Companies relying on their business interruption or property insurance policies to cover ransomware attacks and other cyber damages are running the risk of not having coverage during a major attack if insurers are successful in shielding themselves using the ubiquitous "act of war" clause, according to cybersecurity and insurance experts.
Last week, insurers' arguments gained more weight when the US indicted six members of the Russian military for a variety of cyber operations, including the NotPetya wiper attack that disrupted business operations worldwide. Damages from those attacks are at the heart of major lawsuits against insurance companies, including a $1.3 billion legal action brought by pharmaceutical giant Merck against a collection of insurers and a $100 million lawsuit brought by food and beverage conglomerate Mondelez against Zurich Insurance.
In both cases, insurers claim the NotPetya attack represented a hostile act by a sovereign power, preventing any payout.
"The indictment underscores the general principle here that from a practical perspective, insurance is not a get-out-of-jail-free card," says Jason Crabtree, CEO of risk management firm QOMPLX. "It should be considered a supplement to your own financial risk calculations."
The lawsuits also underscore a fundamental problem in insuring companies against unforeseen business interruptions and loss of profits due to modern cyberattacks. Nation-states are often behind such operations. North Korea has bankrolled many financial crimes, Iran favors data-wiping malware, Russia commonly uses former Soviet territories as testbeds for cyberattacks, and the United States took part in the Stuxnet attack, which spread to other computers.
Moreover, large-scale ransomware events are not some probabilistic black-swan incident. Instead, the difference between an insurable single attack and a widespread worm that could represent untenable payouts may be only a few lines of code. In July, financial rating firm AM Best warned that, while standalone premiums had risen in 2019, the total number of claims had doubled, year to year. The firm noted "the frequency and severity of ransomware attacks have escalated, as have data breaches and [ransoming] in the health care industry."
Adding Fuel to the Fire
To some degree, insurers are making the problem worse. In many ransomware attacks, insurers determine that paying the ransom is the least expensive way for their policyholders to recover. Such payouts, however, also keep extortion rackets in business and fund attacks on other companies.
If significant and widespread events become more common, it could have a dramatic impact on the cyber insurance industry, says Chris Kennedy, CISO at AttackIQ, a security-validation firm.
"These black-swan events are very costly, and insurance companies are businesses, too," he says. "If we are going to see more and more of these black-swan events, the question is how can insurance companies afford to underwrite these policies? Just like the beaches in Florida or the flooding in Texas — where you can't get insurance anymore — if ransomware continues to be as rampant as it is, cyber insurers are going to back away from covering the damages."
The impact of NotPetya on shipping giant A.P. Moller Maersk is a prime example of the risk. The company claimed more than $300 million in damages when the NotPetya worm shut down systems across the company's offices. However, the most significant threat to Maersk's business was that the worm infected and seemingly wiped all of the company's 150-plus domain controllers. Without access to those systems, the company would not have recovered, some argue. Luckily, a power outage in a data center in Ghana meant that a server there was not infected, and the entire company recovered using the data on that server, according to a 2018 story in Wired.
"When you think about catastrophic risk — losing 10, 100, or 1,000 people's credit card data is not a big deal," QOMPLX's Crabtree says. "It is a Maersk event, where — God forbid — had it not been for a chance power outage, we would not have a Maersk. They wouldn't have recovered their network. Realistically, the company would not have recovered at all."
Cyber insurance should not be considered a cybersecurity replacement, he says. Those types of events are exactly why companies should focus on security controls around critical assets and on mitigating critical, low-probability events — the so-called long tails, he says.
Food and beverage firm Mondelez is another example of the dangers of relying on cyber insurance. The company estimates that NotPetya caused more than $100 million in damages, including the permanent loss of function of approximately 1,700 servers and 24,000 laptops, but its insurance firm, Zurich Insurance, refused to pay, citing the "act of war" exclusion.
While Mondelez's property coverage protected against "physical loss or damage to electronic data, programs, or software including physical loss or damage caused by the malicious introduction of a machine code or instruction," according to reports, the act-of-war exclusion trumped those losses.
The policy states:
"This Policy excludes loss or damage directly or indirectly caused by or resulting from any of the following regardless of any other cause or event, whether or not insured under this Policy, contributing concurrently or in any other sequence to the loss:
2) (a) hostile or warlike action in time of peace or war, including action in hindering, combating or defending against an actual, impending or expected attack by any: (i) government or sovereign power (de jure or de facto); (ii) military, naval, or air force; or (iii) agent or authority of any party specified in (i) or (ii) above."
With the US government attributing the attack to a Russian military intelligence group, the clause seemingly would apply. The group, commonly known as Sandworm, BlackEnergy, or Voodoo Bear, is also thought to be responsible for a variety of cyberattacks, including attacks on the Ukrainian power grid in 2015 and 2016.
Yet the denial of coverage also reveals a flaw in many companies' risk management plans: They rely on so-called "silent coverage," where the insurance is not bought specifically for the risk. Already, many insurers are seeking out clauses that may seem to provide silent cyber coverage and eliminating them from property and business-interruption insurance policies.
In the future, companies should expect their insurers to push back, and hard, against paying out for any major cyber event, Crabtree says.
"So if you want coverage from a cyber event, don't count on your normal building policy. Don't count on a general business interruption policy. Explicitly buy cyber coverage," he says. "If you only take away one thing ... if the policy does not start with the word 'cyber,' then you shouldn't count on it being there when you need it."
Instead, companies should seek out affirmative coverage — cyber-specific policies — and create a body of documents that cite potential catastrophic events that the business expects to be covered, says Crabtree.
"Simple wording, affirmative coverage, and, ideally, eliminating some war and terrorism exclusions are all eminently positive ways for making sure that a company that is impacted by a ransomware event or a major breach is getting what it thinks it's buying: help when it needs it, paid quickly without a lot of argument," he says.