Cyber Lessons for the Insurance Industry Continue Three Years After NotPetya

August 12, 2020 by

This summer marks three years since the NotPetya malware attack, which has been called the most devastating cyber attack in history. While cyber experts say cybersecurity and prevention strategies have since evolved in many ways, they also warn another crippling attack is never far off.

“We’re always one attack away from another market-wide event,” said Conan Ward, president of MGA/MGU Operations at QOMPLX, a Reston, Va.-based intelligence data analytics company that specializes in insurance and cybersecurity.

The NotPetya malware attack that began in Ukraine in June 2017 ultimately caused more than $10 billion in damage and wreaked havoc on major companies, including shipping company Maersk and pharmaceutical company Merck, which respectively lost up to $300 million and $870 million, according to reports.

What Cyber Insurance Industry Learned from 2017 HacksCyber experts say a lack of experience and data are behind the industry’s under-preparedness in a constantly evolving cyber risk environment.Was It an Act of War? That’s Merck Cyber Attack’s $1.3 Billion Insurance Question.Merck estimated initially that the malware did $870 million in damages. It was stunned when most of its 30 insurers and reinsurers denied coverage because the policies specifically excluded an act of war.
U.S. Says Russia to Blame for NotPetya Cyber AttackThe U.S. statement cane after the British government attributed the attack to Russia, a conclusion already reached by many private sector cyber security experts.Reinsurers Look at Cyber’s Massive Growth Possibilities—With CautionReinsurers admit they are sometimes challenged to close the protection gap for new and emerging risks such as cyber.

“The NotPetya attack dramatically highlighted the potential for systemic vulnerabilities, and how it can have a major financial impact on the global economy,” said Oliver Brew, head of client services at cyber insurance analytics company, CyberCube.

Not only that, but the attack also illustrated ambiguities in cyber insurance policies, fueling the conversation around silent versus standalone cyber in a quest for greater clarity, according to Brew.

“The attack acted as a catalyst for regulators to increase scrutiny on the issue,” he said.

Silent cyber refers to potential cyber exposures contained within traditional property and liability insurance policies which may not implicitly include or exclude cyber risk, according to insurance broker Marsh’s website. This has led to a lack of clarity in some cases regarding how cyber events are covered under various insurance policies, such as property policies, cyber experts said.

Standalone cyber insurance, on the other hand, refers to a dedicated cyber insurance policy that can be purchased separately by insureds and has been touted by the insurance industry as a product providing greater coverage clarity.

“There is a fundamental difference between dedicated cyber policies and this idea of either silent cyber or partial coverage grants,” Ward said. “What NotPetya really laid bare was this idea that if you’re selling a half-baked cyber coverage grant inside of some other policy, you’re playing with fire. And if you’re an insured, you’re not buying a product that’s fit for purpose.”

Ward said it is the responsibility of insureds to understand their cyber risk and purchase a product that best fits their needs.

“What I think you saw with NotPetya is that people were not buying enough [dedicated cyber] because they had this sort of half-baked, silent cyber grant in other policies,” he said. “Buyers don’t want to have to pay for dedicated cyber coverage, but at the same time, they’re not buying the right tool for the right job. A cyber grant inside of a property policy doesn’t do the kinds of things you need it to do.”

With this in mind, he added the onus is on buyers to buy an appropriate amount of limit in considering what an artisan level attack could do to their business.

“It’s not as simple as getting a cyber write-back in all of the policies you already buy,” he said.

At the same time, he said it’s on the insurance industry to fully understand the cyber insurance market and the cyber products it is offering to clients.

“I think the industry learned a valuable lesson [from NotPetya], which is, at least to a degree, don’t cover something like cyber that you really don’t understand,” he said. “I think we as an industry have a history of doing that. We want to provide super broad coverage thinking we’re helping, and the reality is, we don’t always understand the ripple effects involved.”

‘Acts of War’ and Standalone Cyber

In the case of Merck for example, most of its 30 insurers and reinsurers denied coverage under the company’s property policies for damage resulting from NotPetya even though the policies provided $1.75 billion worth of coverage for catastrophic risks including the destruction of computer data, coding and software, Bloomberg reported. This is because Merck’s property policies specifically excluded acts of war, Bloomberg’s report stated.

“Everyone fundamentally understands why you would exclude war in a property policy,” Ward said. “It’s a systemic risk that no company could hope to cover.”

Fueled by the need for coverage limits that adequately cover increasingly sophisticated cyber incidents, such as NotPetya, the insurance market has since begun to shift toward standalone cyber policies, said Caroline Thompson, head of underwriting at cyber insurance provider Cowbell Cyber.

“When cyber attacks started to evolve and use technology to execute an attack by a person or group that was associated with a government or organization, it created a need for cyber terrorism to be explicitly covered under a [standalone] cyber policy,” she said, adding that “at Cowbell Cyber, we strongly believe that only standalone cyber insurance can provide a detailed and precise definition of what the policy intends to cover, which ultimately results in higher policyholder satisfaction and a smoother claim process.”

Pandemic Cyber Risk

With NotPetya still fresh in the insurance industry’s rearview mirror, Brew agreed that cyber coverage is constantly evolving to keep pace with emerging areas of risk. He pointed to what’s happening now with the COVID-19 crisis as one major example.

Indeed, in an interview for Insurance Journal TV, Scott Fouts, vice president of Hub International’s Risk Services division, stated that with many companies’ employees working remotely due to the ongoing pandemic, “the likelihood of having a cyber attack right now is pretty high.”

He said companies can combat this heightened cyber risk by ensuring they have a good IT team in place, their technological infrastructure is set up correctly, and security measures are in place to educate employees and respond if an incident does occur.

“I think there’s probably a little bit of false security working from home,” Fouts said.

This, coupled with the fact that attackers are using increasingly sophisticated methods, has created a greater risk environment for a large attack, Ward said.

“The broad [attack] methods are largely the same, but the tools they use are changing all the time. Artisan-level malware is now in the hands of a ton of attackers,” he said.

Brew said the insurance industry can prepare by supporting clients to improve proactive risk mitigation strategies, develop realistic disaster scenario frameworks to understand the implications and manage capital to address exposures and maintain a sustainable market.

Looking forward, Thompson added that cyber insurance offerings should be built using data, artificial intelligence and continuous underwriting that ingests new data in real time and rapidly responds to today’s ever-changing threat landscape.

“At this stage of maturity in the cyber insurance market, open communication and transparency are critical to support a healthy growth of the cyber insurance market,” she added.

Most of all, she emphasized that it is important for insurers to understand the cyber risks related to their insureds.

Because, she said, “there is always going to be another attack.”

[inline-ad-2]