Insurance is a funny business. Life insurance, for example, is essentially betting someone you will die before your time. With the recent focus on companies getting hacked, it isn’t surprising that cybersecurity insurance is now big business. Get hacked and get paid. Maybe.
The reason I say maybe is because of the recent court battle between Zurich and Mondelez. Never heard of them? Zurich is a big insurance company and Mondelez owns brands like Nabisco, Oreo, and Trident chewing gum, among others.
It all started with the NotPetya ransomware attack in June of 2017. Mondelez is claiming it lost over $100 million dollars because of the incident. But no problem! They have insurance. If they can get the claim paid by Zurich, that is. Let’s dig in and try to see how this will all shake out.
That’s a Lot of Money
By anyone’s standards, $100 million is a pretty big wad of cash. Apparently, Mondelez uses Windows-based software for shipping and order fulfillment. By adding up property damage (lost hard drives, perhaps), supply and distribution disruption, customer order loss they came up with the $100 million figure.
You might argue if that number is really accurate. Hard drives could be reformatted, but then again that takes time so in the age of $80 hard drives, does that really make sense? If a supermarket got Oreos a week late, was that really more than an inconvenience? Were there penalties in their contracts with the customers or are they assuming that a huge number of store-brand cookies were sold when the Oreos ran out? We don’t know.
However, even if you deflated the estimate by an order of magnitude, you are still talking about a $10 million dollar loss. Not small change. Having lived through some major cyberattacks, I can tell you just the time spent in meetings between IT, executives, and lawyers can add up pretty quickly.
As you can probably guess, Zurich isn’t wanting to pay the claim. Insurance companies have a reputation for being happier to take your payments than they are paying your claim, and things like this are why. On the other hand, insurance companies have a fiduciary responsibility to their other customers and their shareholders to not pay out any more than they have to, and we get that too. So other than the “We didn’t know you’d ask for $100 million dollars!” defense, how can Zurich not pay if they agreed to underwrite Mondelez against cyberattacks?
Many insurance policies have a clause in them that excludes things like acts of God and acts of war. Well, the technical term is “force majeure” but it covers things like earthquakes and other natural disasters. The theory is if a tornado comes and destroys 100s of cars it would be a burden on the insurance company to replace them all, so they’d have to charge you more. Since you don’t think that’s likely, you’ll take the force majeure exclusion and save a bit.
If you have a homeowner’s policy, you probably don’t want a force majeure exclusion. However, in the United States, you have to get an exclusion for flooding — the flood insurance is available through the government. In some areas prone to things like hurricanes, that will also be excluded and you’ll have to get a separate policy (usually issued by the local government) to cover that.
The act of war is a bit trickier. The logic is the same. If an army marches through your town and burns everything to the ground — or a nuke does the job remotely — the company would be on the hook for so much that they would have to raise premiums quite a bit. In the United States, though, the chances of that seem so slim that no one usually minds. If a nuke hits your house, you probably aren’t going to care anymore anyway.
As usual, though, trying to apply old ideas to new technology causes problems. If a guy runs a truck into your house, that’s usually very clear it wasn’t an act of war. Of course, if that guy was a member of the Ejército Nacional de la República Bolivariana de Venezuela (that is, the Venezuelan army) and he’s just visiting his brother in your town, the insurance company could try to claim it was covered under the act of war exclusion, although we would bet you could win that easily in court, so they probably wouldn’t.
According to media reports, the exact language in the insurance policy covers “hostile or warlike action in time of peace or war” and includes any agent of any government (including a de facto government) or military force. So while the Captain on vacation driving his truck into your house is probably going to pay out, if the National Guard accidentally sends an RPG into your camper, you’ll have to take that up with them.
The problem is, in a world where the battlefield is the Internet, how does this apply. There is a lot of evidence that NotPetya was state-sponsored by Russia and targeted Ukraine. The fact that it spread globally may even have been a mistake. Russia, of course, denies this.
Not being a lawyer or an insurance expert, this whole thing made me think. If you are buying cybersecurity insurance, maybe you don’t want an act of war exclusion. That’s going to drive up costs, but nearly any widespread cyberattack from another country could be argued as an act of war. Especially since in so many cases, these acts are perpetrated by persons unknown. Did the Russians create NotPetya? Did they deploy it? Did they hire some hacker group to do it for them? Does that matter? What if a hacker did it and then says they were paid by some government? How would you ever prove one way or the other?
Or do you take the money you’d pay for insurance and pour it into better defenses? That would make sense except for one thing. In the modern world, the weakest part of your defense is usually people. People fall for phishing schemes. People write down passwords on sticky notes. People send their passwords in plain e-mails and use 1234 as PIN numbers. All the technical measures in the world won’t solve stupid. So while you can minimize problems, you can’t get to zero cyber incidents any more than you can get to zero car accidents as long as you let people drive cars.
Still, it makes you wonder why you would accept an act of war exclusion in a policy like this. Regardless of the actual cause of NotPetya, it is certainly easy to imagine a government launching a cyberattack. In fact, given the level of sophistication it takes to launch a major attack, it is almost more likely to be state-sponsored.
While this is a hack in the sense that many people use the word, it isn’t one in our lexicon. However, Hackaday readers tend to be sources of technical information for their families, friends, and communities. We’ve seen how technology has impacted laws and customs over the years ranging from intellectual property to expectations of privacy.
One test I like to apply is what would happen if you took the tech aspect out of it. After all, there is no new cybercrime. Just old fashioned crime on the Internet. People have impersonated other people, run confidence games, and held things for ransom for centuries. It is just faster and easier on the Internet.
I’m not sure what the final answer is, at least not with the Internet the way it is today. However, I am willing to bet that whatever happens, some of our kind of hackers will be involved in the solution.