4 September 2022

Who Pays for an Act of Cyberwar?


This summer marks the fifth anniversary of the most expensive cyberattack ever: the NotPetya malware, released by Russia in June 2017, that shut down computer systems at companies and government agencies around the world, causing upward of $10 billion in damage due to lost business, repairs, and other operational disruptions. Half a decade later, the businesses affected by NotPetya are still sorting out who will pay those considerable costs in a series of legal disputes that will have serious ramifications for the rapidly growing cyberinsurance industry, as well as for the even more rapidly growing number of state-sponsored cyberattacks that blur the line between cyberwar and standard-issue government cyberactivity.

Whether or not insurers cover the costs of a cyberattack can depend, in part, on being able to make clear-cut distinctions in this blurry space: When Russian government hackers targeted Ukraine's electric grid earlier this year, was that an act of war because the two countries were already at war? What about when Russia hacked Ukraine's electric grid in 2015, or when pro-Russian hackers targeted servers in countries like the United States, Germany, Lithuania, and Norway because of their support for Ukraine? Figuring out which of these types of intrusions are "warlike" is not an academic matter for victims and their insurers; it is sometimes at the heart of who ends up paying for them. And the more that countries like Russia exercise their offensive cyber capabilities, the harder and more critical it becomes to make those distinctions and sort out who is on the hook for the costs.

When insurers first began offering policies that covered costs related to computer security breaches more than 20 years ago, the promise was that the industry would do for cybersecurity what it had done for other types of risks like car accidents, fires, or robbery. In other words, cyberinsurance was supposed to insulate policyholders from some of the most burdensome short-term costs associated with these events while simultaneously requiring those same policyholders to adopt best practices (seat belts, smoke detectors, security cameras) for reducing the likelihood of these risks in the first place. But the industry has fallen well short of that goal, in many cases failing both to help breached companies cover the costs of major cyberattacks like NotPetya, and to help companies reduce their exposure to cyber risk.

Certainly, cyberinsurance has helped organizations cover the costs of many data breaches and cybersecurity incidents, including, in several cases, large ransoms paid directly to criminals. But when it came to NotPetya—a piece of malware so devastating that the White House later referred to it as “the most destructive and costly cyberattack in history”—victims including the multinational food corporation Mondelez and the pharmaceutical company Merck struggled to recoup their losses from their insurance carriers. Merck filed a lawsuit against several insurers and reinsurers in August 2018, claiming $1.4 billion in NotPetya-related losses, and a New Jersey court ruled in the pharmaceutical company’s favor in December 2021. Mondelez filed a similar complaint against its insurer Zurich in October 2018 for $100 million in a case that is still ongoing. Their insurers argued that because several governments had attributed NotPetya to the Russian government, the cyberattack was a “hostile or warlike action” by a government, and therefore excluded from the companies’ property and casualty coverage under standard war exclusions.

Those exclusions date from long before cyberattacks existed and have largely not been updated, even as property and casualty policies have expanded to include coverage for damage to data and software caused by malware. NotPetya was the first time that insurers tried to invoke these exclusions to avoid paying for a cyberattack. It was an important test case for the insurers, and for their policyholders, because the attack was both expensive and had been so clearly and definitively attributed to a national government by so many countries. That meant there was a lot of money at stake for the insurers and also a plausible argument for them to make that NotPetya was no ordinary run-of-the-mill piece of malware, but instead something akin to, well, war.

The attribution of NotPetya to the Russian government mattered because in past insurance disputes about war exclusions, the question of whether a sovereign power was behind an attack took on great importance. For instance, insurers tried—and failed—to claim that the 1970 hijacking of Pan Am flight 093 by the Popular Front for the Liberation of Palestine (PFLP) was an act of war for insurance purposes. But a court rejected that argument in 1973, in part because the PFLP “was not a de facto government,” and ordered the insurers to pay the full value of the destroyed aircraft: $24,288,759. More recently, in 2014, when Universal had to move filming for its television series Dig out of Jerusalem due to Hamas rocket attacks in the region, the studio’s insurer insisted that the costs of interrupting and relocating the shoot couldn’t be claimed under Universal’s insurance because the attacks fell under the policy’s war exclusion. The insurer lost that case, too, with the Ninth Circuit ruling in 2019 that the war exclusion only applied to “hostilities between de jure or de facto governments.”

So the insurers on the hook for covering NotPetya had some reason to believe that the attribution of NotPetya to a government source might make it easier for them to argue that the cyberattack was an act of war. But there were other, equally important precedents that suggested such attribution would not be sufficient to avoid paying out their policyholders' claims. For instance, when Japan attacked Pearl Harbor in 1941, there was no doubt that a government was responsible, but insurers that tried to deny life insurance claims for those who died in the attack were not always successful, because the United States had not yet formally declared war on Japan when the attack took place. (Following those disputes, many insurers updated the language of their war exclusions to apply to hostile or warlike actions "in times of peace or war.") And in the Pan Am case, the court had pointed out that the hijacking occurred in western European airspace, "thousands of miles" from the conflict in the Middle East that the insurers claimed was the "efficient cause of the hijacking operation."

The NotPetya compromises of Mondelez’s and Merck’s computer systems also occurred far away from the conflict between Russia and Ukraine, which had ostensibly spurred the malware’s release. Even more importantly—at least in the eyes of the court that ruled in Merck’s favor that the war exclusion did not apply to NotPetya—the cyberattack involved no “use of armed forces” or “traditional forms of warfare.” In other words, there was no violence, no bloodshed, none of the traditional trappings of war.

The current war between Russia and Ukraine does involve armed forces, of course, and should significant cyberattacks occur in the context of this conflict, it’s possible that insurers will once again try their luck at excluding those costs from their coverage. But given how easily malware can spread worldwide and how common state-sponsored cyberattacks are, for the purposes of clarity and fairness to policyholders, these cyberattacks should only count as acts of war if they actually occur in the context of an ongoing war and are directed at one of the parties to that conflict. A Russian cyberattack that shut down Ukraine’s electric grid right now would be an act of war because Russia and Ukraine are at war, but a Russian cyberattack that hit US banks would not be. Or, as in the case of NotPetya, if a piece of malware directed initially at Ukrainian infrastructure spread to other targets, the impacts on those other targets should not be excluded from insurance coverage just because the malware served the purpose of a warlike act in one specific instance.

Without these parameters around when cyberattacks are considered warlike acts, there will be huge holes in cyberinsurance coverage that may dissuade companies from buying it. And the collapse of the cyberinsurance market would be disastrous for companies that can’t afford to recover from cyberattacks. It would mean that victims would always have to pay for those attacks themselves, even if they had taken reasonable precautions and invested in security protections. Given how many sophisticated adversaries there are in cyberspace and how imperfect the art of cyberdefense is, some organizations that take cybersecurity seriously will still get breached. When they do, they should be able to recover from those incidents in the same way they would recover from a fire, flood, or robbery—by using their insurance coverage.

Another risk is that the recent ruling in the Merck case will push insurers to change the language of their war exclusions to exclude more and more state-sponsored cyberattacks. In fact, the judge in that case specifically faulted the insurers for having done "nothing to change the language of the exemption" to put Merck on notice that "it intended to exclude cyber attacks." If the insurers now take that ruling as a signal that they need to broaden their war exclusions to apply more explicitly to state-sponsored cyberattacks, they may again run the risk of scaring off customers or leaving policyholders unable to cover the costs of many state-sponsored attacks that fall well short of war.

If we ultimately want to use insurance to handle cyber risks the way we deal with many other expensive types of risk, then that insurance is going to have to cover a lot of state-sponsored cyber activity. And that coverage can’t just be in smaller, standalone cyberinsurance policies—it has to extend to the big property and casualty policies that explicitly cover malware damage and that policyholders understandably turn to when faced with massive cybersecurity-related losses. For cyberinsurance to work at all moving forward, insurers will have to agree to carve out exceptions for only rare, unpredictable attacks that are closely connected to traditional warfare. Otherwise, they will very quickly wind up having excluded much of what their customers most want—and need—in this domain.
