Would My Cyber Insurance Policy Cover NotPetya?

Would my cyber insurance policy cover losses due to NotPetya? It is the kind of question to ask your insurance provider before each renewal.

The answer from the New Jersey Superior Court for Merck was yes. The War or Hostile Acts exclusion in their policy did not apply, and Ace American Insurance Company must pay the $1.4B insurance claim. This result is likely to be appealed.

Before ICS asset owners and other companies looking to transfer cyber risk cheer, the ruling essentially said that Ace American needed to write a better exclusion if this was not to be covered.

The court noted that despite being "aware that cyber attacks ... from private sources and sometimes nation-states have become more common ..., Insurers did nothing to change the language of the exemption to reasonably put this insured on notice that it intended to exclude cyber attacks".

Another reason to be pessimistic about future coverage is that this case dealt with an all-risk property damage policy. A war or hostile act exclusion might have been upheld if this had been a cyber insurance policy.

The response we are already seeing is insurers adding in new and more encompassing exclusions to insurance policies for cyber incidents. Last November Lloyd’s Market Association provided four new cyber war exclusions for potential use by insurers.

These new definitions, exclusions and some wild swings in rates are to be expected in a new insurance market. I’m still bullish that in 3 - 5 years cyber insurance will play a role in cyber risk management (this is the S4x22 Great Debate Topic). Still, this ruling and the growing number of exclusions require some hard questions before you pay that premium, unless you are doing it solely to cover reputational risk so you can say you had cyber insurance.

Some questions I would ask and preferably want the response in writing:

  • Would this policy cover a loss due to NotPetya or similar attack attributed to a nation state actor where our company was collateral damage (not a direct target of the attack)?
  • Would this policy cover a loss due to the SolarWinds vulnerability before it was known and a patch was available?

If the answer to these questions is no, then the company is essentially self-insured for these incidents. This type of incident is expected to grow and can be the most difficult to prevent, as was certainly the case with SolarWinds. If we have to self-insure against the hard-to-stop and potentially large-impact events, shouldn’t we be able to self-insure against the criminal or other attacks that might be covered? Of course, the rate and coverage would play a role in the decision.

The other area to question is whether we are covered if our security program is not perfect, or if it does not match an answer we gave in the questionnaire we submitted. For example, Colonial Pipeline had two-factor remote access for employees and contractors, but they missed a system. I noted in an earlier article that my Professional Liability Insurance had exclusions for incidents caused by exploits of high-profile vulnerabilities with patches available. Would an attacker who leveraged a cyber asset missing a key patch trigger such an exclusion?

I’m looking forward to getting some cyber insurance experts on the Unsolicited Response show because there are so many questions.

Rick Welsh

CEO Killara Cyber

2 years

Dale: You are right to have so many questions because from my own experience, the insurance industry’s response since Stuxnet has at best been inconsistent. However, in some ways the trajectory of this industry’s “learning curve” is not dissimilar to that of the security community. The cyber insurance industry did not adapt to the changing risk environment that Stuxnet may have indicated, however, it must be remembered that it was only in 2011 that the Gartner Group provided their definition of Operational Technology. The seeming bifurcation in your industry around “cyber security vs engineering” was just as stark for the insurance industry because the different siloes of insurance were represented by different pools of capital. The insurance-purchasing personnel in large energy companies, for example, were “Risk Managers”; we cyber underwriters had little access to CISOs and certainly not engineers. The few companies that did engage us with CISOs were exceptionally sophisticated and similarly, had a more sophisticated insurance product as a result. For those clients, this Merck imbroglio would never have happened. For us in insurance, as in your industry, it is people like you, Robert Lee, Ralph Langner, my colleague Eireann Leverett and most especially Jason Christopher who have helped shape our education. We have needed to and continue to rely on your help; we have looked for leadership in your industry because any reliance on “security vendors” has been largely futile. Yes, the cyber insurance industry is still nascent in many regards but there equally is no uniformity in approach by legislators, judiciary, capital markets or prudential regulators. It would not be whimsical to suggest that Ace American Insurance Company sought to extract some guidance from the courts to eliminate the inconsistency and ambiguity that exists between the different siloes of insurance and within the industry more generally.

It should also be noted that Ace was one of the earliest pioneers in cyber insurance so I would not be surprised if Ace (now Chubb) is instead challenging orthodoxy and showing leadership. Therefore, the question you pose is “should my cyber insurance or property insurance cover losses due to NotPetya”? War and Hostile Acts exclusions for Property insurance are necessarily different from Cyber insurance. Attribution is not a concern for cyber insurers and therefore, the four new exclusions provided by the LMA should not be regarded as an industry proxy. Disparate industry groups and lobbyists have disparate approaches to the aggregation of cyber exposure and the LMA is only providing guidance. Which leads us to your questions. Firstly:

  • Would this policy cover a loss due to NotPetya or similar attack attributed to a nation state actor where our company was collateral damage (not a direct target of the attack)?

The basic premise of insurance is to provide financial protection to clients against fortuitous acts and where the insurer is not adversely selected against in providing such coverage. Such coverage is provided in return for premium. “Collateral damage” however infers widespread aggregation of losses. What protections exist for insurers in the event of a targeted attack by a nation state against critical national infrastructure or an entire industry sector? And to what extent should insurers provide a capital backstop for unfettered “business interruption” for a failure of OT/ICS as opposed to a targeted attack? These are the issues that have vexed insurers, government and prudential regulators for almost a decade. The US Government for a decade now has been asking the insurance industry for a capital pooling response similar to Terrorism (such as TRIA) given its own uncertainty around exposure modelling for OT/ICS Cyber risk.

Coverage for targeted attacks can be modelled and underwritten effectively, but broad-based coverage for systemic risk/collateral damage suggests a capital backstop underpinning indeterminate operational risk. What needs to happen first though is that property (and other non-cyber insurance) totally and clearly excludes cyber risk and coverage for targeted attacks would be sought and paid for under cyber-specific policies. But more risk capital must understand that exposure and have it properly funded for the exposure gap to be tightened. Non-traditional capital markets looking for diversification outside of property catastrophe are helping to ameliorate exactly this issue.

  • Would this policy cover a loss due to the SolarWinds vulnerability before it was known and a patch available?

Some insurers lack the understanding of the SolarWinds vulnerability, but a Cyber policy would reasonably be expected to cover that exposure scenario. Your question however seems directed at whether a Property insurance policy (or similarly non-Cyber specific insurance) would cover such a loss, for which a reasonable response would be no. It seems the court case is meant to show that clarity.

  • Your remaining question was whether you would be covered if your security program wasn’t perfect.

Just because an insurer doesn’t always ask the right questions should never preclude coverage. Equally, insurers need to start asking the right questions and that can’t be held against clients! And if there was one sub-system that was not “patched” after all, despite having suggested as much in the risk assessment? That’s why insurance exists, provided the omission was not malicious or intended. Not all insurers will have exclusions for SolarWinds, Log4Shell et al but those that do, won’t necessarily be as sophisticated as those that don’t. I guess you may have more questions, but I wanted to provide at least some guidance!

If you have more questions, please fire away and I will respond.

Sinclair Koelemij

Cyber-Physical Risk Expert | Founder Cyber-Physical Risk Academy | Consultant, Speaker, Trainer, Publisher | Operational Technology | Masterclasses | Training | 45+ years in process automation. OT security focus.

2 years

When I think of insurance in terms of risk, it will be difficult to include NotPetya in an insurance policy. For the asset owner, insurance is the sharing of risk between the asset owner and the insurance company. For the insurer, it is the distribution of risk among as many asset owners as possible. The sum of the premiums must be greater than the costs of an isolated claim. This is the problem with NotPetya: NotPetya is like a potential pandemic that affects more asset owners at the same time than the premium can cover. This is the key problem for security insurance; it cannot include coverage for any form of a cyber pandemic. However, in today’s cyber landscape this pandemic behavior is an important threat. If this is excluded and attacks from nation states or state sponsored/aligned groups are not covered, what is left? So in my opinion security assurance is a useless investment if cyber pandemic loss is not covered. Cyber loss events are no longer isolated events.

Khalid Ansari

Senior Engineer, Industrial Control Cybersecurity at FM Approvals

2 years

>>> I’m still bullish that in 3 - 5 years cyber insurance will play a role in cyber risk management (this is the S4x22 Great Debate Topic). <<< The following preface by Bruce Schneier to his second edition of Secrets & Lies, written in 2003 (yes, almost two decades ago!), would be a good primer for the debate. Excerpt: "Insurance companies are not stupid; they’re going to move into cyber-insurance in a big way. And when they do, they’re going to drive the computer security industry…just as they drive the security industry in the brick-and-mortar world. A CEO doesn’t buy security for his company’s warehouse—strong locks, window bars, or an alarm system—because it makes him feel safe. He buys that security because the insurance rates go down. The same thing will hold true for computer security. Once enough policies are being written, insurance companies will start charging different premiums for different levels of security..." https://www.schneier.com/books/secrets-and-lies-intro2

Sinclair Koelemij

Cyber-Physical Risk Expert | Founder Cyber-Physical Risk Academy | Consultant, Speaker, Trainer, Publisher | Operational Technology | Masterclasses | Training | 45+ years in process automation. OT security focus.

2 years

The question is which type of company opts for insurance? In the 20 years I worked in OT security I never encountered a company that did. Not just with regard to cyber insurance, but insurance in general. I really wonder if there is a cyber insurance market in the industry. Most bigger companies finance their own loss.
