In Ukraine, a cyberattack can mean a freezing night without power. But in the United States, it often seems like just one more unavoidable hassle of modern life. People change a few passwords, maybe sign up for credit monitoring, and then go on with life. But for the organizations on the receiving end—Target, Equifax, the federal government’s Office of Personnel Management, just to name a few—a cyberattack can mean scrambling to get systems back on line, setting up response war rooms, and, of course, paying huge bills for missed orders or new equipment.
And US businesses may no longer be able to rely on insurance to cover their losses. In an era of unceasing cyberattacks, including cases of state-sponsored hacking, insurance companies are beginning to re-interpret an old line in their contracts known as the “war exclusion.” Stripping away the metaphorical connotation of the term “cyberwarfare,” big insurers like Zurich Insurance have decided that state-sponsored attacks are basically just plain warfare. This shift comes as the US government is increasingly attributing state-sponsored cyberattacks to their alleged perpetrators, a development that some argue is a means of holding bad actors accountable.
But the policy certainly doesn’t seem to be doing any favors to the private sector.
The New York Times fleshed out the insurance companies’ new legal strategy in a recent article about the woes of Modelez International, the maker of Oreo cookies and other mainstays of the snack food industry. Based in the Chicago suburbs, Mondelez was among the hundreds of companies hit in the so-called “NotPetya” attack of 2017. The Times reported that Mondelez expected its more than $100 million in losses to be covered by its Zurich insurance policy. But Zurich swatted back Mondelez’s claim, citing an exclusion for “hostile or warlike action in time of peace or war … by any government or sovereign power,” according to the complaint Mondelez filed in court last fall, which Crain’s Chicago Business obtained.
In February 2018, the White House attributed the NotPetya attack to the Russian military, calling it the “most destructive and costly cyberattack in history.” By blaming the Russians, the government gave Zurich an opening, but not necessarily an airtight argument: “Zurich’s invocation of a ‘hostile or warlike action’ exclusion to deny coverage for malicious ‘cyber’ incidents was … unprecedented,” Mondelez’s complaint asserted. “The purported application of this type of exclusion to anything other than conventional armed conflict or hostilities was unprecedented.”
“We still don’t have a clear idea of what cyberwar actually looks like,” cyber risk adviser Jake Olcott told the Times. “That is one of the struggles in this case. No one has said this was an all-out cyberwar by Russia.”
Attributing a cyberattack to a suspect country can take weeks or months of painstaking analysis. But cyberattacks are a low-cost way for countries such as Russia, China, North Korea, and Iran to achieve their goals, the director of national intelligence argued in a 2018 document. And they will continue to engage in cyberattacks “unless they face clear repercussions for such actions.” (The United States, of course, has been known to wage cyberwar, as well.) In the case of NotPetya, the target of the allegedly Russian cyberattack was a Ukrainian software company. The malware then spread to networks around the world, including to Mondelez’s.
The question for Zurich is whether the chain of events that led to NotPetya striking down Mondelez’s network qualifies as warfare. A court ruling in its favor could make cyberwar much more real, and costly.