A risky business: what happens when transferring risk goes wrong?
The title of this article might seem a little confusing so let's start by breaking things down. Once a risk analysis has been conducted and the risks facing a company have been identified, for example the fundamental vulnerability of systems to malware, each risk must be addressed. Generally there are four strategies for dealing with risks, especially if the company is following ISO 27001: Avoid, control, accept or transfer –after taking a quick glance at the first three options, we'll be moving on to discuss transferring risk in more detail. Going back to our malware example, you could avoid this risk by cutting off your server from the outside world. If you chose to control or reduce the risk, you could install current anti-malware software. You could also decide that the situation is tenable and accept the risk. But what happens if you decide to take the fourth option of transferring risk to another party – usually an insurance company. For a number of years, insurance providers have been selling cyber crime insurance to businesses and businesses have benefited from transferring risk to their insurers in exchange for a tidy sum.
It all sounds fairly reasonable yet neither policyholders nor insurers have considered the increasingly complex malware landscape. At the moment, ransomware attacks are particularly expensive. Whether the ransom is paid at the end or not, the encryption of large amounts of mission-critical data paralyzes virtually every victim's business for hours to days. One of the best-known cases is the global logistics company Maersk, where the cost of recovery and lack of productivity amounted to about 300 million US dollars. Even the food multinational Mondelez was forced to acknowledge that the infamous NotPetya ransomware had infiltrated its servers at the end of 2017. The business operations of the Oreo and Cadbury manufacturer were paralyzed, allegedly affecting 1,700 servers and 24,000 computers. This goes far beyond an annoying inconvenience and shows once more that endpoint protection is not enough. Such incidents cannot be contained without sensible internal detection systems at network level and an ironclad segmentation of networks. But that's not what we're here to talk about.
Mondelez had wisely anticipated the residual risk in their risk analysis, despite all the protective measures they had implemented, and still considered this risk to be too high. The Group took out an insurance policy with Zurich American to mitigate these risks. And, of course, Mondelez expected Zurich American to pay the costs of about 100 million US dollars after the loss. However, the insurance company refused to accept the claim (PDF). How could that happen? We've already discussed that the malware landscape is increasingly complex. NotPetya used a modified version of the EternalBlue exploit that was leaked from the NSA's collection of found but unpublished exploits. In the weeks that followed, England, the USA and the Ukrainian government accused a group of state-sponsored hackers as having carried out the NotPetya attacks. Zurich American used this position to reject the claim, referring to the exclusion in the policy of "hostile or warlike action in time of peace or war" carried out by "governments or a sovereign power". And then the 100 million dollar claim dissolved into nothing – as quick as that.
Mondelez naturally took a different view and filed a lawsuit against Zurich American. This creates a very interesting precedent, as the same or a similar clause can be found in virtually every cyber insurance policy. And this is exacerbated by the lack of proof that the attack was carried out by a state agent, not just for NotPetya but other subsequent incidents. The legal dispute is still in full swing and needs to resolve some fascinating and complex issues, including whether an international armed conflict (IAC) had occurred, whether the term "armed" can apply and whether it can be defined as a conflict under international law . All three conditions are very clearly defined - except for cyber conflicts. The outcome of the process will have an enormous impact on the insurance industry, not just Zurich American. Whatever the outcome, the insurer stands to lose: If Mondelez win the lawsuit, it will cost Zurich American $100 million. If, on the other hand, the judge decides in favor of the insurer, the latter will keep the 100 million, but will find it difficult to sell cyber insurance in future. By now companies exploring insurance as an option for transferring risk should be aware of the need to review their contracts very carefully for the "hostile or warlike action" clause.