Cyber Insurance as a risk mitigation strategy? Read the fine print, and then read it again.
Cyber insurance is widely regarded as a valid risk mitigation strategy adopted by many companies. There can be no denying the need for adequate protection against cyber attacks. The statistics are quite damning and worrying.
- Cybercrime will cost companies as estimated US$10.5 trillion annually by 2025
- 43% of attacks are aimed at small businesses
- Ransomware attacks occur once in every 11s in 2021 (up from once in 40s in 2016)
- 3 million ransomware attacks worldwide in 2021
- Ransomware generates US$1 billion in revenue for cybercriminals
In the face of increasing cyber attacks, with bolder and more sophisticated adversaries, let us look at two complexities with cyber insurance.
One of the worst cyberattacks, is the NotPetya ransomware attack around June 2017. The ransomware is called NotPetya to distinguish itself from it’s predecessor, Petya. Petya is a ransomware discovered in 2016 that targets Windows-based system, identifying and infecting the master boot records to execute a payload to encrypt the file system table rendering the Windows system effectively paralyzed and unable to boot. Unless a ransom paid in cryptocurrency is made, the system owner will not be able to regain access to the system.
NotPetya is a variant of the Petya ransomware but with a greater propensity to spread and infect other computers. Petya appears to be an encrypting ransomware that aims to make a few bucks for the perpetrator but the NotPetya was widely regarded to be a Russian state-sponsored cyber attack thinly disguised as a piece of ransomware. It is thought to be targeting quarries in the Ukraine. The tension and conflict between Russia and Ukraine predates the current armed conflict between the 2 countries which is unfolding at the time of writing.
While the Petya ransomware appeared to be motivated by financial gain, the nefarious actors responsible for the NotPetya variant was bent on pure destruction.
The damage as a result of NotPetya was significant posing a significant danger to computers and connected machines throughout the world, estimated to be in excess of US$10 billion by the US Department of Homeland Security. In comparison, the more prominent WannaCry ransomware was estimated to cost anywhere in between US$4 billion to US$8 billion globally, in part due to the identification of a kill-switch by Marcus Hutchins.
War! What is it good for?
The damage to NotPetya spread beyond the borders of Ukraine and caused incredible damage and destruction worldwide. One of the companies infected was Mondelez International. Mondelez is a multi-national food company headquartered in Chicago that makes, amongst other products, the much-loved Oreo biscuits. NotPetya infected the computer systems of Mondelez, disrupting the company’s email systems, file access, and logistics for weeks.
When the dust settles and Mondelez quantified the extent of the damage of the ransomware, it was estimated to be in excess of US$100 million. Mondelez subsequently filed a claim against the insurers, Zurich Insurance asserting that they had 1700 servers and 24000 laptops permanently damaged. The claim was contested and parties went to court. While it is not the intention of this article to dissect the legalities of the claim, it does aim to present the complexities in cyber insurance.
Mondelez claimed against the all-risk property coverage it bought with Zurich Insurance. Zurich Insurance denied the claim on the grounds that the NotPetya ransomware was widely attributed to the Russian government and that this was a state-sponsored action. As a result, the war exclusionary statements in the policy kicks in.
Does “war” in the exclusionary clause mean cyber-warfare or does that only cover the plain and common meaning of the word which includes armed conflict between two parties that exercises control over its geographical jurisdiction? How about cyber attacks initiated by parties sympathetic to a government or a cause, like Qassam Cyberfighters, but not acting on behalf of a legitimate government?
In the case of Mondelez’s claim, it is still a matter before the courts. It is interesting to note that a similar claim by Merck was found by the courts to be in their favour as the presiding courts took the view that “war” does not include cyber warfare. Regardless, the insurers will learn and adapt their policy verbiage moving forward.
Fraud with difficulty
Cyber insurance typically provides first-party and third-party insurance coverage. Third party coverage protects the insured against claims made by a third party as a consequence of a cyber attack.
First party coverage provides protection for the insured party’s data and may also include coverage for interruption of business activities. Extortion, for example payments to threat actors to release control of the data and systems, may also be included as part of first party coverage.
However, organisations may seek coverage for ransomware under other commercial policies, such as the commercial insurance policy which provides for coverage as part of protection against crime. In a case involving G&G Oil Co., the insured submitted a claim under the computer fraud provision under the crime part of the policy. Their insurer, Continental Western Insurance declined the claim on account that the ransomware is not technically a fraud but has all the features of being a theft.
The matter was found to be in favour of the insurer by the appellate courts in the United States but was then referred to the state Supreme Court which found in favour of the insured. The case hinges on the definition of “fraud”, having not being clearly defined in the policy and the manner in which the ransomware was initially introduced into the environment; by a spear-phishing campaign.
These and other claims cases over the years will invariably change the face of cyber insurance. Insurance companies will adapt, refine and formulate their policies as a natural and expected response.
Given the expected increase of cyber attacks as more enterprises digitally transform, businesses of all shapes, sizes and across industries should carefully review their critical assets to understand how, where and what types of insurance can provide them with adequate coverage. Perhaps cyber insurance policies should be augmented with other policies to provide a more holistic protection for the enterprise. Risk management professionals, working with legal experts, should keep abreast of shifts in the marketplace and exclusionary clauses in the fine prints in an ever-shifting threat landscape.
Insurance is something individuals and organisations take up hoping never to invoke. Cyber insurance should not be the chief mitigation strategy. The best mitigation is, as always, taking care of basic cybersecurity hygiene. Have a comprehensive organization-wide cybersecurity awareness programme, adopt multi-factor authentication, never click on unknown and suspicious attachments, use strong passwords that are regularly changed and establish a reliable and effective data backup strategy
1. Greenburg, Andy (22 August 2018). “The Untold Story of NotPetya, the Most Devastating Cyberattack in History“. Wired. Retrieved 1 September 2018.
2. NotPetya: How a Russian Malware created the worlds worst cyberattack ever
(Apama Banerjee- Business Standard, 30 Sep 2022)
3. How the NotPetya attack is reshaping cyber insurance
(Jospehine Wolff – Tech Stream, 1 Dec 2021)
4. Daniel B. Garrie, Don’t Fall Behind: A Cybersecurity Guide for Law Firms (Lexeprint, Inc., 2021)
Learn more about Cybersecurity with these available courses today!