You can buy insurance policies to cover damage from almost anything—dog bites, meteor showers, volcanic eruptions, stampeding cows. But if you’ve bought insurance against cyberattacks, which are among the most common and costly phenomena of our time, you may find it hard to collect on a claim.
A few big corporations recently made this startling discovery, and two of them—Mondelez International and Merck Pharmaceutical—are suing their insurers. The cases may settle some uncertainties that no one has formally contemplated, much less resolved. If the courts rule against the plaintiffs, the entire cyberinsurance industry—which was created 20 years ago but has only recently started to surge—may be abandoned by clients, and the already dismal state of cybersecurity may diminish still further.
Here’s the background. In 2017, a piece of malware called NotPetya was delivered through a poisoned software update to a Ukrainian tax-accounting program, wiping out 10 percent of the country’s computers and shutting down vital infrastructure throughout the country before spreading to networks worldwide, crippling a host of multinational companies, including Mondelez, Merck, Maersk, FedEx’s European subsidiary, and Russia’s state oil company, Rosneft. That last one was ironic, as Western intelligence agencies concluded that the malware had been planted by the Russian government, as part of its harassment campaign against Ukraine.
Mondelez, the maker of Oreo cookies and Cadbury chocolates, filed a claim for $100 million in damages with the Zurich Insurance Group. Mondelez hadn’t taken out cyberinsurance per se, but its policy with Zurich did cover, among other things, “physical loss or damage to electronic data, programs, or software” as a result of “the malicious introduction of a machine code or instruction.”
However, Zurich denied the claim, citing intelligence agencies’ verdict that NotPetya was part of a Russian attack on Ukraine, and referring to a clause in the company’s policy excluding from coverage any damage caused by “hostile or warlike actions in time of peace or war.”
Mondelez’s case against Zurich is proceeding in an Illinois court. Merck has filed a similar suit in New Jersey. The trials are likely to drag on for years because several key questions will have to be answered.
The first might be: What is cyberwar? In 2006, Secretary of Defense Robert Gates, alarmed by the incessant briefings he was receiving on cyberattacks against the U.S. military and defense companies, asked the Pentagon’s general counsel at what point these attacks could be considered “acts of war” under international law. It took two years for the counsel’s office to respond and, even then, only evasively: Yes, the reply read, such attacks might be acts of war—but the precise circumstances were left vague.
Second, to what extent can an intelligence agency’s judgment—the basis of which is probably classified—be cited to establish liability in a civil court case?
Third, Mondelez’s lawyers are arguing that the war exclusion cannot be applied because the company and its transactions took place far from the Russia-Ukraine battlefield. But what are the battlefield’s boundaries in cyberspace? Is there even such a thing as a battlefield?
Finally, as more (and more damaging) cyberattacks appear to be directed by national governments or their proxies, what is the point of having cyberinsurance if such attacks are excluded from coverage? This is the question that many clients will ask themselves if the insurers win these two cases. In other words, a tactical victory for the insurers could spawn a strategic defeat.
“There’s a mad rush for insurance companies to write cyber policies,” says Bob Gourley, co-founder and chief technology officer of OODA LLC, a strategic advisory firm. But even when cyberattacks are not offshoots of war, the coverage offered by those companies is thin.
According to Richard Clarke, CEO of Good Harbor Security Risk Management (and the White House cybersecurity chief during Bill Clinton’s presidency), these policies cover direct costs of a breach—the interruption of business, unauthorized credit card charges—and pay for subsequent credit monitoring and forensic teams. But the policies generally do not cover the much bigger losses of intellectual property, reputational damage, or theft of trade secrets.
One reason is that the cyberinsurance business began 20 years ago, when attacks were seen mainly as nuisances inflicted by malicious hackers rather than a threat to economic infrastructure and national security, much less a new “domain” of international conflict. As a result of its booming demand and its limited payouts, cyberinsurance is a highly profitable branch of the industry. However, from the standpoint of insurers, the proliferation of attacks and the size of the targets have started to outgrow their ability to reimburse the enormous damage that such attacks can inflict.
If cyberinsurance is to become a serious piece of both insurance and cybersecurity, a total rethink is required. The model, up till now, has been hazard insurance, but a better model might be health insurance. When you buy hazard insurance, you’re insuring yourself against the slim possibility of a fire or a flood; when you buy health insurance, you’re insuring yourself against the near certainty of eventual injury or illness. If you run certain sorts of businesses, cyberattacks are a near certainty—and, in some cases, potentially fatal.
This means that real cyberinsurance, like health insurance, is going to be expensive. But a real insurance market can also provide incentives for improving cybersecurity. Just as medical and life insurance policies offer discounts for people who don’t smoke or keep healthy regimens, cyberinsurance policies could do the same for corporations that maintain “good hygiene” or follow “best practices” in computer security.
Back in the mid- to late 1990s, when senior U.S. officials became aware that the internet was catastrophically vulnerable, some of them (notably Richard Clarke) advocated mandatory cybersecurity requirements for firms and government agencies involved in “critical infrastructure”—finance, transportation, electrical grids, water supply, emergency services, and so forth. The companies lobbied feverishly against the proposals. Even some Cabinet secretaries, who didn’t yet grasp the full scope of the risks, worried that “excess regulation” would stifle innovation and competitiveness. The resistance won. Even subsequent presidential orders, which at first glance seem to impose security requirements, lack enforcement clauses; they’re, in effect, nonbinding finger wags and brow furrows.
In the absence of regulations, maybe market incentives can take us part of the way toward cybersecurity. But if the insurance companies succeed in claiming war exemptions in the two cases on trial now, the last route toward even a partial solution might be closed off.