Lloyd’s of London has released four new Cyber War and Cyber Operation Exclusion Clauses. Insurers have been quickly adapting to the rapidly changing cyber landscape. What was initially a very profitable line of business quickly became unsustainable as attacks and claims increased. The industry responded in several ways: reducing coverage, raising prices and increasing requirements for cover. These exclusion clauses are the next step for the industry trying to balance exposure and demand.
The process of attributing a ransomware attack to a perpetrator remains murky, but the new exclusions mean business leaders can no longer rely on insurance companies to bail them out. They must take control of ransomware situations themselves.
Mondelez vs. Zurich
Insurance exclusions for acts of war are common. There are, however, some difficulties in applying these exclusions in the cyber world.
In 2017, NotPetya was aimed (not very carefully) at Ukraine, but it had a massive impact on companies worldwide. Mondelez was hit and claimed on its insurance. Its insurer Zurich refused to payout based on the “war exclusion” clause in its policies.
This is now a legal battle between Mondelez and Zurich. The central issue is whether NotPetya qualified as an act of war.
The new clauses from Lloyd’s favor the insurers with broader definitions of cyber activities that can be excluded from coverage.
An Act of War or Just ‘Cyber Operations’?
There is a lot going on between nation-states that doesn’t qualify as “war.” We are not quite in a cyber-cold war, but there’s undoubtedly a cold-skirmish or two happening and plenty of cold-jostling. Occasionally, that spills over and affects organizations who want to claim their cyber insurance (as with NotPetya).
These new clauses go beyond ‘acts of war’ to include “cyber operations” attributed to a state or “those acting on its behalf.” The parameters for a payout are narrowing, shifting the emphasis for protecting data onto the victims.
The Challenge of Attribution
It’s not always clear who was responsible for an attack. The onus in these clauses is on the government of the claimant to attribute responsibility. Identifying the attackers isn’t simple. There is understandably a lot of deception in cyber warfare, with attackers leaving misleading breadcrumbs pointing to different attackers or nations.
Even if a government can identify the attacker, they may have reasons not to publicly attribute responsibility. Naming and shaming is a tool in the international diplomacy toolbox and will be used (or not) for political purposes. Governments probably aren’t thinking about the impact on insurers when they make these decisions.
If a government doesn’t attribute it, or it “takes an unreasonable length of time to attribute it,” the responsibility to prove attribution falls to the insurer. That seems to be a dangerous case of checking one’s own homework.
Another attribution challenge is that cyber groups are often loosely affiliated with a government. It is not always clear if they are directly controlled by or sponsored by the government. Previously, that distinction would be more important. Again, these new clauses widen the net with “those acting on its behalf” working as a catch-all for these kinds of relationships.
What Does This Mean for Cyber Insurance?
These are all fascinating machinations of the insurance and legal industries, but what does this mean for organizations who just want to protect themselves against the potential losses of a cyber-incident? I’d wager that most organizations who suffer an attack probably don’t care a great deal whether the cause was a criminal trying to profit or collateral damage from a spy agency retaliating against another nation.
The ultimate lesson here is that you need to be prepared to recover from ransomware attacks yourself. You can’t rely on getting your data back if you pay the attacker. You can’t rely on losses being covered by insurance policies. You must take control of the situation yourself to guarantee your organization can survive any attack. In any attack, you have two options – to pay the ransom or recover your data. Make sure you can recover your data.