Worldwide, businesses of all sizes have been purchasing cyber insurance policies to cover their assets as the risk of cyber-attack seems more and more prevalent, evidenced daily by ominous news headlines threatening finances, customer confidence and brand image.
Setting up to be a precedential case for cyber insurance, Zurich American Insurance Company is now refusing to pay out a $100 million claim from Mondelez International, one of the world’s largest confectionery, food and beverage companies (Subsidiaries include Kraft, Cadbury and Nabisco.)
The cyber-attack in question is the infamous “NotPetya” pseudo-ransomware attack that was deployed in 2017.
What is NotPetya?
“NotPetya” is a close relative of the “Petya” ransomware as it was first identified in 2016 with some distinct features that sets it into a class of its own. Where Petya modifies the disk of a computer system in a way that allowed it to be reverted, (once a ransom is paid), NotPetya does permanent and irreversible damage to the data during the encryption process. Simply put, NotPetya is simply masquerading as ransomware and there is no way an infected user would be able to recover their files.
Zurich says the NotPetya ransomware attack was actually an act of “cyber war,” and is therefore not covered by the policy.
What The Cyber Insurance Was Intended to Cover
According to Mondelez, the cyber insurance policy they held with Zurich was specifically purchased to cover “all risks of physical loss or damage” and “all risk of physical loss or damage to electronic data, programs or software” due to “the malicious introduction of machine code or instruction.”
On account of the endless reports of data breaches at major organizations around the world, the language in which cyber insurance policies were written was intimately designed to be all-encompassing and general enough to protect businesses in the event of almost any type of cyber-attack. NotPetya easily fits the definition of “malicious code” and, thereby, it would seem to be a relatively straightforward matter of totaling up the damage, filing a claim, and waiting for Zurich to pay out.
Zurich Invokes “Act of War” Clause to Avoid Payout
Initially, Zurich had indicated to Mondelez International that it may pay out approximately 10% of the initial claim, or $10 million; however, Zurich is retracting its initial assessment, stating that the policy will not respond to the claim as it invokes special exclusion, namely a “cyber war” clause. According to the insurer, there is no coverage and will not be making any payment towards the claims if NotPetya was indeed “a hostile or warlike action in time of peace or war.”
According to Zurich, the NotPetya attack originated with Russian hackers working directly with the Russian government in an effort to destabilize Ukraine. This effort is what Zurich has in mind when it invokes the “cyber war” exclusion as a mean to avoid paying the $100 million claim.
As evidence for its denial of the claim, Zurich references the official statements of national security officials from Canadian, UK, Australian and the US governments, all of which blamed Russia for the cyber-attack in February 2018. Furthermore, each of these governments specifically noted that the very first NotPetya attack occurred in Ukraine before spreading around the world where it would eventually impact large organizations, Like Mondelez.
What Does This Mean for Cyber Insurance?
Justifiably, to say Mondelez is not too happy would be an understatement. Zurich’s actions may set a difficult precedent about what exactly cyber insurance will cover. Simply put, any time an organization suffers a cyber-attack or data breach, the insurance company may argue that it was due to an “act of cyber war” to avoid paying out on any claims made in the aftermath.
Fortunately, for Mondelez, the burden of proof falls on the insurer, Zurich. While the government intelligence agencies have made statements blaming Russia for the attack, they provided no direct proof that NotPetya was, in fact, an act of cyber war. Proving this fact will be exponentially more difficult as it is notoriously difficult to trace the origin of any attack on a computer system. Should the claim move to the courts, even a coordinated move by political forces may not hold water.
Future Exclusions for Large Organizations?
Apart from the expanding threat landscape, another major concern for the cyber insurance industry is the sheer size and scope of these attacks. According to cyber experts, the total cost of clean-up as related to NotPetya alone is approximately $80 billion. To parallel that dollar value from a natural disaster standpoint, that’s the same cost of the 2017 Hurricane Irma disaster.
The question on everyone’s mind is what would happen if the world’s leading insurers are abruptly faced with the prospect of dealing with cyber-events of this magnitude on a regular basis? The potential of the collapse of the entire cyber insurance industry is no longer unfathomable.
Considering the fact that many homeowners located on fault lines or in hurricane zones are unable to purchase insurance, it is not a stretch to assume some insurers may refuse to write cyber policies for large organizations that deal with any form of personal data and information.
Protecting Your Organization
At this point, it becomes clear that the world of cybersecurity is evolving much faster than any insurance policy or government regulation can keep up with. If nothing more, Zurich’s refusal to pay, on the grounds that the attack was an “act of cyber war,” should be considered a red flag to all businesses that, in the event of a major cyber-attack, they had better hope they have the proper defenses set in place because their insurance policy may not bail them out.
Determining the risk of an event can be an overwhelming process, especially if you’re not aware of the various types of cyber-attacks that could occur. In most cases, conducting a risk assessment is possible; however, it is recommended that your organization considers hiring a third-party organization, particularly penetration testers.