Insurers have been quick to adapt to the rapidly changing cyber landscape. An increase in attacks and claims has quickly rendered a very profitable line of business unsustainable. Insurers have made changes in response: narrowing the parameters for coverage, increasing prices, and introducing new requirements for cover. Exclusion clauses like those published by Lloyd’s are the next step for the industry trying to balance exposure and demand.
The new exclusions prove that businesses can no longer rely on the promise of a bailout. Instead, they must take control of ransomware situations themselves.
Mondelez vs Zurich
Insurance exclusions for acts of war are common but applying these exclusions in the cyber world is often difficult.
In 2017, the NotPetya attacks targeted Ukraine but subsequently had a huge impact on other companies around the world including Mondelez. Mondelez subsequently claimed on its insurance but its insurer Zurich refused to pay out, citing the “war exclusion” clause in its policies.
This has led to a legal battle between Mondelez and Zurich. The main issue is whether the NotPetya attacks qualified as an act of war.
The new clauses from Lloyd’s favour the insurers with broader definitions of cyber activities that can be excluded from coverage.
An act of war vs ‘cyber operations’
Many of the events between nation states don’t qualify as “war”. We are not quite in a cyber-cold war, but there’s certainly a cold-skirmish or two happening and plenty of cold-jostling. The consequence of this is organisations like Mondelez getting caught in the cyber crossfire and looking to claim on their insurance.
These new clauses go beyond ‘acts of war’ to include “cyber operations” attributed to a state or “those acting on its behalf”. The parameters for a payout are narrowing, shifting the onus for protecting data onto the victims.
The challenge of attribution
It’s often difficult to attribute responsibility for a cyberattack. These clauses place emphasis on the government of the claimant to attribute responsibility, but identifying the attackers isn’t simple. There is understandably a lot of deception in cyber warfare, with attackers often intentionally leaving clues that would point to other attackers or nations.
Even if a government can identify an attacker, it might not be in its best interests to publicly attribute responsibility. Naming and shaming is a tool in the international diplomacy toolbox that will be used carefully for political purposes. Governments are unlikely to consider the impact on insurers when making such decisions.
If a government doesn’t attribute responsibility, or if it “takes an unreasonable length of time to”, the responsibility to prove attribution falls to the insurer. That seems to be a dangerous case of checking one’s own homework.
The other challenge of attribution is that cyber groups are often loosely affiliated with a government, and proving whether a group was directly controlled by or sponsored by the government is incredibly difficult. Previously, that distinction would be more important. The new clauses widen the net with “those acting on its behalf” working as a catch-all for these kinds of relationships.
Impact on policyholders
These are all very interesting machinations of the insurance and legal industries, but it’s important to work out what this means for organisations looking to protect themselves against the potential losses of a cyber incident. It’s likely that most organisations who suffer an attack probably don’t care a great deal whether the cause was a criminal trying to profit or collateral damage from a spy agency retaliating against another nation.
The key takeaway here is that businesses must now prepare to recover from ransomware attacks themselves. You can’t rely on getting your data back if you pay the attacker. You can’t rely on losses being covered by insurance policies. You must take control of the situation yourself to guarantee your organisation can survive an attack. In the event of an attack you have two options – to pay the ransom or to recover your data. Make sure you can recover your data.