Cyberinsurance and Acts of War

I had not heard about this case before. Zurich Insurance has refused to pay Mondelez International's claim of $100 million in damages from NotPetya. It claims it is an act of war and therefore not covered. Mondelez is suing.

Those turning to cyber insurance to manage their exposure presently face significant uncertainties about its promise. First, the scope of cyber risks vastly exceeds available coverage, as cyber perils cut across most areas of commercial insurance in an unprecedented manner: direct losses to policyholders and third-party claims (clients, customers, etc.); financial, physical and IP damages; business interruption, and so on. Yet no cyber insurance policies cover this entire spectrum. Second, the scope of cyber-risk coverage under existing policies, whether traditional general liability or property policies or cyber-specific policies, is rarely comprehensive (to cover all possible cyber perils) and often unclear (i.e., it does not explicitly pertain to all manifestations of cyber perils, or it explicitly excludes some).

But it is in the public interest for Zurich and its peers to expand their role in managing cyber risk. In its ideal state, a mature cyber insurance market could go beyond simply absorbing some of the damage of cyberattacks and play a more fundamental role in engineering and managing cyber risk. It would allow analysis of data across industries to understand risk factors and develop common metrics and scalable solutions. It would allow researchers to pinpoint sources of aggregation risk, such as weak spots in widely relied-upon software and hardware platforms and services. Through its financial levers, the insurance industry can turn these insights into action, shaping private-sector behavior and promoting best practices internationally. Such systematic efforts to improve and incentivize cyber-risk management would redress the conditions that made NotPetya possible in the first place. This, in turn, would diminish the onus on governments to retaliate against attacks.

Posted on February 13, 2019 at 6:32 AM • 24 Comments

Comments

Peter • February 13, 2019 6:59 AM

What is important here is the fact that Zurich CLAIMS Notpetya is an act of war. Which means by common law Zurich will first have to prove this in order to refuse payment.
Good luck to them, as no one as yet has been able to prove that Notpetya was a Russian or Korean 'attack'.
So if Zurich can not prove this they will still have to pay the client.

Tom • February 13, 2019 7:03 AM

What's important here is that Mondelez International is not trying to claim on a cyber insurance policy.

They did not take out specialist cyber insurance, they relied on terms within their existing business continuance insurance.

Impossibly Stupid • February 13, 2019 9:42 AM

What's really important here is that a lot of people still seem to wrongly think that insurance is an appropriate mechanism to handle common and predictable events. Or, put another way, how screwed up is the leadership in technology industries when they can't figure out for themselves that running Windows is fundamentally insecure? No sane insurance company would cover those systems; it's not even a question of "risk".

Ian • February 13, 2019 9:56 AM

All insurance companies cover organizations that use Windows systems. Windows is no more fundamentally insecure than any other operating system and it's been that way for a long time.

Denton Scratch • February 13, 2019 10:05 AM

I am not aware of an insurance company ever investing its capital in locksmiths, security companies and computer security firms. I imagine it must have happened, but it doesn't seem to be a frequent event. That would be like a tobacco manufacturer investing in drugs to help you quit smoking (hint: varenicline, aka Champix; it worked for me).

Peter Galbavy • February 13, 2019 10:41 AM

@Denton

I thought that's what the original point of the US UL (Underwrites Labs?) was - not a direct investment, but a regulator to approve products that the industry accepted as insurable. We don't have anything like that for tech right now.

Matt from CT • February 13, 2019 10:51 AM

>I am not aware of an insurance company ever investing it's capital in locksmiths, security companies and computer security firms.

Factory Mutual and Hartford Steam Boiler are two companies that immediately spring to mind which have a long history of active loss control programs.

https://en.wikipedia.org/wiki/FM_Global
https://en.wikipedia.org/wiki/Hartford_Steam_Boiler_Inspection_and_Insurance_Company

While not nearly as actively involved as the above in loss prevention, the National Board of Fire Underwriters and regional affiliates (which later became ISO) had a much broader scope in putting financial incentives behind community fire protection standards. Its Classification System evaluated items like hydrant systems, fire department equipment and staffing levels, etc. and put financial consequences on those -- the lower your community's rating, the higher the fire insurance rates from any insurance company would be.

https://www.insuranceopedia.com/definition/3060/national-board-of-fire-underwriters

justinacolmena • February 13, 2019 1:06 PM

I used to work in that general industry.

Insurance companies sell structured annuity products and term life insurance with heavy fees and premiums all around.

Contracts on a person's life generally create an incentive on one part or the other toward murder for hire.

I advise against excessive auto liability coverage limits for the same reason: professionally arranged crashes, claimed as accidents.

When fire insurance indemnity exceeds about 80% of equivalent value or rebuilding costs, the moral hazard of the insured's financial complicity in arson is too high. When you own a building, you need skin in the game when it comes to fire.

When I have too much health insurance coverage, other powerful establishment parties have a financial interest in making me sick or keeping me sick. Doctors let too much blood on a continual basis with their medicinal leeches.

The whole insurance industry has reached the point of moral catastrophe and fallen to serious organized crime and a liability-paranoid butt-covering corporate culture.

We cannot depend on financial insurance or indemnity for our continued health, life, and safety.

Petre Peter • February 13, 2019 4:16 PM

This looks more like a case of cyber-terrorism since there was no declaration of war.

Faustus • February 13, 2019 4:21 PM

@ Justinacolmena

You say you were involved in the industry. Are these major industry concerns or your personal perspective?

Do you have a link to how these concerns come into play in underwriting?

WaitAMinute • February 13, 2019 11:59 PM

Zurich Insurance "...claims it is an act of war...". On what basis? It'll be interesting to see where this goes in the courts, especially since only Congress can declare an Act of War, and given that the Cyber Act of War Act of 2016 is still only just a Bill.

Denton Scratch • February 14, 2019 6:17 AM

@Peter, @Matt: I am grateful for the examples that you pointed out to me. Interesting that all these examples seem to be USAian - I wonder if the European insurance industry tends to treat it more as a banking 'game'.

asdf • February 14, 2019 11:38 AM

Some poor logic going on in this comment thread.

Only Congress can *declare* war, but that has nothing to do with declaring an *act* to be "an act of war."

GW Bush used "act of war" in a speech shortly after 9/11 and that was enough to get all the insurance companies off the hook for paying for the damage.

Whether something is "an act of war" has nothing to do with whether this or that body has "declared" the war. The US didn't declare war on Vietnam, either. It was a "police action" that killed 60,000 US troops. And no insurance company would have paid you for damages in Saigon, no matter how much you paid in premium.

TomS. • February 14, 2019 11:46 AM

@Denton, @Peter Galbavy

Underwriter's Labs has the UL CAP Cyber security Assurance program based on the UL 2900 standards.

It aims to be fairly comprehensive with infrastructure as one of its targets. I assume to be used in conjunction with some ISO guides.

I do not have experience with it but have heard representatives on various podcasts.

Re: NotPetya. Cisco's Talos Intelligence has classified it as a destructive cyberweapon. US-CERT classifies it as destructive malware with attribution to Russian military.

Simon Leinen • February 14, 2019 12:06 PM

Re Peter on the burden of proof:

> What is important here is the fact that Zurich CLAIMS Notpetya is an act of war. Which means by common law Zurich will first have to prove this in order to refuse payment.

That may not be how it works. The way it was explained to me (for German law, may or may not apply to Swiss or whichever law applies here):

* Policyholder claims damage.
* Assurance refuses to pay.
* Policyholder sues insurance.
* Because the policyholder is the plaintiff, the burden of law falls on them -> policyholder has to prove that the assurance's excuses for not paying are invalid.

(This applies to the civil lawsuit. If the insurance presumes fraud on the part of the policyholder, it could press criminal charges against them. In that case, yes, the burden of proof would definitely not be on the (accused) policyholder.)

Jon • February 14, 2019 12:31 PM

@ Justinacolmena

I think you are right in that there are perverted incentives at work, but it is my opinion that the real perverse incentive is the insurance industry itself.

They have a vast interest in selling as much insurance as possible, and an equally vast incentive to NOT pay out any claims.

In this matter, if the insurance company spends $30 million on lawyers and eventually grants a settlement for $30 million of the claim, that's a huge net win for the insurance company ($40mil) and its attorneys ($30mil), and a giant loss ($70mil) for the people who actually hired the insurance company in the first place.

Makes one wonder why would you hire a company that has such a huge financial incentive to actively NOT work for you? Glossy TV ads notwithstanding...

$30 million will buy a lot of attorneys and appeals. Insurance companies (I'd bet all of them) hire dozens of people from basic form processors to high-end lawyers strictly to find ways to not pay off claims - they save money in the long run, and the only hit is reputational (readily quashed by every settlement insisting upon confidentiality).

Finally, if you really want proof of the perverse incentives of the insurance industry - they make money. Rather a lot of money. They're parasitic. They do not create money. They take in money, and pay out less than they take in. On the average, therefore, you would be better off without insurance at all.

J.

Clive Robinson • February 14, 2019 12:48 PM

@ ,

> Because the policyholder is the plaintiff, the burden of law falls on them -> policyholder has to prove that the assurance's excuses for not paying are invalid.

The last time I had any cause to look into this --in the UK-- it was last century.

Back then to be an "act of war" the location had to be in an "active war zone" which was recognised as such --prior to the reason for claim-- by "the insurer of last resort" (which was the UK government).

Personally I think any underwriter that takes on ICT risk that is not infrastructure is mad.

Why? Because of the "army of one" principle and APT.

If you take the time to sit down and analyse what happens with any kind of malware attack you will see the following,

1, The attacker develops the exploit on their hardware using their energy.

2, The attacker packages the exploit up as a series of data/information packets.

3, The attacker delivers one or more of the data/information packets via the resources and energy of intermediate service supplier(s), ISPs etc., to the victim's host address.

4, The data/information packet, now on the victim's hardware and using the victim's energy, deploys the malware.

5, The malware, using the victim's resources, attacks the victim.

That is, whilst an attacker may use a lot of their own resources developing the malware, it is sent at minimal or zero cost to the victims, where it importantly uses the victims' resources. We know from massive DDoS attacks via IoT devices that a single near zero cost launch of a data packet can utilize the resources of millions if not tens of millions of sites all over the globe, near simultaneously, at no cost to the attacker.

This sort of "information world" attack has little or no correlation to "physical world" attacks in any form. Which means the standard actuary tables used for calculating fire damage, physical world intrusion and theft just do not apply.

Thus an insurance company behaving honestly could be completely wiped out by just one malware attack.

Something tells me that trying the "act of war" trick is an indication that underwriters are starting to wake up to the real risks involved...

VinnyG • February 14, 2019 1:09 PM

@Jon re: "On the average, therefore, you would be better off without insurance..." In my opinion, that is generally true of insurance whether or not there are significant perverse incentives at work. The popular view of the insurance market seems to be that the insurer bears the risk - that is never true. Insurance is a mechanism for spreading risk - it is borne (fractionally) by the other policyholders. The insurer acts as administrator and middleman. Any risk that an entity can practically self-insure against, it should...

vas pup • February 14, 2019 2:19 PM

@Jon:"I think you are right in that there are perverted incentives at work, but it is my opinion that the real perverse incentive is the insurance industry itself.

They have a vast interest in selling as much insurance as possible, and an equally vast incentive to NOT pay out any claims."
True. Agree 100%.

@WaitAMinute: I guess we should distinguish different flavor of war: aggression against other sovereign states (not preventive strike when imminent threat exists) and defending own country or close allies being attacked, factual state of war and it is legal declaration. That is why issue is so complicated everything depends on resource allocated to win in the court. As result, see above comment of @Jon.

@Denton and @Peter: insurance business should be NOT for profit by default. The nature of insurance business is not make anybody rich neither insurance company nor person/legal entity covered by insurance, but restoring actual loses due to event covered by policy.

I think insurance business should have same model of functioning as banks, i.e. kind of FDIC(not AIG), central government reinsurance company for all other insurance companies. That mechanism will provide kind of soft government regulation of insurance business and guarantee coverage of catastrophic events when insurance company is going to exhaust its reserves and can't provide coverage.
Excess (unused) premiums insurance company should put in reserves and/or invest in the science/industry which reduce risk of covered event and/or reduce damages when covered event occurred. That basic principle should apply regardless type of insurance: health, fire, flood, you name it.

BUT, 'swamp' will never adopt such law because of powerful lobbyists for insurance business using smoke of words (that is not marketing methods, not capitalism or other similar b...l sh..t).

Jon • February 14, 2019 3:35 PM

Incidentally, my car insurance is through the AAA, and it is a non-profit* insurance company. Every year they send me a little rebate for the money they took in and didn't pay out.

Jon

* - Doesn't mean nobody profits, though - the executives are still highly paid personally, and I imagine the lawyers likewise. The looting of "non-profits" through executive salaries is particularly egregious in the charter school industry around here. J.

albert • February 14, 2019 5:19 PM

Insurance companies don't want to pay claims if they can avoid it. Refusing to pay a claim will land you in court, and that can be more expensive than paying the claim. So the obvious solution is to reduce the number of claims, by encouraging and supporting things that do this. For example, the auto insurance industry supporting seat belts and later, shoulder belts for drivers, energy absorbing vehicle design and crash safety testing.

Things like the National Electrical Code are designed to reduce or eliminate fires due to faulty wiring. There are similar codes for plumbing and building construction.

There's plenty of money to be made in the insurance trade but that's going to be difficult in the IT arena. It's hard for companies to pay vast sums for protection against things that live in the ether. Such is casino capitalism that they'd rather take the risk. Since the cyber sphere is inherently insecure, I see cyber insurance as a risky business. This is an era when the customers of a business continue to use that business.
..
@vas pup,
"...I think insurance business should have same model of functioning as banks, i.e. kind of FDIC(not AIG), central government reinsurance company for all other insurance companies...."

The last thing we need is another gov't handout for business. If we had -proper regulation- of banks and insurance companies, we wouldn't have to -insure- them. This is BS. Pure and simple. Let 'em fail, then put the burden where it belongs, on execs and the shareholders.

. .. . .. --- ....


Steven • February 14, 2019 7:01 PM

I think insurance companies are now realizing that they have written policies against an unratable risk.

By "unratable", I don't mean that the risk is especially large--it might be, but that's not the problem. The problem is that the risk can't be quantified by statistical methods, and it can't be managed by aggregating insureds into loss pools and then relying on those pools to exhibit statistically predictable losses.

IOW, the thing that insurance companies do doesn't work for software.

vas pup • February 16, 2019 12:57 PM

@albert • February 14, 2019 5:19 PM

FDIC is NOT protecting banks, but account holders up to $250 grand per bank per account in the case of bankruptcy of bank.

Same purpose of reinsurance company - protect You - person being insured, not insurance company.

Zusah • February 18, 2019 12:54 PM

Anyone surprised that an insurance company is trying to avoid paying out what they should by trying whatever has enough odds to just *might* work?

Rest assured that Zurich's legal team balanced the odds before they placed that war pin.

This boils down to plausible deniability; Zurich claims NotPetya was a nation-state cyberattack tool, and it will be interesting to read the court of law's ruling for this case.

By definition, an act of war, as war itself is nation state business.

If the insurance claim was made by a nation state, a judge might imho rule in favour of Zurich; however, here I would point to the bookies in the UK - that is, if they provide a bet on the outcome ;)
