Cyberlaw wonks squint at NotPetya insurance smackdown: Should 'war exclusion' clauses apply to network hacks? The defining feature of cyberwarfare is the fact that both the weapon and the target is the network itself. In June 2017, the notorious file-scrambling software nasty NotPetya caused global havoc that affected government agencies, power suppliers, healthcare providers and big biz. The ransomware sought out vulnerabilities and …
That is how most insurance companies work.
Many years ago I spent some time at a large UK insurance outfit [think: nodding dog]. They had 2 floors where people earned commission: sales, well that I expected; claims - as understood it part of their commission was on how much less they could persuade claimants to accept as settlement, these people where experts up against insurance novices (like you & me) and convinced large numbers to agree less than they rightfully should have had.
The job is Loss Adjustment, i e. finding a way of reducing pay outs.
All insurance companies are weasels, having wirked a little in the Industry, I would describe them as very similar to casinos where the numbers always favour the house except for that odd occasion where a winner breaks the bank.
Then they change the rules so that it can never happen again.
A good few years ago a mate was getting into photography in a big way and spent loads of money on cameras and gear.
He called his insurance company (on the phone) and added "valuable items in transit" cover.
When his car was broken into and his gear stolen the insurance co. refused the claim - because he couldn't prove he was transporting his high value items to or from a safety deposit box, as specified in the small print.
be that a formal war or guerilla warfare.
It would make organisations take security seriously. Currently they can pay lip service knowing that insurance will pick up the tab. This can be thought cheaper than doing a proper job.
It should also lead to choosing business platforms that are less prone to such attacks (I'm looking at you Microsoft) and better staff training.
Also: in many cases the real people affected are not compensated: if a customer's data is exfiltrated and sold to the highest bidder it can hurt. Most customers suffer little ill effect, some are hit hard - it is difficult to tie one person's woes back to a particular organisation's cyber attack.
If it is not found to be an act of war: then expect more insurance companies to add this sort of thing to the list of exclusion clauses.
The interesting nature of the case highlights how a cyber attack can have many different effects and legal implications.
Whilst for companies and from a consumer protection perspective it may be attractive for the court to rule in favour of there being an act of war.
However, from the international law perspective extending the traditional boundaries regulation hostilities and warfare could be detrimental. To date, States have not affirmed that any cyber-attacks have reached the level of cyberwarfare. Attribution within international law is extremely challenging in the cyber domain and more often portray political agendas. Therefore, from an international legal perspective, it would not be surprising if the attack is not found to be an act of war.
so doesn't anyone here recall the Jerusalem virus then
it was before my time [1987 IIRC] but it was a classic, and could still, I imagine, give some systems a kicking if it ever gets an 'upgrade'
https://en.wikipedia.org/wiki/Jerusalem_(computer_virus)
I do ... I improved it and released it into the wild.
My version had no payload (I'm not a moron) but simply infected all .COM files on a computer and when it could no longer find any, it quietly *un*infected them again until the machine was clean. By which time (hopefully) it had spread.
It was part of a Proof Of Concept that you could create a 2-part virus, with each part harmless, until combined on the same machine.
Whether anyone took up my baton, I can't say. the absence of any reports of malware working that way today suggests not.
Zurich has spent a lot of time stating that it has a cyber insurance policy which Mondelez did not purchase, instead claiming the damage it suffered from NotPetya against a property insurance policy. The "physical loss or damage" clause and how that's interpreted is key, no?
Also, a lot of cyber insurance policies will be the requirement on companies to keep their systems patched - and Microsoft had issued a patch for the SMB vulnerability months before. Surely it can't be that Mondelez (revenue $25bn) claims it had exercised due diligence?
"all risks of physical loss or damage to electronic data, programs, or software, including loss or damage caused by the malicious introduction of a machine code or instruction."
Sorry, but that sounds like Cyber insurance to me. And Zurich haven't tried the "due diligence" getout, but went for the "act of war" excuse. So that's what we're discussing.
Mondelez isn't claiming for damage "to electronic data, programs, or software" though, it's claiming for damage to "electronic data processing equipment or media" as the complaint states in paragraph eight. It is certainly a matter of interpretation. And it isn't cyber insurance because Zurich has a specific policy for that which would probably have required Mondelez to patch in a reasonable amount of time.
Who cares about what some treaty says about war?
As far as the insurance policy goes, the wording (as quoted in the article) is: "hostile or warlike action in time of peace or war" by "government or sovereign power; the military, naval, or air force; or agent or authority"
The relevant bit is: "hostile ... action ..." by "government or sovereign power; the military, naval, or air force; or agent or authority".
This was clearly a hostile action. Assuming the attack can be pinned on Russia, their armed forces or their agents, then the policy exclusion applies, and the insurer won't have to pay.
Arguing over whether it's "warlike" misses the point. Arguing over whether some other treaty means also completely misses the point. The contract means what it says.
If the insurer had wanted to exclude "armed conflict as defined under International Humanitarian Law" then they could have said that in the contract, but they didn't. They deliberately made the choice to have a much wider exclusion, and their customer accepted that.
"Assuming the attack can be pinned on Russia" is a big assumption, especially considering that Russian companies were hit by NotPetya as well. Yes of course the US & UK have pointed the finger at Russia but that's hardly unexpected. Had it been this week the Iranians would've been fingered.
Yes it certainly seems to have been a "hostile act", as it seems to just have been destructive. That in itself is a bit weird for a nation-state-sponsored attack. What would be the point? That feels more like non-state action to me.
However of course there is always the cock-up vs conspiracy angle. Fuck-up with the ransomware part perhaps (non-state)?? Fuck-up with it getting loose way beyond its target perhaps (state)??
So, pass the popcorn please...
Whilst the case itself does concern a contractual dispute, the journal wanted to highlight how within the domestic or international legal field many terms are used to describe 'cyber-attacks', 'cyber hostilities' and also 'cyber warfare'. Often the terms are used interchangeably by different actors as there is currently no consensus surrounding definitions.
With regards to the International Humanitarian Law aspect, the journal portrays the significant change within modern warfare and also how the lines of conflict and hostilities are being blurred beyond the parameters of traditional regulation. Where a range of actors, such as private companies and other Non-State Actors are affected by cyber-attacks. It reflects the current legal hurdles both States and private companies face in protecting and responding to cyber-attacks - where currently there are no clear cut answers in the international legal framework.
To date, States have been reluctant to define cyber warfare, therefore the courts ruling may provide insight into further understanding at the international level and also bring together understanding from different legal regimes and also different fields that attempt to regualte cyber issues.
"If Zurich's approach is successful, it could also lead to a loss of confidence in cyber insurance as an investment – ironically devaluing Zurich's product."
Even more ironically it might mean ransomware doing less damage as businesses realise they have to protect themselves instead of just relying on insurance.
$76 million sounds like a lot under a regular policy. Most policies start hiving things off to reinsurers at about £10,000,000. At which point the insurer has done their job (and accepted the claim) and it's the re-insurer that stands to lose. Hence they fight harder.
Have to be AC for this, but I worked for the company that insured the car driven by the gentleman who drifted off the road (literally) and crashed an intercity - killing some. That burst through the £10,000,000 policy in no time (you'd be amazed how expensive trains are - far more than peoples lives) and the re-insurer went all the way to the high court to try and wriggle out of it.
(They failed by the way - the court held that Network Rail could not be held liable for something as unexpected as a car coming off the road where it did ....)
"(They failed by the way - the court held that Network Rail could not be held liable for something as unexpected as a car coming off the road where it did ....)"
...and the renewal premium probably went up massively so I guess that's why Network Rail spent millions putting new stronger barriers along the roads wherever a road bridged a railway line to bring it back down again by demonstrating the extra safety measures.
It's the usual response which normally gets blamed on "'elf'n'safety" when the reality is it's usually the insurance companies forcing people to spend more to minimise the risk, sometimes beyond economic viability.
I think the hardest part for Zurich is going to be to prove Russia's state involvement. At least to the standards of evidence that a court of law requires. It's one thing for the US government to say they "think" Russia was involved, but where does Zurich think they are going to get documented evidence that shows direct control by Russia's government and that meets "the preponderance of evidence" requirement of a civil court?
Cyber insurance policies can reject claims for all Cyber attacks because Government Agencies tell us all Cyber attacks are state sponsored by baddies (usually supposedly "technologically advanced" countries like Iran or North Korea [total coincidence that we're against them for other reasons], but not China [because we're really scared of them]).
I also agree - identifying and proving Russia's State involvement will be complex.
Attributing a cyber attack to any State or private entity is a notorious challenge in cyberspace and often very political in nature within international law. This may be why States have not found that cyber-attacks/cyber wars to have reached the thresholds to date. Whilst then allowing States may then use cyber means in their favour to continue without facing a legal burden. The court proceedings and the outcome will be highly awaited.
This post has been deleted by its author
“The defining feature of cyberwarfare is the fact that both the weapon and the target is the network itself.”
With all due respect I must beg to differ. That would be like blaming the highway for car crashes. In actuality, the defining targets are the computing systems connected at either end.
Depends on how you define network. A switch is simultaneously part of the network, and one of the targeted computing systems plugged in at either end.
In many (most?) contexts, the network 'begins' at whatever pipe you have to the internet. From that point in, there is at least the *possibility* of some control.
This post has been deleted by its author
If this is accepted by the court as an act of war, that impress that we are constantly on a state of conflict; permanently at war.
How do you think the military industrial complex (using that term despite the risk of everyone thinking I'm wearing a tinfoil hat) will respond to that? How will governments respond to that?
Do I get paid a combat allowance?
The case itself does raise many questions and highlights how there is no clear cut position between 'cyberwar' and 'cyber peace'.
States themselves have been reluctant to define any acts as meeting the threshold for war. Which could be due to the complexities of the regulation which would then become applicable to the situations. As it can be seen in the article cyber activities do push the boundaries of the traditional regulation.
A further problem you highlighted is in regard to States/governments and how to respond. Most cyber activities are deemed below the threshold therefore with regard to an international legal response; countermeasures are becoming the most suitable response, although they are not without their legal burdens. However, with the involvement of private eneities, and this case directly this position is only challenged further. Therefore, due to the legal and policial ramifications it will cause it may be unlikely that the court does find the attacks to be an act of war.
Is that this rejection clause hasn't been used up until now.
Due diligence should certainly be being used more often by underwriters as cause for rejection - and failing to apply critical patches (with subsequent damages or ICO fines(*)) would almost certainly be grounds to invalidate cover.
(*) Don't forget that the ICO whacked BA with massive fines only partially due to the hack and mostly due to the massively shonky website security they found when they inspected it - again, due diligence matters and what the ICO found would have been enough for the underwriters to tear up the liability policy. BA then trying to minimise it by saying "noone got their cards tapped" - which was clearly provable false - should have resulted in a recall, re-examination and further fines added. In a lot of countries that press release would have resulted in an automatic tripling of the fine.
Mondelez are claiming for the devices Borked by Nyetia, not anything to do with the data so ICO/other data protection agencies are not involved
The issue is wether Zurich can prove beyond a reasonable doubt (very hard with cyber attribution) that the Act was by a "government or sovereign power; the military, naval, or air force; or agent or authority"
I can see Zurich being sent home with their tales between their legs
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
