Tarah Wheeler and Josephine Wolff analyze a recent court decision that the NotPetya attacks are not considered an act of war under the wording of Merck’s insurance policy, and that the insurers must pay the $1B+ claim. Wheeler and Wolff argue that the judge “did the right thing for the wrong reasons..”
humdee • February 28, 2022 9:22 AM
Article is behind a paywall for me.
JonKnowsNothing • February 28, 2022 9:22 AM
@JohnnyS
re: Insurance companies will move to explicitly exclude cyber-attacks
The wording selected will be interesting because while we know a cyber attack when we see one-experience it, like many other conditions, it’s harder to define it.
Acts of War are generally excluded from policies, so all the “cyber-shooting” in RU v UKR might fall under that clause and the injured companies excluded from compensation.
That might be the point, but there are many companies that have nothing whatsoever to do with the conflict that will fall under the same umbrella.
===
1)
Australia is making a good profit on their wheat prices from the conflict RU v UKR. Last year, several major crop harvests failed, the shortage made price of wheat go up. In times of war, commodity prices go up as well. Now AU is getting nearly $1AU dollar more per ton.
TimH • February 28, 2022 9:26 AM
It’s not going to be adequate to simply exclude “acts of war”, because attribution is difficult. And un-named officials making claims or origin without showing the evidence (let alone allowing it to be analysed) ain’t cuttin’ it.
Ted • February 28, 2022 9:29 AM
“By finding in favor of Merck, the judge did the right thing for the wrong reasons.”
I am a little confused about the basis of this statement and feel like I need to read the article with greater attention. In the next sentence the authors say, “NotPetya was absolutely an act of war, and Merck was a noncombatant outside the theater of conflict.”
However, doesn’t the ruling say that the warfare exclusion did not explicitly include cyber attacks and therefore the ambiguity favors the insured?
There are some good references to previous case law. It’s just difficult to know exactly how it applies. These times are so unprecedented.
Clive Robinson • February 28, 2022 10:17 AM
@ ALL,
I can only see the first bit of the article…
But,
“For an insurance-claim-related lawsuit surrounding boilerplate text in a contract, this was a major legal decision, one that would decide whether or not insurers would have to pay up for cyberattacks under their enormous property and casualty policies.”
As I understandit from someone who woked intimately with insurance in the law, the problem was not,
“boilerplate text in a contract”
But the fact they failed to change it in a very long time. That is it was held that the language used had the same meaning it did before “cyber-crime” actually started.
Thus I suspect the result will be all insurance terms and conditions will get a little re-work.
The thing is, my advice to insurance underwriters is “Don’t touch cyber” and has been for years now.
The process of assessing risk is based on old “physical universe” limitations, that do not work in an “information universe” such as the,
1, Communication.
2, Storage.
3, Processing
Of information.
A “cyber-weapon” or just “malware” has no physical substance thus,
1, It can be infinately copied.
2, It can be infinitely deployed.
3, It requires no energy from the attacker.
So you can have an “army of one” consisting of every computer connected to the Internet suddenly going wrong without any observed warning.
That is a cyber-attack is not subject to the limitations of energy/matter in the way acturies understand things.
Because,
1, No locality limitation.
2, No distance limitation.
3, No time limitation.
4, No energy/matter limitation.
5, No effective attacker cost.
Even nuclear bombs as destructive as they are have some or all of the above physical universe limitations. Whereas properly designed and deployed malware on the other hand does not have those limitations.
Because, all the attacker does is develope an attack that self replicates and covertly deployes any where it can get connectivity. By after the first release of information running on other peoples computers using their resources not the attackers.
So I wonder if older and wiser hrads in the insurance industry will unlike many youngsters consider potential losses / downsides before they get hot to trot over a new market and new profits. Especially when they apparently can not understand the risks involved…
Maslin • February 28, 2022 10:48 AM
…that court ruling is merely an arbitrary ‘opinion’ by one level of the judicial bureaucracy — it will proceed thru a very long and intense Appeals process with the huge $$$ settlement potential at stake.
“Insurance” is just a civil business contract between two primary parties.
Specific contractual terms are of course criticl, but legal disputes over contract are extremely common in all types of civil contracts.
‘Actuarial Science’ is supposed to be the basis of all commercial insurance.
The insurer must have some objective basis to calculate the detailed terms of the insurance being offered — otherwise it’s just Gambling with vague general odds.
Few events in life are rationally “insurable” — and there is no birthright for others to insure you against risks.
corsair • February 28, 2022 7:45 PM
Every insurance company constantly evolves their policy terms based on the laws and caselaw where they do business. Since this is not a Federal case, it will not be on Pacer, but bloomberglaw.com has listed the case progression and docket entries on their website (login required to read docs):
Once the insurance industry gets a good idea of how to structure their policies to avoid paying cyber-crime claims, expect all the obvious loopholes to close quickly.
Mike D. • March 1, 2022 12:21 AM
Anyone know why the insurance companies created Underwriters Laboratories instead of simply excluding houses with electrical appliances from coverage?
Because I’ve been waiting for a “your IoT shit must be pen tested by our labs or we won’t insure losses due to their compromise” stance from insurance companies for forever.
rortiz • March 1, 2022 1:56 AM
Anyone know why the insurance companies created Underwriters Laboratories instead of simply excluding houses with electrical appliances from coverage?
Well, electricity was largely replacing fire, so I could make an educated guess. UL’s first standard wasn’t even related to electricity; it was for fire doors.
I expect to see insurers setting some security-related standards here, but pen-testing alone won’t cut it. That’s a big difference from inflammability, which can be reliably tested with a blowtorch. Safecracker-style ratings—”survived 3 days of penetration testing”—don’t make sense either. There’s no obvious endpoint to a penetration test.
Subscribe to comments on this entry
Sidebar photo of Bruce Schneier by Joe MacInnis.
JohnnyS • February 28, 2022 9:06 AM
Interesting. I expect that Insurance companies will move to explicitly exclude cyber-attacks in their terms for “property insurance” going forwards, and their customers will want to carefully review the limits on their cyber-insurance policies to make sure that they have sufficient coverage going forwards.
Hopefully the end result will be to motivate corporations to improve their cyber-security, by “breaking out” cyber-attack damage from their property insurance and making the true cost of cyber attack insurance a separate line item, that shows high costs for insufficient coverage unless they pull up their security socks.