problems, such as copying data and threatening to expose sensitive information, have not yet emerged, but "increased attention of bad guys" will eventually become evident, House said.
Smaller companies are particularly vulnerable, "and cybercriminals know it," said the Insurance Information Institute and J.D. Power in a 2019 survey of 500 business leaders. Larger enterprises can devote more attention and resources to security and employee training, while smaller firms and high-net-worth individuals are lower-risk targets for criminals.
The survey found 42% of companies did not purchase cyberinsurance coverage, citing the high cost. In addition, 35% believe their risk profile does not require them to have cyberinsurance while other companies reported they were allocating internal resources to combat cyberattacks.
And some companies surveyed said cyberinsurance policy exclusions keep them from buying a policy.
The survey found 12% of businesses responding to the survey experienced at least one cyber incident in the past year, up from 10% in 2018. And nearly 71% said they are "very concerned" about cyber incidents, up from 59% in 2018.
