Cybersecurity Insurance Not Paying for NotPetya Losses

This will complicate things:

To complicate matters, having cyber insurance might not cover everyone's losses. Zurich American Insurance Company refused to pay out a $100 million claim from Mondelez, saying that since the U.S. and other governments labeled the NotPetya attack as an action by the Russian military their claim was excluded under the "hostile or warlike action in time of peace or war" exemption.

I get that $100 million is real money, but the insurance industry needs to figure out how to properly insure commercial networks against this sort of thing.

Posted on March 8, 2019 at 5:57 AM • 21 Comments

Comments

roenigk • March 8, 2019 7:21 AM

Isn't this a good thing? If corporations were reimbursed for such malware attacks, in-house risk would be dramatically reduced. Their required investment to prevent same could be justifiably reduced.

Being at-risk for all damage places IT security as an existential threat to the company. The board and management would be negligent if they did not take it seriously.

Dan Benton • March 8, 2019 7:27 AM

We were refused cyber insurance unless we used *paid-for* anti-virus. Even the insurance companies want someone else to go after for the money.

1&1~=Umm • March 8, 2019 8:01 AM

"I get that $100 million is real money, but the insurance industry needs to figure out how to properly insure commercial networks against this sort of thing"

If the insurance industry as experts in the domain can only default on their undertakings because they are failing to carry out their primary function for which they have been paid and have liability for, how do we expect non experts to even stand a chance?

The big problem is not that the malware might or might not have been a covert or otherwise act of war, but that normal insurance models do not work.

Look at it this way: there are only so many bank vaults or homes a robber can break into in any given period of time. Thus their effect is constrained; because of this, only a tiny fraction of potential targets can be attacked.

This is not the case with malware, where one individual can with care develop a programme that can attack hundreds of thousands if not millions of targets simultaneously.

That is, there is no averaging process over a long period of time; any kind of defensive measure would be completely and utterly overwhelmed, with little or no chance of 'catching in the act' by either those at the target site or any kind of law enforcement.

Thus the damage is done with effectively no opposition.

Other than running systems entirely separately from public networks, there is currently little or nothing that can be done to stop or constrain such malware attacks.

This has been the case since before Bob Morris Jnr made it abundantly clear with the actually benign Morris Worm.

Which was a long time ago, since then it appears nobody has done any "figuring it out" for a solution.

Is there any indication they are going to be able to even make a guess in that direction in the same period of time again?

Nameless Cow • March 8, 2019 8:41 AM

@Dan Benton

> We were refused cyber insurance unless we used *paid-for* anti-virus. Even the insurance companies want someone else to go after for the money.

I wonder how the insurance companies can go after the anti-virus vendors. Most of the software licenses I've seen have strong disclaimers and limit the vendor's liability to zero or a very low amount if anything bad happens.

Phaete • March 8, 2019 8:54 AM

Nothing new under the sun; some insurance companies are legally correct but morally criminal.

Just watch "Sicko" by Michael Moore, about how medical insurance dodges medical claims.

How about the water damage/flood insurance that people had during Katrina? You have some nice examples of moral corruptness there.

Just another company deciding that the brand damage is less than what they would have to pay out.
It's the capitalism we all love (and hate).

TimH • March 8, 2019 9:00 AM

@roenigk: Good point. One problem is that the language around insurance pretends that the products solve the primary problem. "Protect your valuables against theft" really means "Insufficiently protect, pay us, and in some circumstances we'll reimburse you for the amount that we assess is the monetary value of those valuables if they're pinched".

The issue not addressed is that no amount of money compensates for the public release of many private (as opposed to secret) data items.

Neil Ford • March 8, 2019 9:07 AM

Apparently Mondelez were claiming on a property insurance policy and not a dedicated cyber insurance policy, which is partially where the problem has arisen. There was a segment at the end of a recent Smashing Security episode with an insurance expert that clarified some of this, following an earlier episode in which they misreported it as cyber insurance.

Brian • March 8, 2019 9:26 AM

Insurance companies are in the business of not paying claims, so this isn’t at all surprising. The two companies will probably go back and forth in court until any damage awards are eaten up by the court administrators and lawyers.

wiredog • March 8, 2019 10:29 AM

Not surprising. My car insurance and homeowner's insurance don't cover damage from wars. I checked.

IIRC, the last time I looked the rider for that coverage wasn't very expensive, probably because war in the DC area is regarded as a low risk. Well, a war that wouldn't also destroy the insurance company, anyway.

@Dan Benton @nameless cow
Using paid anti-virus for insurance purposes demonstrates that you are doing your due diligence to protect yourself. Most insurance requires you to use UL Certified equipment for a similar reason. It's assumed, and possibly tested to see, that it meets certain minimum requirements. Look over your car insurance and see the list of things that you can get a discount for.

Thursday • March 8, 2019 11:04 AM

roenigk • March 8, 2019 7:21 AM
“Isn't this a good thing? If corporations were reimbursed for such malware attacks, in-house risk would be dramatically reduced.”

The deficiency with this position is that it’s an argument against having so-called cyber insurance coverage in the first place. Arguably this is where the world was yesterday and where we remain today exemplified by Zurich’s decision in this case...

If we need big insurance to cover cyber attacks like this and I argue that we do, they need to be experts at cyber security, which most clearly aren’t AND they need to rework old risk models that don’t work for computer security.

One of the roles that we need cyber insurers to play is to pressure companies to maintain appropriate levels of security or risk not being covered. This doesn’t work when insurers aren’t obtaining accurate assessments and refuse to pay out claims. Insurance companies must exhibit pressure on the insured by way of security standards developed and enforced by experts to constantly improve security in order to lower overall risk to maintain levels of coverage. Traditionally this is accomplished very weakly and without regard to the unique characteristics of cyber threats.

Insurance companies are by nature highly traditional and the same models that do work for say, economic loss caused by burglary, do not work in an ever changing cyber threat landscape.

With the accuracy of attribution being so poor, it is imperative that insurers figure out how to cover most any cyber incident. Cyber incidents are often attributed to one actor or another without verifiable proof and that’s a huge problem as Bruce has made clear in the past.

It seems to me that insurance companies need better methods to constantly monitor insured risk and dynamically allocate levels of coverage over time. Traditionally an insurance company does an initial assessment of risk and then sells a fixed dollar amount of coverage for ‘cyber’ incidents. Risk is rarely re-evaluated except when major changes occur to the insured's business, often spanning months or years. This is unacceptable and highly deficient when assessing technology risk. By this measure, it’s no wonder why insurers like Zurich won’t pay out. We need insurers that are thinking outside the box on cyber security, more willing to cover regardless of attribution, with dollar amounts commensurate to point-in-time risk. Insurers need to be agile, or perhaps a new generation of cyber insurers will be born.

Insurance companies do need to figure this out, but they won’t be able to solve this one without developing cyber competence, eliminating or strongly reworking attribution clauses and reconsidering what constitutes Force Majeure in cyber incidents.

albert • March 8, 2019 12:12 PM

This is ridiculous.

The quoted phrase: "... 'hostile or warlike action in time of peace or war' exemption ...".

Doesn't that look like BS? Whoever signed a contract like that should be fined and fired. Doesn't that phrase cover anything the insurance company wants it to cover?

What am I missing here?
. .. . .. --- ....

A Nonny Bunny • March 8, 2019 3:02 PM

@Brian

> Insurance companies are in the business of not paying claims, so this isn’t at all surprising.

If insurance companies didn't regularly and reliably pay valid claims, no one would buy insurance (of their own free will).

Impossibly Stupid • March 8, 2019 3:04 PM

It's unclear what has changed since the last time Bruce covered this. Has there ever been any substantial payout from an insurance company over a cybersecurity incident? I just don't see any way to lock down a network, especially one that's a Windows monoculture, to the degree needed to put a dollar figure on any potential future breaches for the term of a policy. There's nothing for the insurance industry to "figure out", because they're already parting money from fools. It's the fools who need to wise up and realize that cybersecurity is not a "risk" that is best addressed by insurance.

Sed Contra • March 8, 2019 3:24 PM

Department of Click-Bait Titling Enhancements: suggested edit

Insurance company exploit “NotPayYa” developed in response to hacker exploit “NotPetya”

vas pup • March 8, 2019 3:39 PM

@Brian • March 8, 2019 9:26 AM
Yes, agree.
@A Nonny Bunny: unfortunately, the definition of 'valid claim' is very vague and usually not in the favor of those being insured.
Those vague (primarily legalese) statements in the contract create a legal frame in which the first knee-jerk reaction of the insurance company is not paying claims. Yes, they do pay, but only if the pressure escalates.

General observation (kind of not directly related to the subject): you (a person, a small business) could win a claim against a big business if you have the financial resources to hire a highly paid and qualified team of legal professionals, the available time to be involved, and strong enough health to jump through all the legal hoops up to SCOTUS, but at the end you could get just moral satisfaction.
The only way is when it is a class action with multiple claimants involved. Then you may get a settlement in your favor out of the possibility of higher losses for the big business when the case goes to court.
That is why BB's lawyers include arbitration clause in most contracts.

Margaret • March 9, 2019 8:48 AM

Zurich is denying a claim under their property policy, not a standalone cyber policy. While the property policy had affirmative cover for cyber, the extension was slapped on to a very much traditional product (ie property) with traditional exclusions (ie war exclusion) and was not fit for purpose. The property market (and the brokers that serve it) is partially to blame because they’ve been adding cyber coverage often without much underwriting or understanding of the risk, and often for no additional premium. So clients like Mondelez probably walked away from the transaction thinking they had just got themselves some cyber insurance. Zurich has every right to invoke the war exclusion since it’s there, but proving their point will be close to impossible.
If Mondelez had bought a dedicated cyber policy, there would be no issue, as new generation policies often have an exclusion for claims arising out of kinetic war only, so war in a traditional sense, not cyber activities such as NotPetya. Of course these products are not cheap, so Mondelez went the route of free “cover” under their property policy. Before everyone gets their knickers in a twist saying that insurers sold a subpar product, please remember that Mondelez are big boys, dealing with big boys' brokers, so they have the expertise to assess what they’re actually buying.

gordo • March 9, 2019 5:30 PM

What Mondelez v. Zurich May Reveal About Cyber Insurance in the Age of Digital Conflict
By Brian Corcoran | Lawfare | March 8, 2019

Leonid Bershidsky at Bloomberg warned that if courts take government attribution at face value as a basis for excluding damages from policy coverage, the nascent cyber insurance market will be set back on its heels and businesses will suffer. Others have simply argued that NotPetya was not a “warlike” action for civil purposes, irrespective of the U.S. government’s public statements, and that it might better fit the definition of what President Obama once called “cyber vandalism.” Still others have argued that the case is an example of how private industry and courts need an independent panel of attribution experts, as Microsoft proposed in 2016, as public attributions of cyberattacks by governments do not include the underlying intelligence. Many of these views wryly note the shift to a world where every major insurer and insured must consider how the law of armed conflict might apply in cyberspace—an unenviable task, considering the universe of unresolved questions and the failure of the 2016-2017 United Nations Group of Governmental Experts to come to consensus.

https://www.lawfareblog.com/what-mondelez-v-zurich-may-reveal-about-cyber-insurance-age-digital-conflict

Mondelexyz • March 10, 2019 2:27 PM

Per the Lawfare article

“Mondelez estimates that the direct (computer damages) and indirect (supply and distribution disruptions) costs of the malware damage total over $100 million.”

Millions for repair and mitigation but not one cent for prevention?

CB • March 11, 2019 4:36 AM

It's all normal. Private insurance companies don't cover war damages because those are the domain of public service.
Protection of civilians and property from external threats in a situation of war is a public service duty. This is outside private insurance scope.
If the government says it's an act of war, they are effectively saying that they are taking charge of the damage themselves.
Private insurance companies may act as proxies if the procedure allows it. But money will come from state and/or federal pockets, not their own.

Jeremy • March 11, 2019 3:28 PM

@Impossibly Stupid: Note that this is the EXACT same case that Bruce blogged about a month ago, not a separate incident forming a pattern.
