David Braue
Editor at Large

Four years after NotPetya, cyber insurance is still catching up

Feature
Apr 21, 2021 · 7 mins
Cyberattacks, Insurance Industry

Experts advise “terrified” insurers to better engage businesses to ensure long-term viability, and they advise businesses to track their policies closely.

[Image: cyber insurance. Credit: Thinkstock]

Faced with increasing payouts and a likely storm of litigation around the recent SolarWinds and Microsoft Exchange Server compromises, cyber insurers are facing an “existential battle” for their future, a leading cybersecurity researcher and privacy consultant has warned. Businesses, meanwhile, are grappling with whether to buy cyber insurance at all, given doubts about whether a conflicted industry will actually pay out when they are attacked.

A growing body of evidence has confirmed that cyber insurers faced major payouts in the wake of massive attacks such as 2017’s NotPetya, which caused billions of dollars’ worth of damage and brought many global businesses to their knees.

That attack, which came just 20 years after the world’s first cyber insurance policy was written, proved to be a major touchstone in the evolution of an industry that, one researcher believes, is still “in its early days” when it comes to understanding the full scope of cyber risk exposure.

Cyber insurance’s rocky road and continued uncertainties

“There have been a lot of attacks over the years that have caused insurers to lose sleep,” said John Selby, head of research and training at privacy risk management consultancy Privcore and a researcher at Macquarie University’s Faculty of Business and Economics, during a presentation at the recent AISA CyberCon conference.

Cyber insurance policies “tend to be much narrower in their scope” than other types of insurance, Selby said, in part because underwriters “have a much smaller pool of historical data upon which to model the risk for cyber insurance, so [pricing] your policy is a big challenge for them. … They are hesitant to offer coverage against events where the probability of an occurrence is ambiguous.”

Widespread attacks like NotPetya introduced further complications through aggregation risk—“the possibility that many policyholders will simultaneously suffer numerous losses from a single cause or event,” Selby said—“and that sends a deep shiver down the spine of insurance brokers and underwriters because an aggregated risk may lead to bankruptcy for insurance if they have inadequate financial reserves.”

Many insurers had capped their liability for cybersecurity losses at a tenth of the $1 billion-plus limits of the property and public-liability policies that conventional business insurance offers, leaving some affected companies paying out of their own pockets, or trying to find ways to claim under other business policies, after NotPetya racked up a devastating toll.

One of the most severely hit companies, food giant Mondelēz, ended up launching legal action against its insurer, Zurich Insurance, for $100 million after Zurich refused to cover its NotPetya losses on the grounds that Mondelēz’s policy excluded hostile or warlike action by governments or sovereign powers. Zurich’s contention that NotPetya was an act of war “is easy to claim, [but] more difficult to prove in court,” Selby said.

That action is still stumbling through the US court system. But with insurers increasingly likely to invoke such exclusions to avoid paying out on cybercriminal attacks, and with increasingly common nation-state hacking making it more important than ever for companies to correctly attribute breaches to their source, clear expectations around cyber insurance have never been more important.

Setting expectations has been particularly challenging for small businesses, which, Cynch Security CEO Susie Jones warns, are still marginalizing themselves due to “a misconception out there that cyber insurance doesn’t pay up. … I’ve regularly heard people across the tech industry say there’s no point buying cyber insurance because they don’t pay,” Jones told a recent AustCyber industry forum, “but from everything that I’ve seen, the data has absolutely nothing to support that perception.”

As a security consultancy, Cynch recommends cyber insurance to “the vast majority” of its clients “not simply because of the dollars attached and being able to reimburse the costs, but because of the access to experts—experts and lawyers and digital forensics experts and everybody that you need to help you appropriately respond to a cyber incident.”

Yet getting to that point still required effort on both sides of the table, she said, noting that many cyber insurance brokers were still undereducated about appropriate cybersecurity protections, and many small-business owners still struggled to convey their information-security status.

“If the small-business owner doesn’t understand what’s being asked of them, and the broker doesn’t also, that means the conversation doesn’t progress,” Jones said. “So we really need the tech industry and the insurance industry to start talking to each other, to acknowledge the benefits of each other and to really start playing ball.”

When liability hinges on semantics

Yet protectionism continues to dominate an industry fighting for viability.

Even as the cyber insurance industry works to build a market, and to spread its risk, through engagement with small businesses, high-profile breaches and their attendant litigation often remain mired in semantics.

When Sony was attacked in 2014, authorities shied away from calling it an act of cyberterrorism, Selby said, “because they recognized that would have an effect on insurance coverage issues; they called it ‘cybervandalism’ instead.”

Semantics have become equally contentious in litigation brought by NotPetya victim Merck, which sued its insurers after being compromised and sought to claim both under its $275 million cyber insurance policy and under nearly two dozen other business-interruption policies it believed should help cover losses estimated at $1.3 billion.

To avoid potential claims about NotPetya being a nation-state action, Merck’s complaint “doesn’t mention the word ‘NotPetya’ at all,” Selby noted. “They refer to it as a network-interruption event from a malware or ransomware infection. … They’re trying to make it a generic issue to the court, and perhaps strategically downplay the ability of the insurers who are denying coverage” under act-of-war clauses that, he added, notably have “no requirement under the war exclusion for it to be a kinetic [physical] war.”

Prior cases—relating to cyber damages and real-world incidents—had established a range of precedents based on issues such as whether a state of war was currently in place, whether the groups causing the damage were allied with a sovereign government, and other factors.

“Inconsistent language, and minor differences in language in policies, can have a significant effect on the outcome of a claim for the same event,” Selby said, “so read your policies very carefully.”

Ultimately, he said, attribution of responsibility for a cyberattack can have a major impact on the outcome of a claim. Successful attribution will require both identification of the individuals and organizations that perpetrated the attack, and evidence that those individuals “acted under state authority.”

Attribution ultimately occurs through one of four means, Selby said: by indictment, by sanctions, by technical alert, and by press release.

Even as cyberattacks continue at pace and companies scramble to recover from damage and business interruption, Selby warned CISOs to stay aware of the ever-changing situation, with many insurers having changed the wording of their cyber insurance policies in the aftermath of NotPetya.

“The aggregated risks in other insurance policies have the insurance industry quite terrified,” he said, “because they’re worried it will affect either their solvency or their credit ratings, and their ability to pay policies out generally because they’ll go bankrupt.”

Four years on from NotPetya, the ongoing series of lawsuits “are symptoms of broader problems” in the way cyber insurance policies are written and enforced, Selby said. “Cyber modelling for catastrophic losses is still in its infancy,” he said. “Insurance needs to be a sustainable long-term bargain, and we’re not there yet.”