10/29/2020
10:05 AM

'Act of War' Clause Could Nix Cyber Insurance Payouts

The indictment of six members of the Russian military for the NotPetya ransomware attack places companies on notice that insurance "is not a get-out-of-jail-free card."

Companies relying on their business interruption or property insurance policies to cover ransomware attacks and other cyber damages are running the risk of not having coverage during a major attack if insurers are successful in shielding themselves using the ubiquitous "act of war" clause, according to cybersecurity and insurance experts.

Last week, insurers' arguments gained more weight when the US indicted six members of the Russian military for a variety of cyber operations, including the NotPetya wiper attack that disrupted business operations worldwide. Damages from those attacks are at the heart of major lawsuits against insurance companies, including a $1.3 billion legal action brought by pharmaceutical giant Merck against a collection of insurers and a $100 million lawsuit brought by food and beverage conglomerate Mondelez against Zurich Insurance.

In both cases, insurers claim the NotPetya attack represented a hostile act by a sovereign power, preventing any payout.

"The indictment underscores the general principle here that from a practical perspective, insurance is not a get-out-of-jail-free card," says Jason Crabtree, CEO of risk management firm QOMPLX. "It should be considered a supplement to your own financial risk calculations."

The lawsuits also underscore a fundamental problem in insuring companies against unforeseen business interruptions and loss of profits due to modern cyberattacks. Nation-states are often behind such operations. North Korea has bankrolled many financial crimes, Iran favors data-wiping malware, Russia commonly uses former Soviet territories as testbeds for cyberattacks, and the United States took part in the Stuxnet attack, which spread to other computers.

Moreover, large-scale ransomware events are not some probabilistic black-swan incident. Instead, the difference between an insurable single attack and a widespread worm that could represent untenable payouts may be only a few lines of code. In July, financial rating firm AM Best warned that, while standalone premiums had risen in 2019, the total number of claims had doubled, year to year. The firm noted "the frequency and severity of ransomware attacks have escalated, as have data breaches and [ransoming] in the health care industry."

Adding Fuel to the Fire

To some degree, insurers are making the problem worse. In many ransomware attacks, insurers determine that paying the ransom is the least expensive way for their policyholders to recover. Such payouts, however, also keep extortion rackets in business and attacking other companies.

If significant and widespread events become more common, it could have a dramatic impact on the cyber insurance industry, says Chris Kennedy, CISO at AttackIQ, a security-validation firm.

"These black-swan events are very costly, and insurance companies are businesses, too," he says. "If we are going to see more and more of these black-swan events, the question is how can insurance companies afford to underwrite these policies? Just like the beaches in Florida or the flooding in Texas — where you can't get insurance anymore — if ransomware continues to be as rampant as it is, cyber insurers are going to back away from covering the damages."

The impact of NotPetya on shipping giant A.P. Moller Maersk is a prime example of the risk. The company claimed more than $300 million in damages when the NotPetya worm shut down systems across the company's offices. However, the most significant threat to Maersk's business was that the worm infected and seemingly wiped all of the company's 150-plus domain controllers. Without access to those systems, the company would not have recovered, some argue. Luckily, a power outage in a data center in Ghana meant that the servers were not infected, and the entire company recovered using the data on that server, according to a 2018 story in Wired.

"When you think about catastrophic risk — losing 10, 100, or 1,000 people's credit card data is not a big deal," QOMPLX's Crabtree says. "It is a Maersk event, where — God forbid — had it not been for a chance power outage, we would not have a Maersk. They wouldn't have recovered their network. Realistically, the company would not have recovered at all."

Cyber insurance should not be considered a cybersecurity replacement, he says. Those types of events are exactly why companies should focus on security controls around critical assets and on mitigating critical, low-probability events, the so-called long tails.

'Silent Coverage'

Food and beverage firm Mondelez is another example of the dangers of relying on cyber insurance. The company estimates that NotPetya caused more than $100 million in damages, including the permanent loss of function of approximately 1,700 servers and 24,000 laptops, but its insurance firm, Zurich Insurance, refused to pay, citing the "act of war" exclusion.

While Mondelez's property coverage protected against "physical loss or damage to electronic data, programs, or software including physical loss or damage caused by the malicious introduction of a machine code or instruction," according to reports, the act-of-war exclusion trumped those losses.

The policy states:

"This Policy excludes loss or damage directly or indirectly caused by or resulting from any of the following regardless of any other cause or event, whether or not insured under this Policy, contributing concurrently or in any other sequence to the loss:

2) (a) hostile or warlike action in time of peace or war, including action in hindering, combating or defending against an actual, impending or expected attack by any: (i) government or sovereign power (de jure or de facto); (ii) military, naval, or air force; or (iii) agent or authority of any party specified in i or ii above."

With the US government attributing the attack to a Russian military intelligence group, the clause seemingly would apply. The group, commonly known as Sandworm, BlackEnergy, or Voodoo Bear, is also thought to be responsible for a variety of cyberattacks, including attacks on the Ukrainian power grid in 2015 and 2016.

Yet the denial of coverage also reveals a flaw in many companies' risk management plans: They rely on so-called "silent coverage," where the insurance is not bought specifically for the risk. Already, many insurers are seeking out clauses that may seem to provide silent cyber coverage and eliminating them from property and business-interruption insurance policies.

In the future, companies should expect their insurers to push back, and hard, against paying out for any major cyber event, Crabtree says.

"So if you want coverage from a cyber event, don't count on your normal building policy. Don't count on a general business interruption policy. Explicitly buy cyber coverage," he says. "If you only take away one thing ... if the policy does not start with the word 'cyber,' then you shouldn't count on it being there when you need it."

Instead, companies should seek out affirmative coverage — cyber-specific policies — and create a body of documents that cite potential catastrophic events that the business expects to be covered, says Crabtree.

"Simple wording, affirmative coverage, and, ideally, eliminating some war and terrorism exclusions are all eminently positive ways for making sure that a company that is impacted by a ransomware event or a major breach is getting what it thinks it's buying: help when it needs it, paid quickly without a lot of argument," he says.  

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ...

Comments
mcavanaugh1,
User Rank: Moderator
10/29/2020 | 4:35:07 PM
Re: Well Written Article Explaining Insurance Coverage Evasions
This article is not about a Cyber Insurance policy that did not pay a claim. The focus is on the buyers that believe they can file a Cyber claim under another policy (mostly Property or Business Interruption) and be afforded coverage. It would be like filing a claim under your Homeowner's Insurance policy for damage to your car after a car accident. The insurance company is going to decline.

Many Insurance Agents & Brokers are not educated on why you should not expect coverage for a Cyber event under a Property policy.  They feel that servers & computers are considered property so any damage, regardless of the proximate cause, should be covered under the property policy. This is not going to be the case outside of specialized forms or those endorsed to provide affirmative coverage for Cyber events.

In reality, 90% of Cyber claims filed under standalone Cyber Insurance policies are covered by the carrier.  That is specific to standalone policies providing affirmative coverage as opposed to an endorsement on another policy.  You should absolutely work with an Agent or Broker that understands the coverage or make sure that they are working with a wholesaler or carrier that does.

Understanding the Cyber Insurance policy requires a knowledge of the exposure (not just the application) and the policy language which is not always the case for attorneys so the combination of an educated agent and an attorney is not a bad idea.  Also, if there are any questions and the attorney or agent cannot answer get on the phone with the underwriter who better be able to answer the questions.  If that is not possible you might want to try another carrier, agent, or broker.
Richard F.,
User Rank: Apprentice
10/29/2020 | 2:01:50 PM
Well Written Article Explaining Insurance Coverage Evasions
This is a very useful and informative article explaining to the intelligent non-specialist one of the many evasions and traps used by some cyber insurance companies to avoid paying legitimate claims.

Unfortunately, many cyber insurance policies contain other layers of obnoxious surprises. Arbitration provisions, my area of expertise, and inclusion of "foreign" law are but a few of the many other devices also used by some insurance companies. 

Large companies can, and should, negotiate EVERY component of coverage and EVERY endorsement excluding or limiting coverage.

Smaller companies must rely on astute policyholder-only insurance coverage attorneys. Insurance brokers are important, but all purchasers have to remember that "their" insurance brokers must always maintain and preserve their relationships with the insurance companies to stay in business. Policyholder-only insurance coverage attorneys cannot, and do not, have those divided loyalties.

It all can be summarized as "RFP." Read the Fine Print & Read the Full Policy!!  

Buyers beware!!!!

 

   