The cyber insurance investigation into the loss potential of the recent ransomware attack on one of the world's largest aluminum producers, Norsk Hydro, has begun. It is likely to generate increased interest in obtaining cyber insurance by manufacturers and other organizations driven by the attention raised by 2017's NotPetya worm. While the cost for the Norsk Hydro "LockerGoga" attack is yet to be calculated in full, we have already seen, as with NotPetya, a dramatic loss of income and intense business disruption.
But can cyber insurance do enough to limit the fallout for the victims of ransomware attacks? If not, how can proactive businesses ensure they are financially protected after a breach?
Calculating the Costs
The effect on the IT and insurance industries from the most recent wave of cybercrime continues to grow as businesses disclose silent cyber impacts, as well as affirmative losses from WannaCry/NotPetya. The latest reports from Property Claim Services (PCS) put the loss from NotPetya at over $3.3 billion, and it's still growing. The Norsk Hydro event is currently being evaluated by PCS to ascertain whether it meets the global cyber event designation, which would require the attack to generate a re/insured loss of at least $20 million. Recent estimates from the company suggest $40 million in losses.
Despite the payouts, for some businesses, reliance on insurance has proven inadequate. Consider US pharmaceutical company Merck. The company disclosed that the NotPetya cyberattacks have cost it as much as $580 million since June 2017, and predicted an additional $200 million in costs by the end of 2018. In contrast, experts estimated their insurance payout would be around $275 million, a huge number but under half of the amount it has incurred so far, let alone any silent costs that may continue to rise.
Other companies have been left even worse off, such as snack food company Mondelez International Inc., which is in a continuing battle with its property insurer, Zurich American Insurance Company. Mondelez filed a claim for the NotPetya attacks under a policy that included "all risks of physical loss or damage," specifying "physical loss or damage to electronic data, programs, or software, including loss or damage caused by the malicious introduction of a machine code or instruction."
Zurich disputed the claim, based on a clause that excludes insurance coverage for any "hostile or war-like act by any governmental or sovereign power" after US intelligence officials determined that the NotPetya malware originated as an attack by the Russian military against Ukraine. Zurich is fighting the claim by Mondelez that it is wrongfully denying coverage.
What an Act of War Might Mean for Coverage
As cybercrime continues to rise, cyber insurance has businesses reconsidering their coverage. Organizations faced with a decision to take out coverage need to find space in the budget for monthly costs and potentially large premiums. For this investment to be worthwhile, businesses want to be confident that they will recover their costs if a breach happens. Therefore, selecting the "right" form of coverage becomes critical.
The insurance payouts around the NotPetya cyberattacks, and in particular the Mondelez case, throw this into question. This is especially true considering the rise in cyberattacks that are nation-backed or could plausibly be claimed to be nation-backed by insurance companies in order to dispute a claim. As regulations change and the US military is given more freedom to launch preventative cyberattacks against foreign government hackers, any evidence that suggests governmental or military attribution could be confirmation of an act of cyberwar and be legitimately used against claimants looking to settle their losses.
Will the Fine Print Affect Public Research?
The ripple effect of this could go beyond the claims sector, and, in the long run, have a connected impact on security research, and potentially free press and journalism. Traditionally, researchers have had the freedom to comment and even speculate on the attribution of cyberattacks through information on the attackers' behavior and the attack signatures they use. If insurance companies and claims handlers begin using public research as a reason to deny coverage to victims, research teams could be put in an ethical bind when faced with the realization that the results of their investigative work could exacerbate victims' woes. They may be reluctant to share their findings, due to fear of being pulled into legal proceedings by giving insurers a possible reason to withhold coverage. The net effect might end up reducing the amount of public research and the transparency of the industry overall.
Can Cybersecurity Vendors "Guarantee" Safety?
The issue of what claims to honor extends to financial guarantees from cybersecurity vendors too, not only to insurance handlers. It is becoming increasingly popular for vendors to offer warranties to customers that purchase cybersecurity products, giving real substance to their claims. However, many experts believe that cyber insurance policies have so many loopholes that they negate the benefit of any warranty. We've already addressed exclusion of coverage for the often cited "nation-state or act of God" exception. Other examples include portable devices, insider threats, or intentional acts. Even if you are widely covered for an event, does that extend to all employees? According to the latest Cyber Insurance Buying Guide, "most policies do not adequately provide for both first-party and third-party loss."
The reality for business owners and CISOs looking to protect their business is that cyber insurance is not a catchall for protecting against risk and loss, especially as cybercrime indiscriminately crosses new lines for inflicting damage. As we've seen, the cyber insurance industry is faced with unresolved challenges to ensure protection for victims. And cybersecurity companies making big promises that are ultimately undermined by the small print are neither a guarantee of safety or recourse. Until the industry resolves out some of these issues, it's caveat emptor for businesses purchasing policies and cybersecurity solutions.