Peter Groucutt, Co-Founder at Databarracks on the challenge of cyber attack attribution and the continuously narrowing parameters for a cyber insurance pay-out.
Merck & Co. has won its legal dispute with its insurer over a refusal to pay out on a claim for losses due to the NotPetya ransomware.
The NotPetya attack was attributed to Russia. It was aimed at Ukraine, but it had a massive impact on companies around the world.
Insurers have refused to pay out on the basis of the “war exclusion” clause in their policies. That resulted in companies suing their insurers for refusing to pay out. In addition to Merck, Mondelez has also taken action against its insurer.
The court in New Jersey ruled that the war exclusion clause did not apply because it applied to armed conflict rather than cyber warfare.
Lloyd’s cyber exclusion clauses
The timing of this ruling is particularly interesting because it comes just after Lloyd’s issued its new cyber war and cyber operation clauses.
The new clauses from Lloyd’s favour the insurers with broader definitions of cyber activities that can be excluded from coverage.
Traditional war exclusion clauses don’t address some of the particular challenges raised by cyber warfare.
Extending the reach to include “cyber operations” covers more activities. There is a lot going on between nation states that doesn’t qualify as “war”. Occasionally that spills over and affects organisations who might want to claim on their cyber insurance (as with NotPetya).
Attribution is another challenge because it is not always clear who was responsible for an attack. There is understandably a lot of deception in cyber warfare, with attackers leaving misleading breadcrumbs pointing to different attackers or nations. These clauses allow the insurer to determine attribution if the government does not or “takes an unreasonable length of time to”. That seems to be a dangerous case of checking one’s own homework.
There is another challenge of attribution in that cyber groups are often loosely affiliated with a government. It is not always clear if they are directly controlled by or sponsored by the government. Previously, that distinction would have been more important. Again, these new clauses widen the net with “those acting on its behalf” working as a catch-all for these kinds of relationships.
Ultimately, businesses will find in future that the parameters for a payout are narrowing, shifting the emphasis for protecting data and operations onto the victims.