back to article Cyberlaw wonks squint at NotPetya insurance smackdown: Should 'war exclusion' clauses apply to network hacks?

The defining feature of cyberwarfare is the fact that both the weapon and the target is the network itself. In June 2017, the notorious file-scrambling software nasty NotPetya caused global havoc that affected government agencies, power suppliers, healthcare providers and big biz. The ransomware sought out vulnerabilities and …

  1. Anonymous South African Coward

    This is food for thought.

    And the future certainly looks scary.

    High time I get out of IT, to start chicken/sheep/goat/alpaca farming somewhere in the boondocks without anything IT.

    1. Warm Braw

      I think you'll find the IT elite have beaten you to it.

      1. GnuTzu

        Then who's minding the store? Oh, uh, that's a vulnerability in itself. Fasten your seat belts. We're in for a bumpy ride.

  2. Anonymous Coward
    Anonymous Coward

    Its Zuric.....

    I have the misfortune of working in the insurance industry and I'm not surprised to see Zuric's name is on this they have a long and sordid reputation as hard-boiled B$%^&*£'s that will try anything no matter ho amoral to avoid coffing up.

    1. alain williams Silver badge

      Re: Its NOT JUST Zurich.....

      That is how most insurance companies work.

      Many years ago I spent some time at a large UK insurance outfit [think: nodding dog]. They had 2 floors where people earned commission: sales, well that I expected; claims - as understood it part of their commission was on how much less they could persuade claimants to accept as settlement, these people where experts up against insurance novices (like you & me) and convinced large numbers to agree less than they rightfully should have had.

      1. Chris G

        Re: Its NOT JUST Zurich.....

        The job is Loss Adjustment, i e. finding a way of reducing pay outs.

        All insurance companies are weasels, having wirked a little in the Industry, I would describe them as very similar to casinos where the numbers always favour the house except for that odd occasion where a winner breaks the bank.

        Then they change the rules so that it can never happen again.

        1. Anonymous Coward
          Anonymous Coward

          Re: Its NOT JUST Zurich.....

          Technically there are no winners in insurance. It's not suppose to leave you better off.

          However, as with any industry, greed is inexcusable when applying fees and payouts.

    2. Shady

      Re: Its Zuric.....

      A good few years ago a mate was getting into photography in a big way and spent loads of money on cameras and gear.

      He called his insurance company (on the phone) and added "valuable items in transit" cover.

      When his car was broken into and his gear stolen the insurance co. refused the claim - because he couldn't prove he was transporting his high value items to or from a safety deposit box, as specified in the small print.

    3. Huw D

      Re: Its Zuric.....

      Yeah, I was reading a client's cyber-liability policy and some of the definitions seemed a bit vague, to the point that the insurer could wangle its way out of paying.

      The most obvious one is the definition of "hack"

  3. alain williams Silver badge

    Hopefully a cyber attack will be found to be an act of war

    be that a formal war or guerilla warfare.

    It would make organisations take security seriously. Currently they can pay lip service knowing that insurance will pick up the tab. This can be thought cheaper than doing a proper job.

    It should also lead to choosing business platforms that are less prone to such attacks (I'm looking at you Microsoft) and better staff training.

    Also: in many cases the real people affected are not compensated: if a customer's data is exfiltrated and sold to the highest bidder it can hurt. Most customers suffer little ill effect, some are hit hard - it is difficult to tie one person's woes back to a particular organisation's cyber attack.

    If it is not found to be an act of war: then expect more insurance companies to add this sort of thing to the list of exclusion clauses.

    1. rcxb Silver badge

      Re: Hopefully a cyber attack will be found to be an act of war

      Nonsense. Companies will just shop around for other insurance without such an exclusion. It's the kind of trick you can only pull on your clients, once.

    2. Natasha Gooden

      Re: Hopefully a cyber attack will be found to be an act of war

      The interesting nature of the case highlights how a cyber attack can have many different effects and legal implications.

      Whilst for companies and from a consumer protection perspective it may be attractive for the court to rule in favour of there being an act of war.

      However, from the international law perspective extending the traditional boundaries regulation hostilities and warfare could be detrimental. To date, States have not affirmed that any cyber-attacks have reached the level of cyberwarfare. Attribution within international law is extremely challenging in the cyber domain and more often portray political agendas. Therefore, from an international legal perspective, it would not be surprising if the attack is not found to be an act of war.

  4. SotarrTheWizard

    Consider the flip side of the argument. . . .

    . . . . if a cyber attack is an act of war, then retaliating via armed force is on the table. And the more important question: what is the cyber equivalent of a Weapon of Mass Destruction ???

    1. JimmyPage

      Re: cyber equivalent of a Weapon of Mass Destruction

      Adobe Flash ?

      Windows ?

      1. SotarrTheWizard

        Re: cyber equivalent of a Weapon of Mass Destruction

        No, those are Weapons of Mass DUH-struction (grin)

    2. Anonymous South African Coward

      Re: Consider the flip side of the argument. . . .

      . . . . if a cyber attack is an act of war, then retaliating via armed force is on the table. And the more important question: what is the cyber equivalent of a Weapon of Mass Destruction ???

      Stoned Virus updated?

    3. IceC0ld

      Re: Consider the flip side of the argument. . . .

      And was Jerusalem builded here

      Among those dark satanic mills?

      1. Anonymous Coward
        Anonymous Coward

        Re: Consider the flip side of the argument. . . .

        No, it wasn't.

        (And the dark Satanic mills are churches, anyway.)

      2. IceC0ld

        Re: Consider the flip side of the argument. . . .

        so doesn't anyone here recall the Jerusalem virus then

        it was before my time [1987 IIRC] but it was a classic, and could still, I imagine, give some systems a kicking if it ever gets an 'upgrade'

        1. Anonymous Coward
          Anonymous Coward

          Re: so doesn't anyone here recall the Jerusalem virus then

          I do ... I improved it and released it into the wild.

          My version had no payload (I'm not a moron) but simply infected all .COM files on a computer and when it could no longer find any, it quietly *un*infected them again until the machine was clean. By which time (hopefully) it had spread.

          It was part of a Proof Of Concept that you could create a 2-part virus, with each part harmless, until combined on the same machine.

          Whether anyone took up my baton, I can't say. the absence of any reports of malware working that way today suggests not.

  5. Alexander J. Martin

    The "physical loss or damage" clause is key, no?

    Zurich has spent a lot of time stating that it has a cyber insurance policy which Mondelez did not purchase, instead claiming the damage it suffered from NotPetya against a property insurance policy. The "physical loss or damage" clause and how that's interpreted is key, no?

    Also, a lot of cyber insurance policies will be the requirement on companies to keep their systems patched - and Microsoft had issued a patch for the SMB vulnerability months before. Surely it can't be that Mondelez (revenue $25bn) claims it had exercised due diligence?

    1. tfewster

      Re: The "physical loss or damage" clause is key, no?

      "all risks of physical loss or damage to electronic data, programs, or software, including loss or damage caused by the malicious introduction of a machine code or instruction."

      Sorry, but that sounds like Cyber insurance to me. And Zurich haven't tried the "due diligence" getout, but went for the "act of war" excuse. So that's what we're discussing.

      1. Alexander J. Martin

        Re: The "physical loss or damage" clause is key, no?

        Mondelez isn't claiming for damage "to electronic data, programs, or software" though, it's claiming for damage to "electronic data processing equipment or media" as the complaint states in paragraph eight. It is certainly a matter of interpretation. And it isn't cyber insurance because Zurich has a specific policy for that which would probably have required Mondelez to patch in a reasonable amount of time.

        1. Anonymous Coward
          Anonymous Coward

          Re: I agree.

          Software being covered under the standard policy is standard. Covers licence fees for replacements (disks in the old days!).

          Cover for loss of data. That's a separate addition (even on consumer policies).

  6. EC3

    Yeah, but...

    "Zurich's use of this sort of exclusion in a cybersecurity policy could be a game-changer" - except it's not a Cyber policy, it's a Property policy. If Mondelez had purchased a specialised cyber policy, they would be unlikely to be having this issue.

  7. Jon 37

    It doesn't matter if it's war

    Who cares about what some treaty says about war?

    As far as the insurance policy goes, the wording (as quoted in the article) is: "hostile or warlike action in time of peace or war" by "government or sovereign power; the military, naval, or air force; or agent or authority"

    The relevant bit is: "hostile ... action ..." by "government or sovereign power; the military, naval, or air force; or agent or authority".

    This was clearly a hostile action. Assuming the attack can be pinned on Russia, their armed forces or their agents, then the policy exclusion applies, and the insurer won't have to pay.

    Arguing over whether it's "warlike" misses the point. Arguing over whether some other treaty means also completely misses the point. The contract means what it says.

    If the insurer had wanted to exclude "armed conflict as defined under International Humanitarian Law" then they could have said that in the contract, but they didn't. They deliberately made the choice to have a much wider exclusion, and their customer accepted that.

    1. IceC0ld

      Re: It doesn't matter if it's war

      The contract means what it says.

      the contract means what the insurer says it means .............. FTFY

      1. John Brown (no body) Silver badge

        Re: It doesn't matter if it's war

        "the contract means what the insurer says it means .............. FTFY"

        They're suing over it, so "the contract means what the judge says it means" FTFY :-p

    2. katrinab Silver badge

      Re: It doesn't matter if it's war

      If they had paid the bitcoins, would they have gone to the Russian government?

      I don't think so, so therefore it wasn't an act of war, it was the digital equivalent of someone turning up with a gun and demanding money to go away.

    3. batfink

      Re: It doesn't matter if it's war

      "Assuming the attack can be pinned on Russia" is a big assumption, especially considering that Russian companies were hit by NotPetya as well. Yes of course the US & UK have pointed the finger at Russia but that's hardly unexpected. Had it been this week the Iranians would've been fingered.

      Yes it certainly seems to have been a "hostile act", as it seems to just have been destructive. That in itself is a bit weird for a nation-state-sponsored attack. What would be the point? That feels more like non-state action to me.

      However of course there is always the cock-up vs conspiracy angle. Fuck-up with the ransomware part perhaps (non-state)?? Fuck-up with it getting loose way beyond its target perhaps (state)??

      So, pass the popcorn please...

    4. Natasha Gooden

      Re: It doesn't matter if it's war

      Whilst the case itself does concern a contractual dispute, the journal wanted to highlight how within the domestic or international legal field many terms are used to describe 'cyber-attacks', 'cyber hostilities' and also 'cyber warfare'. Often the terms are used interchangeably by different actors as there is currently no consensus surrounding definitions.

      With regards to the International Humanitarian Law aspect, the journal portrays the significant change within modern warfare and also how the lines of conflict and hostilities are being blurred beyond the parameters of traditional regulation. Where a range of actors, such as private companies and other Non-State Actors are affected by cyber-attacks. It reflects the current legal hurdles both States and private companies face in protecting and responding to cyber-attacks - where currently there are no clear cut answers in the international legal framework.

      To date, States have been reluctant to define cyber warfare, therefore the courts ruling may provide insight into further understanding at the international level and also bring together understanding from different legal regimes and also different fields that attempt to regualte cyber issues.

  8. Doctor Syntax Silver badge

    "If Zurich's approach is successful, it could also lead to a loss of confidence in cyber insurance as an investment – ironically devaluing Zurich's product."

    Even more ironically it might mean ransomware doing less damage as businesses realise they have to protect themselves instead of just relying on insurance.

  9. Anonymous Coward
    Anonymous Coward

    Were Zurich the insuer. or *re* insurer ?

    $76 million sounds like a lot under a regular policy. Most policies start hiving things off to reinsurers at about £10,000,000. At which point the insurer has done their job (and accepted the claim) and it's the re-insurer that stands to lose. Hence they fight harder.

    Have to be AC for this, but I worked for the company that insured the car driven by the gentleman who drifted off the road (literally) and crashed an intercity - killing some. That burst through the £10,000,000 policy in no time (you'd be amazed how expensive trains are - far more than peoples lives) and the re-insurer went all the way to the high court to try and wriggle out of it.

    (They failed by the way - the court held that Network Rail could not be held liable for something as unexpected as a car coming off the road where it did ....)

    1. John Brown (no body) Silver badge

      Re: Were Zurich the insuer. or *re* insurer ?

      "(They failed by the way - the court held that Network Rail could not be held liable for something as unexpected as a car coming off the road where it did ....)"

      ...and the renewal premium probably went up massively so I guess that's why Network Rail spent millions putting new stronger barriers along the roads wherever a road bridged a railway line to bring it back down again by demonstrating the extra safety measures.

      It's the usual response which normally gets blamed on "'elf'n'safety" when the reality is it's usually the insurance companies forcing people to spend more to minimise the risk, sometimes beyond economic viability.

  10. usbac

    Prove it

    I think the hardest part for Zurich is going to be to prove Russia's state involvement. At least to the standards of evidence that a court of law requires. It's one thing for the US government to say they "think" Russia was involved, but where does Zurich think they are going to get documented evidence that shows direct control by Russia's government and that meets "the preponderance of evidence" requirement of a civil court?

    1. Claverhouse Silver badge

      Re: Prove it

      I think the word of the President of The United States is enough for any court.

      Be he Reagan, W., Obama, or Donald, the Free World trusts these men implicitly.

      1. Synkronicity

        Re: Prove it

        You should add an '/s' or some other identifier to let us know you are being sarcastic rather than idiotic.

    2. tfewster

      Re: Prove it

      Cyber insurance policies can reject claims for all Cyber attacks because Government Agencies tell us all Cyber attacks are state sponsored by baddies (usually supposedly "technologically advanced" countries like Iran or North Korea [total coincidence that we're against them for other reasons], but not China [because we're really scared of them]).

    3. Natasha Gooden

      Re: Prove it

      I also agree - identifying and proving Russia's State involvement will be complex.

      Attributing a cyber attack to any State or private entity is a notorious challenge in cyberspace and often very political in nature within international law. This may be why States have not found that cyber-attacks/cyber wars to have reached the thresholds to date. Whilst then allowing States may then use cyber means in their favour to continue without facing a legal burden. The court proceedings and the outcome will be highly awaited.

  11. Anonymous Coward
    Anonymous Coward

    Cyber war

    Some folks hit by ransomware actually believe that military strikes should be considered a "proportional" response.

    1. c1ue

      Re: Cyber war

      What would you hit? bitcoin servers or protonmail?

  12. This post has been deleted by its author

  13. Anonymous Coward

    Cyberwarfare target is the network itself?

    The defining feature of cyberwarfare is the fact that both the weapon and the target is the network itself.”

    With all due respect I must beg to differ. That would be like blaming the highway for car crashes. In actuality, the defining targets are the computing systems connected at either end.

    1. Glen 1

      Re: Cyberwarfare target is the network itself?

      Depends on how you define network. A switch is simultaneously part of the network, and one of the targeted computing systems plugged in at either end.

      In many (most?) contexts, the network 'begins' at whatever pipe you have to the internet. From that point in, there is at least the *possibility* of some control.

  14. This post has been deleted by its author

  15. defiler

    If this is accepted by the court as an act of war, that impress that we are constantly on a state of conflict; permanently at war.

    How do you think the military industrial complex (using that term despite the risk of everyone thinking I'm wearing a tinfoil hat) will respond to that? How will governments respond to that?

    Do I get paid a combat allowance?

    1. Natasha Gooden

      The case itself does raise many questions and highlights how there is no clear cut position between 'cyberwar' and 'cyber peace'.

      States themselves have been reluctant to define any acts as meeting the threshold for war. Which could be due to the complexities of the regulation which would then become applicable to the situations. As it can be seen in the article cyber activities do push the boundaries of the traditional regulation.

      A further problem you highlighted is in regard to States/governments and how to respond. Most cyber activities are deemed below the threshold therefore with regard to an international legal response; countermeasures are becoming the most suitable response, although they are not without their legal burdens. However, with the involvement of private eneities, and this case directly this position is only challenged further. Therefore, due to the legal and policial ramifications it will cause it may be unlikely that the court does find the attacks to be an act of war.

  16. Adrian 4
    Big Brother

    We are at war with Eastasia. We have always been at war with Eastasia.

  17. skwdenyer

    Not sure why Mondelez doesn’t also sue the NSA under the Federal Torts Claims Act?

  18. Alan Brown Silver badge

    The only real surprise

    Is that this rejection clause hasn't been used up until now.

    Due diligence should certainly be being used more often by underwriters as cause for rejection - and failing to apply critical patches (with subsequent damages or ICO fines(*)) would almost certainly be grounds to invalidate cover.

    (*) Don't forget that the ICO whacked BA with massive fines only partially due to the hack and mostly due to the massively shonky website security they found when they inspected it - again, due diligence matters and what the ICO found would have been enough for the underwriters to tear up the liability policy. BA then trying to minimise it by saying "noone got their cards tapped" - which was clearly provable false - should have resulted in a recall, re-examination and further fines added. In a lot of countries that press release would have resulted in an automatic tripling of the fine.

  19. EnviableOne

    Mondelez are claiming for the devices Borked by Nyetia, not anything to do with the data so ICO/other data protection agencies are not involved

    The issue is wether Zurich can prove beyond a reasonable doubt (very hard with cyber attribution) that the Act was by a "government or sovereign power; the military, naval, or air force; or agent or authority"

    I can see Zurich being sent home with their tales between their legs

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like