By Russ Banham
Risk Management
One of the most devastating cyberattacks in history, NotPetya was unleashed upon thousands of companies in early summer 2017. Its unique infection path and speed of transmission startled even seasoned IT administrators. The malware variant’s first target was a small tax software firm in Ukraine, a country considered a “scorched-earth testing ground for Russian cyberwar tactics,” according to Wired. Like a wildfire on a dry and windy summer day, NotPetya quickly spread to shut down 10% of Ukraine’s computers and a broad swath of its infrastructure, before infecting more than 2,000 companies in 65 countries and causing an estimated $10 billion in total damages.
Danish shipping conglomerate Maersk was among the companies hardest hit. Thousands of servers and applications involved in its day-to-day operations shut down at 600 locations in 130 countries, causing one of the most severe business disruptions from a cyberattack. Reports indicate the disaster ultimately cost the company up to $300 million in lost revenue. Fortunately, most of the loss was covered by insurance.
But another company swept up in the attack was less fortunate. Consumer packaged-goods company Mondelez had purchased a property insurance policy protecting it for business interruption losses, but insurer Zurich American Insurance Company tossed out the claim, pointing to the policy’s war exclusion. Mondelez subsequently sued Zurich American for $100 million.
Many other insureds face the same quandary after purchasing property and liability policies with “silent” or “non-affirmative” cyber coverage. Such policies are not cyber-specific and neither affirm nor exclude coverage for losses from a cyberattack. Some claims have been paid, but others reportedly have been denied.
“It depends on the language of the policy in relation to the particular cyber event and insured peril,” said Daniel B. Garrie, partner and head of the cybersecurity practice at law firm Zeichner Ellman & Krause and arbitrator and mediator for cyber coverage disputes for JAMS. “No two policies have the same contract boilerplate when it comes to a compensable cyber loss.”
Risk managers and their brokers, particularly in the United States, now must confront this state of ambiguity—property and liability policies that may or may not cover cyber losses, and actual cyber insurance policies rendered useless if the war exclusion is triggered. And the unprecedented dispute between Mondelez and Zurich American over applicability of the war exclusion makes the state of cyber insurance coverage even more uncertain.
The burden of proof rests squarely on the shoulders of the insurer. Zurich American has to prove that NotPetya was an act of war perpetrated by Russia, which U.S. intelligence agencies blame for the attack. Until the parties reach a decision, “risk managers should be 100% worried,” Garrie said, especially in light of President Donald Trump’s issuance of Executive Order 13873. “The executive order prohibits high-risk IT transactions with private entities that are under the jurisdiction of a so-called ‘foreign adversary,’” he explained. “The order may have the effect of conflating a private entity with a foreign adversary.”
In other words, authorities may consider individual hackers in Russia, China, North Korea and Iran to be executing attacks on behalf of those countries, whether or not they were actually directed by government authorities. “This could widen the ability for insurers to trigger the war exclusion in their cyber policies,” Garrie said.
If this happens, the next time a major malware crisis erupts, Mondelez may no longer be the outlier. Many companies that assumed their insurance policies covered a cyberattack may learn otherwise as the war exclusion is used to deny their claims. Given the stark financial impact of a prolonged business interruption, that could be a terrifying prospect.
According to the most recent Allianz Risk Barometer, business interruption and cyberattacks are the two biggest perils confronting businesses today. “The report indicates that the two perils are interrelated, in the sense that the primary cause of a business interruption these days is a cyberattack,” said Robert Parisi, managing director and cyber product leader at Marsh. “If companies can’t get insurance to cover the two biggest risks out there, that’s an obvious problem.”
Silent Treatment
Ambiguity surrounding whether non-affirmative property and liability policies to absorb cyber losses has existed for decades. In fact, the development of a standalone cyber insurance market was a response to this uncertainty. Nevertheless, underwriters in both markets are challenged by the ever-changing nature of cyberrisks as hackers continuously up the ante and invent new ways to attack.
“The cyberattacks that have already occurred involving data breaches and ransomware are not a problem going forward—for the most part,” said Dan Burke, national cyber practice leader at Woodruff Sawyer. “Those are played out by this point and non-affirmative policies generally can be counted on to provide coverage.”
Rather, tomorrow’s new cyber scourge is the problem. “Unless you’re buying a dedicated cyber insurance policy covering new and emerging cyberrisks, don’t expect your traditional property and liability policies to pay them,” he cautioned. “Underwriters never contemplated that they would absorb the costs of a significant malware attack like NotPetya. That’s when you run into a gray area.”
Part of the problem is that technology innovations often outpace organizations’ ability to manage the resulting risks. “As new technologies emerge, businesses tend to embrace the technology without thinking about the risks,” said John Farley, a managing director in Gallagher’s cyber liability practice. “Hackers, on the other hand, are always thinking about the risks, the ways to compromise the new technology. As technology products and related cyberrisks evolve, insurance coverages must evolve to keep pace. It’s up to brokers to continually push the insurance markets to address new and emerging risks.”
Some brokers fail in this regard, however. “I was retained by a manufacturing client that wanted me to review its property policy for cyberrisk protections—it had so many loopholes, it didn’t cover anything,” Garrie said. “I’ve also been the mediator called in to settle many cyber coverage disputes. The [insurance] towers in some cases were structured for coverage to kick in at weird levels, meaning the opportunity to collect full damages was limited.”
Given the sheer ingenuity of bad actors to launch increasingly monstrous cyberattacks and the potential for cyber policies to be ineffective, the onus is on brokers and risk managers to build cyberrisk models that incorporate every conceivable loss scenario before reaching out to the insurance and reinsurance markets. But this practice is not routine.
“Having been on the underwriting side myself, I’m positive that if you asked a property underwriter where cyberrisks ranked on the list of their concerns in the last three to five years, they would say toward the bottom,” Burke said. “If you asked them how much risk they had attributed to cyber losses in their pricing, it would be minimal.”
He believes this is because they are focused more on fires, explosions and storms, not malware. “When a new and massive cyberattack occurs and a claim is filed, chances are that property insurers will [deny the claim and] go to court to do battle, arguing they did not underwrite for this risk, much less price it accordingly,” Burke said.
The constantly shifting nature of cyberthreats is also a common broker concern. “As I tell my risk manager clients of all shapes and sizes across the world, with any network architecture, you can build a 10-foot wall to keep the bad actors out, but they’ll bring an 11-foot ladder,” said Jason Warmbir, vice president in the cyber risk transfer unit at Willis Towers Watson. “Unlike cyber underwriters in the trenches, property underwriters don’t understand the intricacies of the different exposures created by new forms of malware. These unique exposures are not intended to be covered by policies outside the cyber market.”
Of course, this sentiment comes a bit late for all the companies depending on their property policies to provide coverage. Cyberattacks could cost companies worldwide as much as $5.2 trillion in damages and lost revenue over the next five years, according to a study by Accenture. Boards of directors of companies caught in the crossfire must take notice. In light of recent event-driven derivative class action lawsuits filed against boards that fail to take action on potential risks they had thought were well-managed, silent cyber could pose potential disaster.
Small wonder Lloyd’s of London is now insisting that syndicates and reinsurers provide coverage clarity in their non-affirmative insurance policies and treaties. The insurance institution’s mandate was compelled by the UK’s Prudential Regulatory Authority, which had called on Lloyd’s and the wider London insurance market to ensure future policies either affirmed or excluded protections for cyberattacks. Lloyd’s will review property polices for compliance beginning on January 1, 2020, and liability policies and reinsurance treaties one year later. “The bottom line in the UK is that insurers and reinsurers can no longer be silent on cyber,” Parisi said.
The question is whether or not U.S. property and liability insurers will unequivocally provide or exclude coverages for cyberattacks. “I’m sure this is being debated in the boardrooms of property insurers right now,” said Phil Edmundson, founder and CEO of managing general agency Corvus Insurance. “On the one hand, property insurers may be able to buy explicit reinsurance for business interruption and contingent business interruption losses, giving them enough capacity to assume cyberrisks. However, if they embed broad exclusions in otherwise affirmative policies, it would leave the standalone cyber insurance market as the only viable insuring alternative.”
That market has grown immeasurably over the past decade. There is as much as $500 million in cyber insurance capacity in the market today, typically structured in a tower of ascending financial limits for different loss layers. “The cyber insurance community has stepped up and is offering what I would describe as fairly broad business interruption and contingent business interruption insurance for cyber events,” Parisi said.
For its part, AIG announced in September that virtually all of its commercial property and casualty insurance policies will begin affirmatively covering or excluding physical and non-physical cyber exposures as of January 2020. “As we shift to affirmative cyber coverages and exclusions, our clients can more closely consider the cyber peril they face and evaluate how that exposure impacts coverages and policies across their enterprise,” said Tracie Grella, AIG’s global head of cyber insurance.
Opposing Factions
The Mondelez lawsuit still complicates the cyber coverage picture, however. Edmundson is optimistic it will not make a difference since “most attacks are executed by private thieves and not foreign nation-states.” On the other hand, Garrie believes Executive Order 13873 may make this difference moot.
“If a cyberattack can be traced to a private entity in a jurisdiction classified by the Department of Commerce as a foreign adversary, the president’s executive order can be persuasive in the rationale of an insurer triggering the war exclusion,” he said. “Since we have no legal precedent on the subject, the courts will be compelled to consider the president’s wishes and intent, possibly giving insurers the opportunity to deny claims based on the war exclusion.”
Other experts disagree. “Our view is that cyber war is a very specific thing that involves sovereign nations, military actions and physical force,” Parisi said. “The cyber insurance market has a long history—dating back to the first policy—of covering events alleged or imputed to have been caused by a nation-state.”
Evidence of claims paid may be instructive when an Illinois court hears Mondelez International, Inc. v. Zurich American Insurance Company sometime in the next year.
Of course, the surest way for a risk manager to get absolute certainty that an insurance policy will honor its promises is to insist the insurer expunge the war exclusion. However, that is not likely to happen. “We’ve been unsuccessful in eliminating the exclusion in its entirety,” Burke said.
Instead, brokers have had greater success putting together “carve-backs” for losses due to cyber terrorism. “By inserting the carve-back, we’re able to effectively get coverage for cyber events, even those that appear to have been caused by nation-states,” Burke explained. “For example, after the NotPetya attack—despite allegations it was executed by Russia—the cyber insurance market reacted favorably. Claims were paid.”
Russ Banham is a Pulitzer-nominated financial journalist and best-selling author.