The Financial Times is reporting that an insurance company has refused to pay a claim for damage caused by the NotPetya cyber attack, on the grounds that the attack was a ‘hostile or warlike action’ by a government or sovereign power, or by people acting for them.
This is a really interesting case because the company, Mondelez, made its claim under its property insurance rather than a cyber policy. The claim was for ‘physical loss to electronic data, programs, or software, including physical loss or damage caused by the malicious introduction of machine code’ resulting from the NotPetya attack. The insurer is refusing to pay by relying on the policy’s exclusion for ‘hostile or warlike actions’.
The cyber insurance industry is still very much in its infancy when it comes to dedicated cyber insurance products. This can, therefore, be a confusing time for organisations looking to insure against residual cyber risk.
Insurers are also increasingly excluding cyber attacks from their general policies and offering cover instead through standalone cyber products. This case is interesting precisely because Mondelez was not claiming under such a cyber policy, but under its property insurance.
Cyber attacks have been ranked by the UK government as a Tier 1 threat under its National Security Strategy, alongside terrorism, natural hazards and major accidents. That ranking suggests that, in some cases, they could also be treated as ‘hostile or warlike actions’.
Responsibility for protecting against cyber attacks still lies with organisations
Whilst the National Cyber Security Centre is working hard to counter such attacks, the responsibility still lies with organisations to take steps to protect themselves. An insurance company is unlikely to pay a claim for a stolen car if the keys were left in the ignition. As the insurance industry matures, insurers will likewise be unlikely to pay out on claims where a company has not taken reasonable steps to protect itself from cyber attacks.
For example, a lack of regular patching remains a fundamental problem that leaves systems more vulnerable to attacks such as NotPetya, which spread in part by exploiting an SMB vulnerability for which Microsoft had already issued a patch (MS17-010) months earlier. Insurers may be less inclined to pay out on claims where basic housekeeping such as this has not been carried out.
Will insurance companies ask for evidence that technical and organisational controls are in place?
Insurance companies are now asking questions about what organisations have put in place to protect against cyber attacks. Being able to demonstrate something as simple as the government-backed Cyber Essentials or Cyber Essentials Plus certification may well become a basic requirement. Organisations may also be asked to provide external verification through regular vulnerability scanning and penetration testing.
The ICO expects organisations to implement ‘appropriate technical and organisational controls’ to protect personal data against such attacks, and has published a detailed checklist to guide organisations through the steps they should take. This may well become the approach insurers adopt to satisfy themselves that the ‘keys have not been left in the ignition’ and that sufficient steps have been taken to protect against attacks.
The BBC reported that the UK and US blame Russia for the NotPetya attack. Whether insurers succeed in using exclusions such as ‘warlike action’ to reduce payouts on attacks considered to be state sponsored will therefore be interesting to watch.