Cyber Insurance Perhaps Isn’t the Answer

January 16, 2019

*Updated Monday, January 21, 2019

In June 2017, a ransomware cyber attack spread through Europe and the US affecting companies such as advertising giant WWP, law firm DLA Piper, Danish shipping and transport giant AP Moller Maersk and Mondelez, a multinational confectionery, food and beverage company. The attack, known as NotPetya, has caused billions of dollars of damage to companies, and according to US and UK authorities, Russian hackers in attempts to attack the Ukrainian government, are to blame.

Mondelez is suing Zurich for $100 million after the insurance company rejected claim following the massive NotPetya ransomware attack of 2017 citing an exclusion clause for “a hostile or warlike action” by a government or sovereign power or people acting for them. 

What is NotPetya?

NotPetya was at first thought to be an advanced variant of encrypting ransomware first identified in 2016. It was created to attack  Microsoft Windows-based computers by infecting the master boot record to execute a payload that encrypts a hard drive’s file system table. This prevents the machine from booting and consequently, the user is shown a message demanding payment in Bitcoin to regain access to their system.

However, unlike Petya (2016 variant), NotPetya spreads rapidly from computer to computer and network to network without requiring spam emails or social engineering to gain administrative access.

Mondelez NotPetya Insurance Payout Dispute

Court papers filed in Illinois disclosed that Mondelez was hit twice by NotPetya, causing 1,700 of its servers and 24,000 laptops to be ‘permanently dysfunctional’, alongside the theft of thousands of user credentials and unfulfilled customer orders. Mondelez claimed these losses fell under the provision of its property insurance policy that covered “physical loss or damage to electronic data, programs or software” triggered by “the malicious introduction of machine code or instruction”. 

Initially, Zurich agreed to make a US$100 million (£7.8 million) interim payment but this was later denied on the grounds that the attack was an act of war, therefore resulting in the lawsuit. According to the Financial Times, this case will be the first serious legal dispute over how companies can recover the costs of a cyber attack.

Professional services company, Marsh & McLennan, stated in a report that this was not an act of war: “Conflating the war exclusion with a non-physical cyber event like NotPetya grows out of two factors: NotPetya inflicted substantial economic damage on several companies, and the US and UK governments attributed the NotPetya attack to the Russian military. These two factors alone, however, are not enough to escalate this non-physical cyber-attack to the category of war or ‘hostile and warlike’ activity. These terms of art that have been considered by courts, and the resulting decisions, which are now part of the Law of Armed Conflict, make it clear that much more is required to reach the conclusion of ‘Warlike’ action.”

What were the effect of the attack? For a cyber-attack to fall within the scope of the war exclusion, there should be a comparable outcome, tantamount to a military use of force.

Who were the victims and where were they located? Did the victims serve a military purpose and did they reside near the actual conflict? The most prominent victims of NotPetya operated far from any field of conflict and worked at purely civilian tasks like delivering packages, producing pharmaceuticals, and making disinfectants and cookies.

What was the purpose of the attack? NotPetya was not a weapon that supported a military use of force. The resulting chaos caused by NotPetya bore greater resemblance to a propaganda effort rather than a military action intended for ‘coercion or conquest,’ which the war exclusion was intended to address.

So, What Does This Signal for the Cyber Insurance Market?

While the Mondelez – Zurich lawsuit is an unusual case due to the fact they had a property policy and not a dedicated cyber policy; stories of insurance companies not paying out on their cyber policies due to unclear terms and conditions is rising. 

The challenge we’ve seen for organisations purchasing cyber insurance is that all such policies require the insured to exercise “due care” in their application of day-to-day security procedures. In the event of a breach, the failure to achieve due care in the opinion of the insurance company may result in the denial of the claim. The issue is that there is no official, recorded, formal definition of what is considered an acceptable level of ‘due care’ nor how this should be demonstrated. Due care is an intentionally gray area that can encompass many aspects of security and cyber preparedness. 

Data-Driven Auditing Could Provide the Solution

Cyber insurance is a great way to safeguard yourself from the financial losses following the aftermath of an attack but it does not replace the need for good security practice.

Typically, cyber security audits have been paper-based, checkbox exercises that leave organisations with no real idea of their current risk profile, just a list of issues and generic recommendations for remediation. We found that 88% of clients have no evidence of their current risk profile and if the controls invested in actually work.

That’s why we’ve developed a cyber operations platform that allows us to conduct data-driven Cyber Risk Audits that produce meaningful, tangible, and actionable results. This provides businesses with a realistic perspective of cyber risk that enables them to build a plan of enhancement for their infrastructure, users, and the future. Conduct these on a regular basis, for example, quarterly, and the business can determine control consistency, demonstrate ongoing risk reduction and drive continuous security improvement; thus demonstrating ‘due care’.

For more information about our Cyber Risk Audit get in touch to arrange a demo.

Check Out Our Other Recent Posts >