The ramifications of the 2017 NotPetya attack, which the US government attributed to a Russian cyber-attack on Ukraine, continue to be felt worldwide: cyber insurers are now modifying their coverage exclusions, expanding the definition of such attacks to count as an "act of war." This five-year-old cyber-attack appears to be turning the insurance industry on its head.
Mondelez International, parent of such popular brands as Cadbury, Oreo, Ritz, and Triscuit, was hit hard by NotPetya, with factories and production disrupted. It took days for the company's staff to regain control of its computer systems. The company filed a claim with its property and casualty insurer, Zurich American, for $100 million in losses. After initially approving a fraction of the claim — $10 million — Zurich declined to pay, stating the attack was an act of war and thus excluded from the coverage. Mondelez filed a lawsuit.[1]
Late last month, Mondelez and Zurich American reportedly settled for the original $100 million claim, but only after Merck won its $1.4 billion lawsuit against Ace American Insurance Company in January 2022 over its own NotPetya-related losses. Merck's claim, too, was made under its property and casualty policy, not a cyber insurance policy.
Back in 2017, cyber insurance was still a nascent market, so many large corporations filed claims for NotPetya damages (the attack caused an estimated $10 billion in damage worldwide) against their corporate property and casualty policies.
So, What Changed? The significance of these settlements is that they show the ongoing evolution of the cyber insurance market, says a senior analyst at Forrester Research. Until 2020 and the COVID-19 pandemic, cyber insurance policies were sold much like traditional home or auto policies, with little regard for a company's cybersecurity profile, the tools it had in place to defend its networks and data, or its general cyber hygiene.
Once a wave of ransomware attacks exploited the careless cybersecurity many organizations demonstrated, carriers began tightening the requirements for obtaining such policies, Forrester says. The business model for cyber insurance is now dramatically different from that of other lines, making the cyber insurance policies of 2017 obsolete. Cyber insurance is in a state of flux, with turnover in the carrier market, lower limits on the coverage offered, and more aggressive terms, including exclusions, than were in place prior to 2020.
Defining an Act of War: Acts of war are a common insurance exclusion. Traditionally, the exclusion required a "hot war," such as what we see in Ukraine today. Carriers now argue, however, that a cyberattack can be an act of war without a declaration of war or the use of troops or aircraft: the state-sponsored attack itself, they maintain, puts the loss on a war footing. Whether courts will accept that reading is the open question; as the Merck ruling shows, they have so far been reluctant to apply clauses written for conventional warfare to cyberattacks.
In April 2023, new wording takes effect for cyber policies from Lloyd's of London that excludes liability losses arising from state-backed cyberattacks. In a Market Bulletin released in August 2022, Lloyd's underwriting director Tony Chaudhry wrote, "Lloyd's remains strongly supportive of the writing of cyber-attack cover but recognizes also that cyber related business continues to be an evolving risk. If not managed properly it has the potential to expose the market to systemic risks that syndicates could struggle to manage." Lloyd's went on to publish additional supplemental requirements and guidance that modified its rules from 2016, issued just prior to the NotPetya attack.
Effectively, Forrester notes, larger enterprises may have to set aside large cash reserves in case they are hit with a state-sponsored attack. Should carriers succeed in persuading courts that a state-sponsored attack is, by definition, an act of war, no company will have coverage unless it specifically negotiates the exclusion out of its contract. When buying cyber insurance, "it is worth having a detailed conversation with the broker to compare so-called 'war exclusions' and determine whether there are carriers offering more favorable terms," say the Insurance Recovery and Counseling and Data Security & Privacy practices at the District of Columbia law firm Barnes & Thornburg. "Unfortunately, litigation over this issue is another example of carriers trying to tilt the playing field in their favor by taking premium, restricting coverage, and fighting over ambiguous terms."
For small and midsize businesses (SMBs) hit by a state-sponsored attack, it could be "lights out," Forrester says. Plus, the analyst emphasizes, SMBs are often targeted when they are primary or secondary suppliers to a large enterprise holding information the attacker wants. That means a small company without the right insurance coverage could be put out of business simply because the attacker was a nation-state rather than a cybercriminal.
Policyholders must understand what is covered. While the European and North American cyber insurance markets are similar, they are by no means identical. "Not every [American] policy will have language recommended by the London insurance market, and those rules do not apply to American insurance carriers. As a best practice, policyholders should consider whether London market insurance carriers are offering the most robust coverage after the recommended changes go into effect," said Barnes & Thornburg. "This case is an example to policyholders that when claims get really expensive, carriers will do everything they can to fight coverage. The insured always should remember that the insurance carrier must prove that an exclusion applies. And sometimes," they explain, "the insured will need to litigate with its carrier to get the coverage it thought it was buying."
The upshot from the Merck and Mondelez cases, as well as Lloyd's recent announcement: state-sponsored attacks are now being written explicitly into act-of-war exclusions, even as courts have hesitated to read them into the older clauses. "Many carriers are in the process of rewriting their act of war exclusions to address the realities of state-sponsored or assisted cyberattacks and also because courts, as indicated in a few recent decisions and perhaps implied by the Mondelez settlement, are looking skeptically at the application of clauses written for traditional guns and bullets warfare to cyberattacks," says the New York law firm Barton. "I think this is the most significant takeaway from Mondelez and those recent court decisions. Carriers who update their clauses will be more aggressive in denials of coverage for attacks that may be considered state-sponsored, while those that do not update the clauses may be less inclined to rely on them."
Red Sky Alliance works with Cysurance to offer cyber insurance protection. This environment is clearly evolving year to year, and sound cyber protection and proper insurance are a must for any business.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@wapacklabs.com
- Reporting: https://www.redskyalliance.org/
- Website: https://www.wapacklabs.com/
- LinkedIn: https://www.linkedin.com/company/64265941
Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings
https://attendee.gotowebinar.com/register/5504229295967742989
[1] https://www.darkreading.com/edge-articles/amid-notpetya-fallout-cyber-insurers-define-state-sponsored-attacks-as-act-of-war