Cybersecurity And Insurance

Insurance is a funny business. Life insurance, for example, is essentially betting someone you will die before your time. With the recent focus on companies getting hacked, it isn’t surprising that cybersecurity insurance is now big business. Get hacked and get paid. Maybe.

The reason I say maybe is because of the recent court battle between Zurich and Mondelez. Never heard of them? Zurich is a big insurance company and Mondelez owns brands like Nabisco, Oreo, and Trident chewing gum, among others.

It all started with the NotPetya ransomware attack in June of 2017. Mondelez is claiming it lost over $100 million because of the incident. But no problem! They have insurance. If they can get the claim paid by Zurich, that is. Let’s dig in and try to see how this will all shake out.

That’s a Lot of Money

By anyone’s standards, $100 million is a pretty big wad of cash. Apparently, Mondelez uses Windows-based software for shipping and order fulfillment. By adding up property damage (lost hard drives, perhaps), supply and distribution disruption, and customer order loss, they came up with the $100 million figure.

You might question whether that number is really accurate. Hard drives could be reformatted, but then again that takes time, so in the age of $80 hard drives, does that really make sense? If a supermarket got Oreos a week late, was that really more than an inconvenience? Were there penalties in their contracts with the customers or are they assuming that a huge number of store-brand cookies were sold when the Oreos ran out? We don’t know.

However, even if you deflated the estimate by an order of magnitude, you are still talking about a $10 million loss. Not small change. Having lived through some major cyberattacks, I can tell you just the time spent in meetings between IT, executives, and lawyers can add up pretty quickly.

Loophole

As you can probably guess, Zurich doesn’t want to pay the claim. Insurance companies have a reputation for being happier to take your payments than to pay your claim, and things like this are why. On the other hand, insurance companies have a fiduciary responsibility to their other customers and their shareholders to not pay out any more than they have to, and we get that too. So other than the “We didn’t know you’d ask for $100 million dollars!” defense, how can Zurich not pay if they agreed to underwrite Mondelez against cyberattacks?

Many insurance policies have a clause in them that excludes things like acts of God and acts of war. Well, the technical term is “force majeure” but it covers things like earthquakes and other natural disasters. The theory is if a tornado comes and destroys hundreds of cars it would be a burden on the insurance company to replace them all, so they’d have to charge you more. Since you don’t think that’s likely, you’ll take the force majeure exclusion and save a bit.

If you have a homeowner’s policy, you probably don’t want a force majeure exclusion. However, in the United States, you have to get an exclusion for flooding — the flood insurance is available through the government. In some areas prone to things like hurricanes, that will also be excluded and you’ll have to get a separate policy (usually issued by the local government) to cover that.

The act of war is a bit trickier. The logic is the same. If an army marches through your town and burns everything to the ground — or a nuke does the job remotely — the company would be on the hook for so much that they would have to raise premiums quite a bit. In the United States, though, the chances of that seem so slim that no one usually minds. If a nuke hits your house, you probably aren’t going to care anymore anyway.

State Sponsored

As usual, though, trying to apply old ideas to new technology causes problems. If a guy runs a truck into your house, it’s usually very clear that it wasn’t an act of war. Of course, if that guy was a member of the Ejército Nacional de la República Bolivariana de Venezuela (that is, the Venezuelan army) and he’s just visiting his brother in your town, the insurance company could try to claim it was covered under the act of war exclusion, although we would bet you could win that easily in court, so they probably wouldn’t.

According to media reports, the exact language in the insurance policy covers “hostile or warlike action in time of peace or war” and includes any agent of any government (including a de facto government) or military force. So while the Captain on vacation driving his truck into your house is probably going to pay out, if the National Guard accidentally sends an RPG into your camper, you’ll have to take that up with them.

The problem is, in a world where the battlefield is the Internet, how does this apply? There is a lot of evidence that NotPetya was state-sponsored by Russia and targeted Ukraine. The fact that it spread globally may even have been a mistake. Russia, of course, denies this.

Lesson Learned

I’m not a lawyer or an insurance expert, but this whole thing made me think. If you are buying cybersecurity insurance, maybe you don’t want an act of war exclusion. That’s going to drive up costs, but nearly any widespread cyberattack from another country could be argued as an act of war. Especially since in so many cases, these acts are perpetrated by persons unknown. Did the Russians create NotPetya? Did they deploy it? Did they hire some hacker group to do it for them? Does that matter? What if a hacker did it and then says they were paid by some government? How would you ever prove one way or the other?

Or do you take the money you’d pay for insurance and pour it into better defenses? That would make sense except for one thing. In the modern world, the weakest part of your defense is usually people. People fall for phishing schemes. People write down passwords on sticky notes. People send their passwords in plain e-mails and use 1234 as PIN numbers. All the technical measures in the world won’t solve stupid. So while you can minimize problems, you can’t get to zero cyber incidents any more than you can get to zero car accidents as long as you let people drive cars.

Still, it makes you wonder why you would accept an act of war exclusion in a policy like this. Regardless of the actual cause of NotPetya, it is certainly easy to imagine a government launching a cyberattack. In fact, given the level of sophistication it takes to launch a major attack, it is almost more likely to be state-sponsored.

New Frontiers

While this is a hack in the sense that many people use the word, it isn’t one in our lexicon. However, Hackaday readers tend to be sources of technical information for their families, friends, and communities. We’ve seen how technology has impacted laws and customs over the years ranging from intellectual property to expectations of privacy.

One test I like to apply is what would happen if you took the tech aspect out of it. After all, there is no new cybercrime. Just old fashioned crime on the Internet. People have impersonated other people, run confidence games, and held things for ransom for centuries. It is just faster and easier on the Internet.

I’m not sure what the final answer is, at least not with the Internet the way it is today. However, I am willing to bet that whatever happens, some of our kind of hackers will be involved in the solution.

45 thoughts on “Cybersecurity And Insurance”

  1. Ah yes, the “a hard drive only costs $80!”. Plus the cost of (weekend, 24×7, holiday) labor to locate all the systems, pull the hard drive and reinstall the hard drive, then recover from backu…oh right, backups are really expensive across 10,000 systems. You have backups for maybe 500. So now you have to reinstall the OS and find the software that was lost. Assuming you still have the original media/downloads and license keys. If you don’t then you have to go searching the Internet and discover that the company you originally bought from was purchased by another company and all evidence of the original software is now gone so the only place you can get the software are sites that end in .ru or .cn and that’s not going to happen. So now you need to find software/hardware that does the same thing, and that’s not cheap. In the meantime, all the employees that would be using that equipment are now sitting idle because they have nothing to do and not only are you spending money on that, you’re not producing anything to sell.

    I may or may not have been involved in recovery for another company that was hit with a cyberattack. They were paid by their insurance company.

      1. Desktops? Sure, those were rebuilt somewhat quickly. The other systems I’m referring to go into specialized areas and are a crazy mix of hardware/OS/custom software. No consistency at all to them.

    1. And I can imagine an insurance policy that will deny any claim where reasonable precautions like good backups and license keystores are not used because you did not mitigate your damages.

  2. I hope your article inspires thoughtful responses toward improved cybersecurity.
    Yes, the human element is the biggest avenue for security breaches, I’ve fallen for some myself.
    (Not that I’ve had a virus lock up my PC, or a major violation of my (non-existent) privacy, but I am “behind the curve” when it comes to diligently/pro-actively protecting my interests.)

    1. There’s always becoming a hermit. No information to take. No money to swipe. Just your life, and so far “cyber” hasn’t figured out a way to take that. Renting a drone for that kind of work.

      Far as security, there’s the “safety in numbers”, except as spam has demonstrated with the push of a button, everyone’s a victim.

      1. “become a hermit” is not a very good option if you have family. The surest way to rot in hell forever is to “become a hermit” and die unexpectedly, leaving your loved ones to clean up after you.

  3. I’d be curious to know how the consultancy side of insurance ends up being involved in ‘cybersecurity’ insurance.

    I don’t doubt that you’ll be able to buy ‘unconditional’ ‘cybersecurity’ insurance; if you are willing to pay enough and the maximum payout is capped; underwriting such insurance is pretty much gambling, but the financial sector seems to be OK with that, if the odds are right.

    More interesting, though, is the notion of ‘cybersecurity’ insurance where the arrangement is more along the lines of hiring a consultant to tell you what you need to fix; but with the added incentive on the customer side that you aren’t eligible for payout in the event of an incident if you haven’t fixed stuff, and on the consultant side that you are on the hook for (significant) payouts if the client takes your advice and still gets owned.

    As a consumer-level purchaser of insurance I’m…deeply unsympathetic…to the endlessly creative efforts of insurers to weasel out of paying up; but I suspect that most realistic ‘cybersecurity’ insurance arrangements will have to be conditional: “we’re just going to keep doing what we do, pay us if we get owned” is not an attractive underwriting opportunity; while “we are buzzword compliant security consultants!” is an area of business likely to be considerably more honest and useful if there is actually a painful cost of failure.

    1. Insurance may do for security what it’s done for fire. Motivating people through greed, both the payer, and the payee, especially since “greater good” has a low success rate, and usually requires force, implicit though it may be.

  4. IANAL but I don’t think an insurance company is to decide what is and what isn’t an act of war. Wars happen between countries. So if one country takes an action against another, it is the latter’s to decide if it was an act of war or not. If the US government (or parliament) didn’t declare a war against Russia after NotPetya, then an insurance company as well as a judge shouldn’t either. Act of terror is IMHO the best the company can get in court.

    1. From the article it seems that the insurance company, in typical style, worded things vaguely enough to include hostile or warlike acts without an actual declaration of war. That’s how they try to weasel out of the claim. Law isn’t always about logic, but even with the vague wording it seems to mean the insurance company has to prove there’s a government agent or government-like perpetrator in this case. There may be evidence suggesting there is, but it seems they need to actually prove it. Considering the nature of the game, even the actual experts have much trouble doing this, which is why I suspect their arguments will be thrown out. But hey, from their perspective it can’t hurt to try.

      1. Law is most surely always about logic, vague wording is always intentional. If you sign a contract with vague wording then you have only yourself to blame for your lack of satisfaction. Golly you didn’t consider the added court costs associated with suing the insurer when you bought that cut-rate policy on a whim? Blame the experts!

  5. It seems to me that paying for cybersecurity insurance is more like an admission that you aren’t properly securing your systems or have proper backup strategies in place. Don’t get me wrong, proper security is expensive but this seems like a monetary shortcut for IT that instead relies on an existing infrastructure of lawyers.

    1. No it is risk management. By analogy, buying car insurance isn’t an admission that you are a dangerous driver. You can’t tell a fleet manager, you can’t have any wrecks in the fleet. Wrecks happen despite our best measures to prevent. Cyber is the same way. ESPECIALLY because all your stuff goes out the window with one stupid person or one person who is compromised because they don’t want people to know they surf hamster videos on YouTube or whatever.

      Even the much vaunted two-key has been handled by asking someone for their password and then asking them for their two factor key. Sure, it takes two levels of phishing, but still. Hardware keys are better, but still subject to compromise. Also, there’s the “inside actor” threat that everyone worries about. You can’t easily protect against that, either.

    2. “It seems to me that paying for cybersecurity insurance is more like an admission that you aren’t properly securing your systems”…

      This is most definitely not the case. You can follow ***ALL*** security protocols in place to date and tomorrow some hacker will find a loophole and get through ***BEFORE*** the security protocols have been updated to cope with the loophole. The unforeseen is what you are paying to guard against. You can guarantee that the policy will be very strict about what security measures the policy holder has to observe in order to receive cover. They will probably have to put additional procedures in place just to be eligible for the policy.

      1. You are 100% correct. There are best practices, and there are also almost always unavoidable user compliance issues. It is a much harder seat to sit in than it is to armchair quarterback. It is much easier watching one or two home machines than thousands of machines in a company’s domain. Simple things like Windows updates need to be vetted to ensure they do not interfere with corporate standard software for example. And updates on servers and networking gear need to be done around people requiring them, which can be very challenging. It is interesting, but one number I never see people float is the annual cost (outside of the IT budget) for patches and upgrades in terms of system downtime and work loss.

        1. ” It is interesting, but one number I never see people float is the annual cost (outside of the IT budget) for patches and upgrades in terms of system downtime and work loss.”

          Bookkeeping costs money.

  6. “That would make sense except for one thing. In the modern world, the weakest part of your defense is usually people.”

    Connecting to a global network is usually like that*. At least back in the days of walls and moats someone really had to work hard at taking your treasure.

    *No one seems to ask if they should in the first place. It’s always assumed, “we can” constitutes “we should”.

  7. Seems like the Russians get scapegoated for a lot of things. If their government is so involved, I would think they’d be very hard to catch in the act, with all their experience. Now, I can see private citizens, college kids, doing a lot of this stuff, for fun and profit.

    I’ve always disliked all insurance, anxious to get your money, sell you coverage you don’t need, policies worded, so you need a lawyer (not a fan) to interpret it, then you have to fight to id, if you need to file a claim. Most of the time, it seems like insurance encourages people to be reckless and irresponsible. They just don’t care, they’re covered, they paid their premium, entitled to not be responsible.

    $100 million might not be all that inflated, since their business computer was breached, whether or not any records were stolen, they would still be expected to contact each person affected, possibly offer some sort of credit/identity monitoring. My bank had an issue, they offered credit monitoring through Experian, which was only a few months after they got breached. I passed on that offer, besides, I don’t use credit, so my score is about as low as they go, who wants to use my ID? After I paid off my house, I found I was making way more than I spend, no trouble paying cash. Credit is just more people putting their grubby hands in your cookie jar, just begging to catch something…

    1. ” After I paid off my house, I found I was making way more than I spend, no trouble paying cash. Credit is just more people putting their grubby hands in your cookie jar, just begging to catch something…”

      Saving naturally, but really money in motion (hiding it in mattresses doesn’t work) is how one becomes rich. Credit is a tool towards that goal.

      1. but one does not need to be rich .. The more you have the more other people want to take it away.

        Amass great amounts of wealth and then the kids fight over it and then only the solicitors get anything out of it

      2. Depends on how you measure ‘wealth’, what you value most. I value the reduced stress, of having no debts, and few bills to sit down and pay every month. I have plenty of hobbies, balancing the books isn’t one of them. Credit is work, you want more credit, you have to use it, and be careful about how. I did have credit cards and loans when I was younger, just figured I could do as well, without it. Paying off my house, made it possible to pay off all my debt. It was like getting a huge raise, don’t have to work to save up for anything, not paycheck-paycheck at times. That is what I value, my wealth. Money is the root of all evil, or so they say. You can’t take it with you, and leaving it behind tends to cause more trouble, for those it’s given. Kids that inherit a lot of money, tend to be more social, meaning they drink, take drugs, the cash-cow for addicts. They buy all the cool things they always wanted, end up losing them. Eventually, they have to earn money for themselves, and no experience on how to do that, and it’s tough too. I will leave a little behind, to remember me by, but think everyone needs to make their own journey through life, earn their own experiences.

    2. Using credit wisely is one of the best things in this country. I have had credit cards for many decades now. I have never paid interest. I can buy products from around the world. If I have a problem with the transaction the credit card company has my back. My card also gives me cash back. This adds up and every few years that becomes a new toy. I also have assorted protections. Loss and theft protection. They double most warranties. I think they still have price protection as well, though I have not used that. I have used the other features. There is some paperwork to go through, but it is worth it. You have none of these features with cash.

      I am not dissing cash. Cash has its place too. If you want to buy something on CL for less than asked, showing up with a big ol wad of $20’s makes it hard to say no to for a lot of sellers. But you as a buyer have no protections on that transaction.

      Cash and credit are not mutually exclusive and the smart use of credit has a lot of upsides.

    3. It doesn’t matter if you don’t use credit. The point of the credit monitoring is that someone else may take out credit in your name, leaving you liable for it when they run. Monitoring means if someone takes out credit you can immediately say “that’s not me!”

    1. I was thinking the same. A lot of petty crimes don’t get investigated by the police–they don’t really care and even though they get all the credit for defending society they deserve almost none of it–it’s the insurance companies which do the job most of the time. Gotta try and reduce future claims.

      Maybe once some cyberattack insurance firms get big and competitive enough they’ll be the ones to finally keep security up to snuff with all these companies these days who never give a single shit until it’s too late, and then never face consequences anyway. Doesn’t seem ideal, but somebody’s got to do something. These breaches ain’t cheap.

    1. An insurance company is like a casino… the odds always favour the house. So on average you will give them more than they give you. Yes there will be the occasional seemingly big winner but when you consider the real cost of the payout (e.g. death of spouse, loss of home and contents, loss of income etc) what has the big winner really gained.

  8. While I see others have covered the “was war declared” side; I wonder if the insurance company would not need to prove this was a “war-like act” versus what is now “modern violence” in technology.

    Twenty years ago? Attacks like this would have been obviously state-sponsored. But that was in the era of naming a self-propagating email after a stripper. Now, “do it for the lulz” includes not just finding an open SMTP and sending an email from god@heaven (my personal favorite when someone told me “email isn’t hackable like that”) but has branched out to stealing cryptocurrency wallets, and phreaking in to FBI telephone calls.

    Who defines “act of war*” when half of the trolls are at war** with the other half at any given time?

    *nation states
    **lulz

    1. > email isn’t hackable like that
      I was surprised when a client told me they were going to e-sign and that it was “totally secure.” I asked them how they authenticate it is me. They said, “Well, you get a link in your e-mail and only you can click it.” I said, “What if someone hacks my e-mail?” “No, the link is only for you. It won’t work for anyone else?”

      Me: How does that work?
      Them: I don’t know, but it does.
      Me: Ok can you generate a document for Joe, and have Joe forward the sign link to me and if I can’t sign it, I will be impressed and shut up.
      Them: Sure. Here Joe.
      Joe: Here’s my link.
      Me: Signed as Joe.
      Them: Uh….

      So they asked me to call the e-sign vendor who became very angry and told me they were used by the military (as if that actually meant something). As a result, the client decided to not use e-sign for things that exceeded the amount they could claim on insurance.

      By the way, e-sign can work. Last few times I’ve bought a car, I had to verify obscure banking information to prove my identity. I am really impressed with the algorithm, because it will say something like:

      In 1993 which car did you purchase?
      A 1992 Honda Accord
      A 1976 Gremlin
      A 1980 Ford F-100

      So the reason I am impressed is it must know you don’t remember exactly so it has to get the other two choices to be wildly off. I mean if it said:
      A 1980 Ford F-100
      A 1981 Ford F-100
      A 1980 Ford F-100X

      You would have to think… um…. I am not sure…. The right thing, of course, is to issue a real cert to people like the military actually does with a CAC card.

        1. I was going to be soooo disappointed if someone didn’t say it. I actually first put AMC Gremlins and a Pacer in there but I couldn’t remember the years for those either.

  9. My mom has dementia and a flip phone. It quit working the other day and even though she doesn’t recall, it appears to have gotten submerged in water. So I bought another one for $44. Amazon asked me if I wanted the extra warranty. I usually skip those but I thought — maybe a good idea. So that was $11 with an option to cancel in 30 days. They send the documents and it has a $25 deductible. So my math says… $11+25 = 36 so if I need to buy another $44 phone I get it for free… hmm…. canceled.

    (well this was in reply to the comment about the casino but I flubbed it somehow).

  10. When I speak to people who have had past cyber insurance claims denied, it’s usually because the insurance company found the company failed to have an active cybersecurity strategy or weak defense. Too many companies, particularly SMBs, think that having cyber insurance and antivirus is enough, which is why “60% of SMBs fold within 6 months of a cyber attack”. (Vistage Research Center 2018) Many business owners blindly purchase cyber insurance and don’t get into the details of inclusions/exceptions. As a side note, I briefly/vaguely mentioned the “Act of War” clause in a Medium article yesterday. Great post. B
