Time for Regulators to Take Cyber Insurance Seriously

Josephine Wolff
Tuesday, March 17, 2020, 3:30 PM

Cyber insurance has grown into a multibillion-dollar global business. Regulators need to start paying serious attention and resolve the lack of clarity surrounding policies.

Published by The Lawfare Institute
in Cooperation With
Brookings

Editor's note: This article is part of a series of short articles by analysts involved in the Cyberspace Solarium Commission, among others, highlighting and commenting upon aspects of the commission's findings and conclusion.

In April 1997, Steven Haase and some of his colleagues in the insurance industry hosted a “Breach on the Beach” party at the International Risk Insurance Management Society’s annual convention in Honolulu to launch the first ever cyber-insurance policy, called the Internet Security Liability Policy. Haase had spent nearly two years trying to develop an insurance offering that would cover online security risks and threats, but only about 20 people showed up to his big launch. It would be years, still, before cyber insurance would generate sufficiently significant sales numbers to attract the interest of most major insurers and their customers. More than two decades later, cyber insurance has expanded into a multibillion-dollar global business, with 528 U.S. insurance firms reporting that they offered cyber-specific policies in 2018.

Yet, despite this rapid growth, cyber insurance has posed significant challenges for both the buyers and the sellers of these policies. In a market without standardized expectations for coverage, buyers often fail to understand exactly what types of incidents are covered. Meanwhile, given the incomplete and inconsistently collected data on cybersecurity incidents, insurers are often unsure how to model and price cyber risks, resorting to pricing policies based on the revenue and size of the firms they are selling to, rather than a meaningful assessment of those firms’ risk exposure and defense postures. And hovering over all those concerns about fine-tuning actuarial models and pricing is the fear that a large-scale cyberattack could affect so many customers simultaneously that insurers would be unable to pay out all the necessary claims. Unlike with, say, flood insurance or auto insurance, when it comes to anticipating cyberattacks, it is difficult for insurers to know how to assemble a diverse group of customers who will not all be victims of the same incident.

Perhaps the closest the cyber-insurance industry has come to dealing with such a large-scale attack that cut across victims in many different industries and countries was the NotPetya ransomware virus, which affected more than 80 companies worldwide during the summer of 2017. NotPetya, which was later attributed to the Russian government, exploited a vulnerability in the Microsoft Windows operating system to encrypt the contents of infected computers’ hard drives and demanded a ransom payment of roughly $300 worth of Bitcoin before it would turn the contents of the computers back over to their owners. One victim of the malware was multinational food company Mondelez International, which had to shut down 1,700 servers and 24,000 laptops because of NotPetya infections.

In the aftermath of the incident, Mondelez filed a claim with its insurer, Zurich Insurance, under its global property insurance policy, which covered “physical loss or damage to electronic data, programs or software, including loss or damage caused by the malicious introduction of a machine code or instruction.” Zurich initially agreed to pay out $10 million to Mondelez to cover its losses but then changed its mind and refused to cover any of the costs on the grounds that NotPetya was a “warlike action” perpetrated by a “government or sovereign power” and thereby excluded from its coverage. Mondelez filed a $100 million lawsuit against Zurich in January 2019 and the as-yet-unresolved case is just one of the latest in a series of cyber-insurance disputes going back a decade that highlight how complicated and confusing these policies have become as insurers and their customers pilot new products and wrestle with new threats.

In 2011, Sony’s popular PlayStation Network was compromised and hackers stole information about 77 million PlayStation users’ accounts. In the aftermath of that breach, as Sony patched the vulnerable software that had enabled the breach and dealt with numerous class action complaints, the company filed a claim with its insurer, Zurich American Insurance Company, under its commercial general liability policy. Zurich denied the claim, even though the policy included coverage of personal injury, specifically including “oral or written publication in any manner of the material that violates a person’s right of privacy.” Sony then sued Zurich in an attempt to force the insurer to cover some of its losses from the breach, and the case went to the New York Supreme Court. The court ruled in 2014 in favor of Zurich because the publication of material that violated people’s privacy was done by the hackers who stole the information—not Sony itself. “The third-party hackers took it. They breached the security. They have gotten through all of the security levels and they were able to get access to this,” Justice Jeffrey K. Oing wrote in the ruling. “[The policy] requires the policyholder to perpetrate or commit the act. It cannot be expanded to include third-party acts.”

Figuring out what does—and doesn’t—constitute cyber war or third-party acts is not the only challenge insurers and their customers have gone to court to resolve. In 2018, the National Bank of Blacksburg filed a lawsuit against its insurer, Everest National Insurance Co., after two cybersecurity incidents in 2016 and 2017 cost the bank $2.4 million. The incidents, believed to be perpetrated by Russian hackers, were initiated through phishing emails that were used to steal employee credentials. The hackers then used those credentials to withdraw money from hundreds of National Bank ATMs. National Bank filed a claim with Everest under its $8 million computer crime policy, but Everest denied the claim, saying that the incidents were instead an instance of credit and debit card misuse—a type of claim for which National Bank was covered only up to $50,000. This dispute gets at another challenge of cyber-insurance claims: Many cybersecurity incidents fall under multiple types of coverage because there are so many different kinds of cyber risk tied to so many different types of losses.

And even when insurers don’t dispute customers’ claims, cyber-insurance coverage can raise significant ethical concerns and present serious costs to society. For instance, last year, in the midst of a wave of ransomware attacks directed at city and local government systems, cyber-insurance coverage played a crucial role in enabling some victims to pay the demanded ransoms. Riviera Beach, Florida, paid a $592,000 ransom demand through its insurance policy, and Lake City, Florida, authorized a $460,000 ransom payment of which it was responsible for paying only $10,000 thanks to its generous insurance coverage. Their insurance may have saved the targeted cities money in the short term, but ultimately these payments to the criminals who targeted public infrastructure only fund and incentivize further cybercrime.

It is well past time for regulators to start paying serious attention to cyber insurance and helping resolve the lack of clarity surrounding these policies, concerns about the effects of catastrophic incidents, and the perverse effects of coverage that provides direct financial assistance to criminals and normalizes the payment of online extortion demands. The growing body of legal disputes around cyber-insurance claims, including those brought by Mondelez and National Bank, speak to the complexity of new cyber-insurance policies and the associated exceptions and overlapping coverage built into them. Carefully tailored, narrow policy measures could help strengthen, stabilize and support the development of cyber insurance moving forward.

At the federal level, the government should look into providing a clearer guarantee of support for carriers in the event of catastrophic cyber risks and a corresponding requirement that threats or attacks that do not meet this threshold may not be exempted from existing cyber-insurance policies as acts of war or terrorism. This will help reassure insurers about their ability to handle large-scale attacks while also clarifying for customers that they will not be denied coverage merely because they suffer a sophisticated or state-sponsored attack that affects many victims.

State regulators should help provide insurers with standardized templates and wording developed in partnership with the Insurance Services Office for designating which risks are and are not covered under their policies. This will further help clarify for customers what risks they are purchasing protection for and enable clearer comparison across insurance policies for brokers and insurance holders.

States should also consider requiring insurers to report aggregate claims data to state regulatory authorities on the correlations between different cybersecurity products, frameworks, and guidelines and claims data. This will help businesses, governments and researchers learn from the collected experience of insurers in trying to assess the effectiveness of different cybersecurity techniques, tools and services. It will also allow insurers to aggregate more data across their customer bases and develop stronger data sets to determine the cybersecurity best practices that yield better outcomes.

Finally, regulators should prohibit insurers from paying online extortion demands, including ransoms to recover files and infected systems. They should further limit how much insurance money can be put toward paying legal settlements and government fines for companies that experience cybersecurity breaches and are found to be negligent in their security practices by courts or regulators. This will prevent businesses from using cyber-insurance policies to insulate themselves from the direct costs of ransomware and other forms of online extortion and reduce the profits reaped by the criminals perpetrating these schemes. It will also force firms to more directly face the financial consequences of their security decisions and allow for lawsuits and regulatory investigations to serve as more effective deterrents of poor security practices.

Organizations increasingly rely on cyber insurance to help manage online risks. It is time for regulators to stop treating this market as a small, peripheral piece of the insurance industry and instead focus their attention on how they can help transform it into a more stable and effective tool for cybersecurity risk management.


Josephine Wolff joined the faculty of The Fletcher School as an assistant professor of cybersecurity policy in 2019. Her research interests include international Internet guidance, cyber-insurance, security responsibilities and liability of online intermediaries, government-funded programs for cybersecurity education and workforce development, and the legal, political, and economic consequences of cybersecurity incidents. Her book “You’ll See This Message When It Is Too Late: The Legal and Economic Aftermath of Cybersecurity Breaches” was published by MIT Press in 2018. Her writing on cybersecurity has also appeared in Slate, The New York Times, The Washington Post, The Atlantic, and Wired. Her book "Cyberinsurance Policy: Rethinking Risk in an Age of Ransomware, Computer Fraud, Data Breaches, and Cyberattacks" will be released by MIT Press in August 2022.

Subscribe to Lawfare