Due to the evolving and growing impact of cybersecurity incidents there are some questions starting to arise about the way that insurance companies deal with the costs that are the results of such incidents.
Cyber insurance is a form of cover designed to protect your business from threats in the digital age, such as data breaches or malicious hacks on work computer systems. But cyber insurance comes in different flavors and sizes. Some policies only cover the results of a data breach, while others are supposed to cover the entire spectrum of costs that are the result of a cyber incident.
Pharmaceutical giant Merck & Co. has successfully sued its insurers who had denied coverage for NotPetya’s impact to its computer systems pointing to a clause that made an exception for acts of war. Merck suffered US$1.4 billion in business interruption losses from the NotPetya cyberattack of 2017 and made a claim against "all risks" property insurance policies providing coverage for losses resulting from destruction or corruption of computer data and software.
What was NotPetya again?
Petya, created in July 2016, started off as one of the next-generation ransomware strains that utilizes a Master Boot Record (MBR) locker. In the early days of ransomware, strains that modified the startup of a system were popular, but they had died off many years ago.
NotPetya was the name given to a ransomware variant coded to erase a unique and randomly generated key used to encrypt the MFT (Master File Table). The destruction of the Salsa20 key made it very unlikely that users would be able to receive a working decryption key – even after paying the attackers ransom demands. As soon as that fact became clear, it was no longer considered an actual ransomware, but more a destructive malware under the guise of ransomware.
An act of war?
Based on information released by security researchers, a Ukrainian accounting software company called Me Doc pushed an update, which installed the NotPetya malware on the “victim zero” system. Then, using a mix of PSExec, WMI, and EternalBlue, it was able to spread to every other computer on the network. This is very likely the reason why Merck’s insurance company claimed this malware attack could be attributed to Russia’s military intelligence agency, deployed as part of the ongoing conflict with Ukraine.
Insurance policies often contain exclusions barring coverage for war or warlike action. But New Jersey Superior Court Judge Thomas J. Walsh ruled that Merck’s insurers can’t claim the war exclusion because its language is meant to apply to armed conflict. The ruling noted that insurers didn’t change the war language to put companies like Merck on notice that cyberattacks wouldn’t be covered, despite a trend of attacks by countries like Russia hitting private sector companies.
Merck isn't the only company that's run into conflict with its insurance company over NotPetya. Zurich Insurance Group AG used government attributions of the attack to Russia as a reason to deny payments for damages to snack giant Mondelez, and there have been explorations of the idea in the insurance industry ever since.
Lloyd’s of London
Other insurance companies are making changes to what they intend to cover under their cyber insurance policies.
For example, major insurance firm Lloyd’s of London issued a bulletin indicating that its cyber insurance products will no longer cover the fallout of cyberattacks exchanged between nation states. The insurer said that damages from cyber war between countries would no longer be covered, and that this definition extends to operations that have “major detrimental impact on the functioning of a state.”
Lloyd’s says that it no longer wants to deal in losses that result from cyber war. As the firm defines it, this means cyberattacks during a formal state of war as well as retaliation by one state against another.
These developments are becoming mainstream, and insurers have begun pulling back on cyber coverage. A recent study finding that Lloyd’s syndicate members cut coverage by about 50%, and charged higher premiums in 2021 due to the global impact of ransomware attacks.
The New Jersey Superior Court's decision is heavily reliant on the doctrine of "reasonable expectations of the insured" under New Jersey law which construes insurance policies in favor of policyholders. This means that courts in other areas may rule different.
There's also the possibility that insurance companies may have made exclusions that were worded more clearly in their own favor.
Depending on the wording of the exclusions, attribution may become a deciding factor. But, as everyone in the cybersecurity industry can tell you, attribution is hard, especially where it concerns state-sponsored threat actors whose prime responsibility is to not get caught. And, if they get caught, deny who they are working for.
So, it's likely that issues like this will be settled in court more often. What remains true, is the old saying that prevention is better than cure.
Stay safe, everyone!