How the NotPetya attack is reshaping cyber insurance

By Explorer -

 In June 2017, when the NotPetya malware first popped up on computers across the world, it didn’t take long for authorities in Ukraine, where the infections began, to blame Russia for the devastating cyberattack that would go on to do $10 billion of damage globally. NotPetya was a component of the ongoing conflict between Russia and Ukraine, but even though it was designed to infiltrate computer systems via a popular piece of Ukrainian accounting software, the virus spread far beyond the borders of Ukraine, causing an incredible amount and variety of damage. 

One of the most consequential and as-yet-unresolved legacies of NotPetya centers on Mondelez International, the multinational food company headquartered in Chicago that makes Oreos and Triscuits, among other beloved snack foods. NotPetya infected the computer systems of Mondelez, disrupting the company’s email systems, file access, and logistics for weeks. After the dust settled on the attack, Mondelez filed an insurance claim for damages, which was promptly denied on the basis that the insurer doesn’t cover damages caused by war. The ensuing dispute threatens to not only remake the insurance landscape, but also has major implications for what companies increasingly at risk of being hacked can expect from their insurer. 

Cookies under attack   

Mondelez couldn’t have less to do with the tensions between Russia and Ukraine, but the company’s computer systems were still affected by NotPetya as it spread around the world. For Mondelez, the total damages were estimated at more than $100 million. So Mondelez filed a claim for the costs with its insurer, Zurich—only to then have that claim denied on the grounds that NotPetya was a warlike action and therefore excluded from Mondelez’s property and casualty insurance coverage. The ensuing lawsuit between Mondelez and Zurich over whether NotPetya was actually sufficiently “warlike” to trigger the exception in Mondelez’s policy will have far-reaching consequences for both buyers and sellers of cyber insurance policies. While the case remains undecided, insurance carriers and policyholders alike remain in a state of some uncertainty about what types of cyberattacks their coverage does and does not apply to, and policymakers have been slow to provide help to either side by, for instance, defining what types of assistance they might be willing to provide or what they expect from insurers by way of clarification. 

Because it caused so much damage and was driven by broader political motivations, NotPetya is one of the most closely studied cyberattacks in history. Andy Greenberg at Wired, for example, has explored the malware in terrific detail, so when he declared in August of 2018 that “​​the release of NotPetya was an act of cyberwar by almost any definition,”  it encapsulated the thinking of insurers like Zurich. Just two months earlier it had denied Mondelez’s claim for $100 million in NotPetya-related damages under its Zurich all-risk property insurance policy, pointing to the warlike nature of NotPetya. The June 1, 2018, letter to Mondelez denying their claim pointed to Exclusion B.2(a) in the company’s policy that specifically excluded coverage for any losses or damages resulting from “hostile or warlike action in time of peace or war, including action in hindering, combating or defending against an actual, impending or expected attack by any … government or sovereign power.” Cyberwar, the company argued, didn’t fall under the purview of its property insurance policies. 

But was NotPetya really warlike? It was certainly perpetrated by a government, but that alone may not be enough to qualify it as an act of war. By the time Zurich issued its claim denial, several governments, including the United States, the United Kingdom, Canada, and Australia, had issued coordinated statements in February 2018 attributing NotPetya to the Russian government. It was perhaps the most extensively and authoritatively attributed cyberattack ever, especially in the context of breaches which often give rise to disagreements about attribution and how definitively it can be performed. But many cyber intrusions and breaches are perpetrated by governments, and if all of those are viewed as being beyond the purview of cyber insurance coverage then cyber insurance could become largely useless for many policyholders dealing with a wide range of incidents from espionage to ransomware.

That’s why the decision in the Mondelez case is so crucially important—for both insurers and their customers. If Mondelez wins that means insurers will either have to cover a much broader range of cyberattacks or rewrite their coverage to exclude new categories of damages that go beyond warlike actions. On the other hand, if Zurich wins the case then policyholders may decide that there’s little point in purchasing cyber insurance, forcing insurers to craft new language for their policies to reassure customers that at least some government-sponsored cyberattacks will still be covered.

The future of cyberinsurance 

Major insurers are already reshaping the language in their policies to prepare for the consequences of victory for either side of the dispute between Mondelez and Zurich . For instance, research by Daniel Woods and Jessica Weinkle has shown that insurers are increasingly building into their policies coverage for “cyber terrorism,” while still excluding hostile or warlike actions. The cyber terrorism coverage inclusion is presumably intended to reassure policyholders that they will be able to file claims for government-sponsored massive cyberattacks, despite the war exclusions in their policies. But the definitions of war and cyberterrorism are so ambiguous—and in many cases so overlapping—that it’s hard to see how this development does anything other than pave the way for more long legal battles like the one between Mondelez and Zurich.

Policymakers in several states and countries have taken an active interest in cyber insurance in the years since Mondelez’s suit against Zurich was filed, but they have done little to resolve the persistent uncertainty over what types of cyberattacks fall under insurance policy war exclusions. Nor have they helped clarify the extent to which existing government insurance backstops for terrorism, as laid out in the Terrorism Risk Insurance Act (TRIA) passed after the attacks of Sept. 11, might apply to cyberattacks like NotPetya, though the Treasury Department has begun soliciting feedback on how to do that. These clarifications might not resolve all of the ambiguity in existing cyber insurance policy language, but they could serve as an important first step in framing how the government defines cyber terrorism and cyber war. Those definitions would give insurers a clearer template to work from in writing their own policies and also provide policyholders with some language to compare their coverage against. Ideally, assuming the government is able to carve out a subset of cyberattacks covered under TRIA, that would also provide a clear boundary where private insurance coverage should apply: namely in all the circumstances where government coverage does not.

Regulators can do more than provide clearer definitions of cyber war and cyber terrorism; they can also help by being more careful in the way they talk about cyberattacks more generally to help avoid fueling similar legal disputes. When Senator Dick Durbin referred last year to the SolarWinds cyber espionage campaign as “virtually a declaration of war,” this is precisely the kind of quote that insurers and their lawyers seize on in lawsuits over whether or not incidents like Pearl Harbor or airplane hijackings that occur outside the timeframe of formal, legal war declarations can be considered warlike actions for insurance purposes. The results of those older legal disputes over insurance war exclusions can still be seen in the language built into policies like Mondelez’s today. The explicit designation in the Zurich policy of excluding any “hostile or warlike action in time of peace or war,” for instance, reflects changes made to insurance policies following Pearl Harbor, when some insurers denied life insurance claims on the basis that those who died at Pearl Harbor died due to an act of war. The families of those soldiers then challenged those claim denials on the grounds that the United States did not officially declare war on Japan until the day after Pearl Harbor. Accordingly, insurers began to expand their war exclusions to cover events that happened “in time of peace or war” so that they would not be restricted to only excluding events within the confines of official, legal declarations of war.

NotPetya, like Pearl Harbor before it, is already changing the ways that insurance exclusions are being written. But this time insurers are faced with the conflicting goals of trying to get themselves off the hook for coverage of catastrophic cyberattacks while still persuading their customers that most intrusions and breaches will still be covered. These conflicting pressures have led to even more confusing—and at times contradictory—language being inserted into cyber insurance policies in ways that do little to resolve any of the important and pressing issues raised by the Mondelez case. If policymakers are still hopeful that insurance will play a crucial role in helping organizations manage cyber risk, they should be actively engaging with carriers over how to establish clearer, better founded definitions of which types of cyberattacks should be covered by insurers, which types by government backstop programs, and which ones by the victims themselves.

Josephine Wolff is an associate professor of cybersecurity policy and has been associated with The Fletcher School at Tufts University since 2019.

Source: https://www.brookings.edu/techstream/how-the-notpetya-attack-is-reshaping-cyber-insurance/

Comments

Post a Comment

Popular posts from this blog

How a cyber attack hampered Hong Kong protesters

By Explorer -
Image
Massive public protests taking place in Hong Kong over the past week are aimed at a new extradition law, known as the Fugitive Offenders Ordinance , that would see accused criminals extradited to mainland China to face prosecution. Hongkongers feel the law could be used to legalise the kidnapping of people who express views, and act in ways, that are not popular with the Chinese government . The same law could also be used to extradite tourists and visitors to China who are arrested on suspicion of having committed these crimes. Protesters want the bill scrapped. For now, debate of the legislation has been postponed . Organisers say one million people turned out for the protests, while police estimate the number was around 240,000. Either way, it was a significant number of Hong Kong’s 7.5 million population. Commentators on Twitter remarked on how well organised the protesters were. So, how did they do it? Protesters across the world are using n
Read more

‘Not Hospital, Al-Shifa is Hamas Hideout & HQ in Gaza’: Israel Releases ‘Terrorists’ Confessions’ | Exclusive

By Explorer -
 According to a video of interrogation of "Hamas terrorists" released by Israel Security Agency Shin Bet, accessed exclusively by News18, "The Shifa hospital has been made with many considerations as Hamas knew that medical places won’t be attacked by the enemy. Equipment, explosives and other material has been kept there." Hamas is using hospitals in Gaza as covers and have turned them into ammunition depots, according to a video of interrogation of “Hamas terrorists" released by  Israel Security Agency  Shin Bet, accessed exclusively by News18. ALSO READ | Israel-Hamas War LIVE Updates  HERE The Israeli military has claimed that those featuring in the video released on Saturday are Hamas terrorists, who participated in the  October 7 attack  on Israel. “Most of the tunnels are hidden in hospitals. There are multiple underground levels. Al-Shifa Hospital is not small, it is a big place that can be used to hide things," a man is seen saying. “The Al-Shifa
Read more

Islam Has Massacred Over 669+ Million Non-Muslims Since 622AD

By Explorer -
Image
In fact, no ideology has been as genocidal as Islam… Islam has killed more than 5 times the number of people killed by communism. In the total numbers we have updated over 80 million Christians killed by Muslims in 500 years in the Balkan states, Hungary, Ukraine, Russia. Then we have India. The official estimate number of Muslim slaughters of Hindus is 80 million. However, Muslim historian Firistha (b. 1570) wrote (in either Tarikh-i Firishta or  the Gulshan-i Ibrahim) that Muslims slaughtered over 400 million Hindus up to the peak of Islamic rule of India, bringing the Hindu population down from 600 mil to 200 million at the time. With these new additions the Muslim genocide of non-Muslims since the birth of Mohammed would be  over 669 million murders. Islam: The Religion of Genocide Perspective:   Think the Spanish inquisition was bad? More people are killed by Islamists each year than in all 350 years of the Spanish Inquisition* combined. The Spanish inquisition ( Tribunal del Sant
Read more