By Asaf Lubin, Yale University; Berkman Klein Center for Internet & Society; Yale University - Information Society Project.
This detailed research is a work-in-progress and has not yet been published. The author welcomes any comments or thoughts on the piece, which can be sent directly to email@example.com.
In June 2017, the food and beverage conglomerate Mondelez International became a victim of the NotPetya ransomware attack. Around 1,700 of its servers and 24,000 of the company’s laptops were suddenly and permanently unusable. Commercial supply and distribution disruptions, theft of credentials from many users, and unfulfilled customer orders soon followed, leading to losses that totaled more than $100 million. Unfortunately, Zurich, which had sold the company a property insurance policy that included a variety of coverages, informed Mondelez in 2018 that cyber coverage would be denied under the policy based on the “war exclusion clause.” This case, now pending, will be a watershed moment for the cyber insurance industry, highlighting the great ambiguity around the insurability of certain types of cyber risk and the scope of coverage that insurers will provide in the case of a cyber incident.
The literature on the insurability of cyber risk has focused all of its attention on questions of economic efficiency and viability. Scholarship has, for example, examined the actuarial challenges in cyber risk modeling and the likelihood of adverse selection resulting from information asymmetries and a lack of historical claims data. Scholars have so far avoided a different set of considerations rooted not in economics but rather in public policy analysis of societal values. This paper lays the framework for such an analysis. Relying on traditional insurance and torts jurisprudence, the paper makes the public policy case for limited legal interventions in the indemnification of four controversial categories of cyber harm:
(1) acts of cyber terrorism or state-sponsored cyber operations;
(2) extortion payments for ransomware attacks;
(3) administrative fines for violations of statutory data protection regulations; and
(4) disruption to supply, service, or distribution chains.
In so doing, the paper highlights systemic challenges to cyber insurance underwriting while explaining insurers’ role in increasing societal cyber posture by reducing the likelihood of moral hazard and suboptimal cyber-norms enforcement.
Keywords: Insurance, Cybersecurity, Risk, Ransomware, Data Breach, Cyber Terrorism, Cyber Warfare, Data Protection, GDPR.
Referred to as “the most devastating cyberattack since the invention of the Internet,”(1) the NotPetya malware(2) wreaked havoc around the world during the month of June 2017.(3) As a propagation method, the hackers relied on a “watering hole” technique, an attack which compromises a particular website or piece of software known to be used by the unsuspecting targets.(4) The hackers infected the servers of a financial software program called MEDoc, which businesses operating in Ukraine commonly use to file taxes.(5) The compromised MEDoc servers then delivered the NotPetya malware to corporations within Ukraine and around the world. NotPetya spread “automatically, rapidly, and indiscriminately,” gaining administrator access to infected machines and leveraging that power to commandeer other computers on the network.(6) Once inside the network, the malware irreversibly encrypted the master boot records of all infected devices, demanding the payment of $300 worth of bitcoin to decrypt them.(7) While masquerading as a “ransomware” attack,(8) this attack was in fact not financially motivated.(9) Western intelligence agencies have concluded that NotPetya was launched by Russia’s GRU military spy agency as part of its cyber campaign against Ukraine.(10) Irrespective of the perpetrator, the White House estimates that NotPetya cost more than $10 billion in total damages.(11) A large number of multinational corporations experienced paralyzing business interruptions, including the pharmaceutical company Merck (whose damages are estimated at $870 million), the delivery company FedEx (damages to its European subsidiary TNT Express estimated at $400 million), and the Danish shipping company Maersk (whose damages are estimated at $300 million).(12) Those companies’ financial losses were collateral damage; their injuries were a spillover from the alleged Russian state-sponsored attacks on its neighbor to the west.
The food and beverage conglomerate Mondelez International was yet another victim of the NotPetya attack. Around 1,700 of its servers and 24,000 of its computers became permanently unusable at the end of June 2017.(13) Thousands of boxes of Oreos and Ritz Crackers were left waiting in packaging centers, as the attack disrupted commercial supply and distribution chains and made it impossible for Mondelez to fulfill customer orders. Ultimately, the attack led to losses that totaled more than $100 million for the company.(14) Mondelez had an all-risk property insurance policy with Zurich American Insurance. The policy covered “physical loss or damage to electronic data, programs, or software, including physical loss or damage caused by the malicious introduction of a machine code or instruction… [and] Actual loss sustained and extra expenses incurred by the insured during the period of the interruption resulting from the failure of the Insured’s electronic data processing equipment or media to operate.”(15) Mondelez thus filed a claim seeking compensation for at least a portion of its NotPetya losses. In June 2018 Zurich informed Mondelez that cyber coverage would be denied under the policy based on an exclusion listed therein which limited indemnification in cases of damages resulting directly or indirectly from “a hostile or warlike action … by any government or sovereign power.”(16) The Mondelez v. Zurich case, now pending before an Illinois court, will be a watershed moment for the cyber insurance industry.(17) While the case does not stem from a standalone cyber insurance product, it nonetheless highlights the great ambiguity around the scope of coverage that insurers will provide in the case of a cyber incident and the evidentiary requirements for tortious attribution in cyberspace.(18) The case, which has now received national attention,(19) thus offers an opportune moment for self-reflection for the insured, insurers and regulators around the limits of insurability of both existing and future cyber exposure.
Increased economic risk from cyberattacks and data breaches has led to the rise of cyber insurance as a means of risk prevention and management.(20) The number of U.S. firms reporting that they have no cyber liability insurance fell from 50% in 2017 to only 24% in 2018.(21) PWC has estimated that annual gross written premiums of cyber insurance will reach $7.5 billion by 2020.(22) These policies cover varied costs associated with the perils of operating a business in the digital age. Stand-alone cyber insurance policies now offer coverage for an array of both first-party cyber harms (such as a business interruption and network shutdown triggered by an attack on third-party suppliers or cloud-service providers) and third-party cyber harms (such as costs for notification and credit monitoring services and legal fees associated with data breaches of users’ information).(23)
Despite the imminent ubiquity of cyber insurance in the United States, scholarship on the insurability of cyber risk is still in its infancy. Most of what has been written has focused solely on the economic viability of these cyber insurance products. Following the criteria laid down by the likes of Robert Mehr and Emerson Cammack in Principles of Insurance, this body of work has centered on addressing the following questions: (1) does cyber risk involve a large group of homogeneous exposure units? (2) does cyber risk produce losses that are definite as to time, place, amount, and cause? (3) does cyber risk produce losses that are accidental or fortuitous? (4) is the potential loss from cyber risk large enough to cause hardship? (5) is the cost of cyber insurance economically feasible? (6) is the chance of cyber loss calculable? (7) can cyber perils produce loss to a great many insured units at one time?(24)
Examples of scholarship that has adopted these economic questions as guideposts for insurability determinations abound. These include, among others, papers that have examined the aggregation risks associated with cyber insurance,(25) the contemporary gaps in coverage of cyber harms,(26) the actuarial challenges in cyber risk modeling,(27) the difficulties in wording and pricing cyber insurance policies,(28) the private governance benefits and pitfalls of enforcing cyber security standards through commercial insurance,(29) and the information asymmetries and lack of historical claims data that are preventing the cyber insurance market from maturing.(30)
While all of these papers offer foundational theoretical insight and empirical data as to the economic benefits of insurance as a tool in cyber risk prevention and mitigation, they fail to provide a normative path forward. These papers tend to ignore an equally important set of concerns rooted not in economics but rather in philosophy and political science.(31) To borrow from Baruch Berliner’s insurability criteria, these are “societal” considerations, distinguished from mere actuarial and market requirements.(32)