Just when you think that you are covered, you discover that you may not necessarily be protected by your cyber insurance. That was the startling message in an article by Adam Satariano and Nicole Perlroth with the title “Cyberattacks Reveal an Insurance Gray Area” in the SundayBusiness section of The New York Times of April 21, 2019. The online version of the article, dated April 15, 2019, with the title “Big Companies Thought Insurance Covered a Cyberattack. They May Be Wrong,” is at

As you can read in the article, whether a claim is accepted or not might depend on the definition of cyberwarfare. Insurance companies refuse to pay out, under the so-called “war exclusion,” if they consider a cyberattack—even one that is not specifically aimed at the subject organization—to be an act of war, as they have apparently done in the cases of Mondelez and Merck, which were attacked by the NotPetya malware that ravaged international business (including a Russian oil company!) in the summer of 2017. There is an excellent article by Andy Greenberg, dated August 22, 2018, with the title “The untold story of NotPetya, the most devastating cyberattack in history.” The article describes in detail the events of the attack. It is available at

There has been a long-standing issue as to what constitutes “cyberwarfare.” I discussed the matter in my BlogInfoSec column of June 20, 2011 (yes, 8 years ago) with the title “Against All Enemies.” I was responding to an Op-Ed column by Richard Clarke in The Wall Street Journal of June 15, 2011.

The remaining questions are: What constitutes cyberwarfare? Who decides whether a particular cyberattack is an act of war or not? What is a justifiable response to such acts?

It seems that we still do not have a generally accepted definition of cyberwarfare. This should come from governments and should be internationally supported—not from insurance companies. Yes, there will always be issues of attribution, but those exist in the physical world also, as discussed in my June 2011 column. So far as responses are concerned, insurance companies can deny claims, as they have, under the war exclusion, where litigation becomes the final arbiter. But what about governments and the military? How do they respond when attribution is so nebulous? Good questions all. But we seem to be as far from the answers as
