Malicious Life Podcast: What's the Problem with Cyber Insurance?

Thousands of companies are losing millions of dollars to cyber attacks. Insurance seems like an ideal solution to their woes - yet this kind of insurance is much less common today, than it should be. What's the problem with Cyber insurance?

 

Jeffrey-Smith-Photo-300x300
About the Guest

Jeffrey Smith

CYBER RISK UNDERWRITERS

Jeffrey Smith is the founder of Cyber Risk Underwriters, a specialty provider of cyber insurance and related products. In this role, Jeffrey created a business model to educate clients about the catastrophic nature of cyber security risks, generate alternative distribution channels for cyber insurance products, and create a brand reputation evolving around exposure analytics and custom program design.

Prior to joining Cyber Risk Underwriters, Jeffrey enjoyed over 25 years of success providing complex insurance and risk financing design, brokerage and relationship management expertise for large corporations, educational institutions, and not-for-profits. He has served many industry verticals including health care, technology, real estate and private equity.

ran-levi-headshot
About the Host

Ran Levi

Born in Israel in 1975, Malicious Life Podcast host Ran studied Electrical Engineering at the Technion Institute of Technology, and worked as an electronics engineer and programmer for several High Tech companies in Israel.

In 2007, created the popular Israeli podcast Making History. He is author of three books (all in Hebrew): Perpetuum Mobile: About the history of Perpetual Motion Machines; The Little University of Science: A book about all of Science (well, the important bits, anyway) in bite-sized chunks; Battle of Minds: About the history of computer malware.

About The Malicious Life Podcast

Malicious Life by Cybereason exposes the human and financial powers operating under the surface that make cybercrime what it is today. Malicious Life explores the people and the stories behind the cybersecurity industry and its evolution. Host Ran Levi interviews hackers and industry experts, discussing the hacking culture of the 1970s and 80s, the subsequent rise of viruses in the 1990s and today’s advanced cyber threats.

Malicious Life theme music: ‘Circuits’ by TKMusic, licensed under Creative Commons License. Malicious Life podcast is sponsored and produced by Cybereason. Subscribe and listen on your favorite platform:

All Posts by Malicious Life Podcast

Malicious Life Podcast: What's the problem with Cyber Insurance? Transcript

They’ve got insurance for everything. You can get an insurance policy on your house, your car, everything else you own, your business and its employees, your health, your death. Just about anything of value that can be lost or damaged can be insured. It stands to reason, then, that computer systems–network infrastructure, physical machines and data–should also be insured in cases of loss or damage.

In past episodes of our podcast, we’ve told stories where huge amounts of money are stolen from private companies. There was Valve, which claimed to have lost 250 million dollars in revenue to a lone hacker, and Mt. Gox, which lost one million Bitcoin under their control. Target owed customers 18.5 million dollars in legal damages after their payment systems got hacked. In none of these cases had we mentioned–even thought to mention–that these companies could have, in theory, largely covered those losses, with one simple solution.

The solution is so simple, in fact, that we’re left asking: what’s wrong with cyber insurance, that it’s not much more prevalent in the world today?

Risk of Outbreak
Well, one obvious answer is that cyberspace is risky for insurance companies. Typically, cyber attacks don’t occur in a vacuum. When we talk about Equifax, or Target, or Mt. Gox on Malicious Life, we do so because these are outstanding stories, not the norm. Usually, hackers spread their attacks to hundreds, even thousands of victims. Think Gozi, or Conficker, or the Melissa virus. If an insurer had lots of clients under cyber policies during the Conficker outbreak, they’d have been on the hook for lots and lots of huge payments, all coming in at once.

And there’s a second problem. Say you’re an insurer, preparing a policy covering somebody’s car. You can estimate, with some certainty, how likely that person is to get into a car accident, based on his or her age, how many accidents they had before, what type of car they’re driving, and so on. And because every car accident imaginable has already happened a million times, there’s no claim this person could file that could really catch you off-guard.

Now imagine you’re preparing a policy covering a company’s IT infrastructure. How likely is it that those computers will be subject to harm? Well, you might consider the size of the company, the nature of their business, and so on. But there are lots more factors that aren’t so easy to estimate: not just how likely a cyber attack is, but how serious the damage would be should one occur. Cyber attacks vary wildly–a laced email opened by a secretary might download an unpleasant malvertising bug to their computer, or it might allow in a highly sophisticated virus that spreads throughout the company, burrows itself into every computer and corrupts the entire network along its way.

[Jeffrey] My name is Jeffrey Smith. My company is Cyber Risk Underwriters. We underwrite, distribute cyber insurance primarily to small to medium enterprise companies.

I met Jeffrey last August in Las Vegas, at Black Hat 2019, where he gave a talk about cyber insurance – the first of its kind in Black Hat’s history, actually

[Jeffrey] It’s new and it’s fun and it’s different. And I got to tell you, the people that I met at black hat and the security people that I met are so much more interesting than the insurance people that I deal with for the last – that was for the last 25 years. Low bar, OK? But fascinating because while I was studying insurance policies and reviewing claims and working with actuaries on developing loss forecast, these hackers I met, they were hacking in the AOL chat rooms. They are climbing telephone poles to eavesdrop on people’s conversations. They are breaking stuff. And they are so much more interesting and they are a lot of fun and the stories I hear were fascinating.

Surprisingly, when I asked him about the two challenges we noted – the risk of large scale malware outbreaks and the difficulty in assessing a company’s security posture – he didn’t seem too worried. In fact, he had good answers to both questions. First, the risk of a large scale outbreak.

[Jeffrey] Well, insurers are clever about managing their portfolio. They buy reinsurance and the re-insurers buy reinsurance. And so ultimately, the risk is spread across. That’s the concept of insurance is to spread the losses of a few among the many.

And as for assessing the strength of a potential client’s cyber defenses, it turns out that insurers have ways of mitigating risk for themselves, while offering helpful services to their customers both before and after a hack has occurred.

[Jeffrey] So the underwriting process actually can act as a check and balances or an outside perspective on a firm’s security posture. So in that process, there’s an assessment, a lot of the new insurers are actually using hacking tools like pen testing to do assessments and they come back with recommendations. The coverage is of an insurance contract once policy is issued, there are two – there are three primary components of the policy. There are first party coverages. There are third party coverages. And then most importantly in my opinion, there are services that are provided, and these services are something that differentiates cyber insurance from other types of insurance like property insurance or liability insurance.

[Ran] What kind of services for example?

[Jeffrey] For example, first party insurance, and I don’t like the terms first party and third party because it sounds like a middle grammar class and it confuses a lot of people. So the way I put it is first party coverages are for your staff so that you would include, you have a breach, you have to have what we call a breach coach, somebody who you call who has been in crisis before and knows how to manage them, PR people, notifications, you will have specific lawyers who have expertise in cyber insurance and legislation litigation and they will tell you immediately if you have notification requirements in the state that you’re in, if you have HIPAA issues or other regulatory issues, reporting issues that you have to accommodate.

Jeff is emphasizing the benefits these services have to his clients, and everything he’s saying is true. But it’s also true that these services help the insurers too.

It’s difficult to know how secure a company is against cyber attacks. Even the employees and executives at most companies tend to not have a clue. It’s the reason why corporations keep getting hacked, year after year, usually by adversaries far smaller and less-well-resourced than they are. No insurer in their right mind could learn about the Target hack, the Equifax hack, Mt. Gox, Ashley Madison, Saudi Aramco, the DNC, or NASA without worrying about what entering this kind of market would do to their bottom lines.

So they prepare against such cases, by conducting their own testing and assessing their new clients’ security posures. By the end, both parties have a better understanding of what risks that client faces. If the tests yield cautionary results, the client will warrant a more expensive policy. Additionally, by providing lawyers, coaches and PR teams, the insurer can feel safe in the knowledge that the potential damages caused by a data breach would be mitigated to the fullest extent possible. This helps the client avoid headaches, and helps the provider save on payouts.

These protective measures go some way to making the market viable, for both sides involved. But we still haven’t answered our main question: if insurers have ways to mitigate their risk, why isn’t cyber insurance taking off?

Data Valuatin
Well, there’s another issue that insurers have to account for: data valuation. It’s simply not that easy to assign dollar values to digital information.

It’s easy to insure a house or a car, because such things are appraised. A house bought for 300,000 dollars five years ago is probably worth somewhere around 300,000 dollars in value today. But how much is someone’s phone number worth? Or ten million people’s phone numbers? Or a set of metadata on how ten million people interacted with your app with their smartphones over the past six months?

These are tough questions, true, but frankly – even with more straightforward forms of insurance we run into similar issues. There are items that hold more value to their owner than they would an insurer, like a family heirloom, or a picture book. Luckily, insurance has been around for quite awhile. Disaster after disaster, case after case, lawsuit after lawsuit, we’ve come up with a set of norms and standards for how things should be covered. So…Maybe cyber insurance isn’t more complicated, it’s just less familiar. Maybe the market as a whole is still not experienced enough to have good answers to all the complicated edge cases we’re likely to encounter. As decades pass, and each new cyber catastrophe feels a little bit less unprecedented than the last, these rules will start to work themselves out. Or so you’d think.

The Experience Paradox
We’re talking about cyber insurance like it’s a new thing, when it’s not. It’s newer than most other types of insurance, but the industry’s been around more than a few years already.

[Jeffrey] Well, I’ve been in the insurance business about 20 plus years. And cyber insurance started to get some traction. The product has been around for about 20 years but it really started to get a lot of traction probably about 10 years ago.

There have already been cases, disasters, and lawsuits surrounding the cyber insurance industry. And yet, paradoxically, as the industry has developed, it hasn’t established much faith in the wider community. I mentioned earlier that Jeffery’s talk in Black Hat 2019 was the first of its kind. That’s because in earlier events, the organizers rejected offers from people in the insurance industry to speak at the conference.

[Jeffrey] Well, it’s funny. One of my co-presenters had made submissions to black hat I think on five separate occasions, and each one was rejected. And one of them, the rejection letter that I guess black hat used to give you an explanation, the rejection letter said, “Not at black hat. That’s interesting but not at black hat.” […] And I think the push back was for two reasons. One, I think a lot of the CISOs were concerned that their efforts could be replaced by a cheap insurance policy. [. . .] I think that was an issue. And then they would – you would see headlines about some isolated claims denials.

Jeff’s argument about CISOs may or may not be accurate, but his second point–about the kinds of headlines that cyber insurance stories sometimes receive–is interesting. In the course of our conversation at Black Hat, Jeff brought up one case in particular that ruffled a few feathers a year or two ago. It concerned Mondelez International, a food and beverage company from the suburbs of Chicago. You may not be familiar with the name Mondelez, but you’ve almost certainly consumed their product: Oreos, Chips Ahoy, Triscuits, Cadbury, Toblerone, Halls, to name a few.

Mondelez & NotPetya
Typically, cyber insurance doesn’t make headlines. Mondelez was the exception to the rule.

In the summer of 2017, a particularly nasty virus visited computers around the world. It was called NotPetya.

NotPetya was a more powerful, more destructive variant of Petya, a ransomware program first spotted in the wild one year prior. The original Petya spread through infected email attachments. When it arrived on a computer, it would trigger a restart. Once restarted, the program prevented Windows from booting back up. Instead, it displayed a screen demanding a ransom be paid out in Bitcoin, or else the computer would remain encrypted and unusable.

Petya was bad, but its successor was much worse. NotPetya was similar to Petya, but equipped with new exploits like EternalRomance and EternalBlue—two leaked Windows exploits developed by the NSA. The exploits took advantage of zero-day vulnerabilities in Windows computers, allowing NotPetya to spread over networks without participation from any human hand. This wasn’t the only thing that made it dangerous, though.

The first Petya encrypted a computer’s master boot record, preventing it from starting up. Every infected machine was delegated a unique code, which could be used to identify who paid their ransom. So if I, Ran, was infected with Petya, and I paid the ransom, I could say “Hi hackers, here’s the money you asked for, my ID is xxxxx, please unlock my computer.”

NotPetya kept Petya’s ransom notice, but the codes it gave each machine were randomly generated. So if I paid off my hackers, they’d have no means of connecting my payment with my computer. Even worse, NotPetya encrypts all kinds of files past the master boot record, and does it so poorly that those files become damaged beyond repair in the process. So I’ve paid the hackers thousands of dollars worth of Bitcoin; in return, my computer remains completely unusable, and even if the malware did go away, my system would probably be ruined anyway.

This was the virus that struck Mondelez International in 2017. It happened right in the middle of a workday. Computers froze while employees were using them. Email, access to files and all kinds of internal cyber infrastructure was blocked. A few weeks, and over 100 million dollars later, the company finally got back to working order.

Mondelez Vs. Zurich Insurance Group
The one positive that could be spun from Mondelez’s financial nightmare was that they’d owned an insurance policy covering their cyber assets. This, they figured, would transform a financial catastrophe into an inconvenient time sink. They filed a claim with their insurer, Zurich Insurance Group.

Initially, everything seemed fine. Then on June 1st, 2018, one year after the attack, Zurich sent a letter in response to Mondelez‘ claim. In it, it denied any responsibility to pay Mondelez for their incurred damages. This was confounding to many, considering the stated benefits in Mondelez’s policy. According to court filings, quote:

The Policy provides annual coverage […] for “all risks of physical loss or damage” to MDLZ’s property, specifically including “physical loss or damage to electronic data, programs, or software, including physical loss or damage caused by the malicious introduction of a machine code or instruction …. “

The Policy also specifically provided other types of coverage. including but not limited to “TIME ELEMENT” coverage, including for “Actual Loss Sustained and EXTRA EXPENSE incurred by the Insured during the period of interruption directly resulting from the failure of the Insured’s electronic data processing equipment or media to operate” resulting from malicious cyber damage.

In other words, Mondelez was entitled to compensation in proportion to all damages and losses to their cyber valuables, as well as the time they lost trying to get back to normal operations. Every computer destroyed by NotPetya, all the data lost, all the time wasted, was supposed to be covered under their policy. And yet, Zurich was claiming no responsibility. Their argument cited a strange kind of loophole common around the insurance industry: the war exclusion.

The War Exclusion
Mondelez’ policy included the following provision, quote:

This Policy excludes loss or damage directly or indirectly caused by or resulting from any of the following […] a) hostile or warlike action in time of peace or war, […] including action […] by any: (i) government or sovereign power (ii) military, naval, or air force; or (iii) agent or authority of any party specified in i or ii above.

In plain English: Mondelez had a right to coverage, but not if their attackers were a government or military entity.

The war exclusion is not specific to cyber insurance. If my house accidentally burns down, I’m entitled to compensation from my insurance provider. But if my house burns down because a nuclear bomb strikes the city I live in, my insurer will not cover my losses. It sounds unfair, but it’s understandable: they probably have tens of thousands of other clients in the same city, and not enough money to pay us all at once.

In theory, the rule is smart. But Zurich Insurance Group was now claiming that this provision–meant to protect against war, revolution, nuclear bombs–was relevant to the case of a cookie company. Their reasoning rested on a series of statements, released by Western governments in mid-February 2018, ascribing NotPetya to the Russian military.

If NotPetya was a Russian military operation, does that necessarily mean it constituted an act of war? The question has a few levels to it. For one thing, the intelligence that led the White House to blame Russia’s military has not been made public–we have to trust the government’s word on it.

But let’s take that as a given. Even if Russia did build NotPetya, they didn’t actually aim it at the United States. It was released on the eve of Ukraine’s Constitution Day holiday, and around four out of every five infections occurred in Ukraine. European and American victims appear to have been merely collateral damage. (In fact, NotPetya hit some Russian computer systems, too. Clearly its spread was not particularly well-controlled.)

The third thing to consider is whether a ransomware-style cyber attack actually constitutes a war or warlike action. How many times on Malicious Life have we told stories of Russia, China, the U.S., all hacking one another? And yet you wouldn’t say these nations are at war. Even Russia and Ukraine aren’t, technically, at war with one another.

All these factors would suggest NotPetya wasn’t a warlike attack, at least as it pertained to Mondelez. Still, the language in Mondelez’ insurance policy was vague: it classified, quote, “hostile or warlike action in time of peace or war,” end quote, by any government or military entity, as uninsurable.

Was NotPetya “hostile?” Well, sure, every cyber attack is hostile.

Bad Press
When press got wind of the Mondelez case, reporters largely used it as evidence to why cyber insurance isn’t worth it. Take The New York Times as an example, and their headline, quote: “Big Companies Thought Insurance Covered A Cyber Attack. They May Be Wrong.” To Jeff, this interpretation misses the mark.

[Jeffrey] So the press says, “Cyber insurance doesn’t pay because their claim was denied.” What the press doesn’t understand, most people don’t understand, is that this company did not purchase cyber insurance. They did not purchase a standalone cyber insurance policy. They purchased a property insurance policy that had a cyber – a component of cyber coverage in it.

So one of the confusing aspects of cyber insurance is that there is overlap, so there can be a little bit of coverage in a property policy, there can be a little bit of coverage in a crime policy, but the coverages are exceptionally limited and they are usually really in small amounts. Anyhow, so there has been a lot of press about Mondelez in particular. And so, people are looking at that and saying, “See, cyber insurance doesn’t pay.” But what they don’t really understand is that this company apparently did not buy a cyber insurance policy.

What Jeffery is saying, basically, is that cybersecurity is just–excuse my sophisticated terminology here–weird. Data is complicated to get a handle on. Security is tough to evaluate. And because of that, clients should invest in dedicated cyber insurance, instead of cyber insurance that comes bundled in with other property insurance. The distinction Jeff’s making here isn’t necessarily obvious, so I’ll explain it with an analogy.

Have you ever bought one of those 2-in-1 shampoo-conditioners, or an all-purpose cleaning spray from the convenience store? They sound great, in concept, but have you ever actually used them? They’re not that great, usually.

Property insurance is kind of like an all-purpose cleaner. It sounds like a perfect solution for all your cleaning needs, and for many of them—dirty countertops, tabletops, et cetera—it is. But an all-purpose cleaner is probably not going to clean a window as well as a window cleaner would, or an oven as well as an oven cleaner. Likewise, a property insurance policy with a cyber component is probably not going to address all potential cyber risks and damages like a dedicated cyber insurance policy could. A comprehensive, dedicated cyber insurance plan will probably be more detailed, and thorough, and it will have been written by people who understand information technologies better than an ordinary insurance underwriter would.

In an email follow-up to our interview, Jeffery expanded on this view, writing, quote:

This dispute [The Mondelez dispute – R.L] is actually a validation of the importance of stand-alone cyber insurance. [. . .] While cyber coverages can overlap with other business insurance policies (most notably Crime, Property, and K&R) that often provide some limited coverage for cyber events, none are specifically designed to respond to all consequences of a breach such as this one. Cyber insurance policies contain war exclusions but the exclusion does not (should not) apply to cyber terrorism. We are not aware of any cyber policies that declined to pay NotPetya claims. Cyber insurers did not view NotPetya as an act of war as defined in their policies so cyber insurance covered it.

This isn’t to say that Zurich was innocent in what it did. Rather, according to Jeff, it’s that Mondelez would have been less-easily screwed over had they invested in a dedicated cyber policy. He used the comparison of another NotPetya victim, Merck & Co., a pharmaceutical company. Merck, like Mondelez, is currently in litigation with an insurer that provided them with property insurance. However, Merck also possessed dedicated cyber insurance. Their cyber insurance providers have paid, in full, all the expected recovery costs associated with what was lost and damaged by NotPetya.

Recall the question we’re trying to answer: why does cyber insurance seem useful, yet receive little attention in the IT industry? I think we have an answer. The existing insurance policies are not always the policies the clients really need. According to Jeff, it is only by investing with insurers dedicated to cyber insurance specifically that you can feel comfortable that you won’t be…well, Mondelez’d.

The Industry is Learning
Cyber insurance may be a few decades old, but it certainly still feels new.

[Jeffrey] Jeffrey Smith: the take-up rates, meaning that the amount of companies that actually buy cyber insurance is growing at a pretty good clip. I would say that still overall, probably less – certainly, less than 50% of companies do purchase standalone cyber insurance.

[Ran] So a lot of space to grow.

[Jeffrey] A lot of space to grow. I think particularly in the small to middle market enterprise space, it’s probably maybe 35% actually buying a standalone cyber insurance policy. But the trend is moving up. I think ultimately that not unlike property insurance, liability insurance, worker’s comp insurance, crime insurance, I think ultimately in sooner than we think, cyber insurance will be a standard part of business insurance portfolio.

There are still major questions to be answered before cyber insurance can be considered as reliable as other, more common forms of insurance. These questions are being litigated in courts today. Mondelez and Zurich are currently embroiled in their battle over 100 million dollars, and the outcome of the case will likely set a precedent for many future cases to come.

In the meantime, insurers are trying to learn from their past mistakes, and update their offerings to reflect demand, and more accurately address the peculiarities of the IT space.

[Jeffrey] some of the early policies were poorly written. And so you had …

[Ran] What does it mean poorly written?

[Jeffrey] Poorly written, that means they had some exclusions or coverage limitations that are no longer in the policies today that created some denial claims.

[Ran] Can you give examples?

[Jeffrey] Sure. Two examples, one was a healthcare system called Cottage Healthcare. They are a mid-size healthcare system in California. They had an attack, a cyber event, and a lot of files were exposed. They went and filed a claim against the cyber insurance policy head. I think this was like 2012. And the claim is denied. And the reason the claim was denied was because there was a maintenance condition in the policy. The insured indicated that they, I think in this instance, it was – they update a patch – I think it was a patching issue. And when they filed the claim, they didn’t realize that they had – that was a warranty basically that they had to continue to patch.

[Ran] But because the client didn’t patch, the claim was denied.

[Jeffrey] Exactly. The claim was denied.

[Ran] And you think that was a mistake from the insurer’s angle?

[Jeffrey] I think everybody is learning as they go. And I think early on, it gets back to the underwriting issue. We don’t know what we don’t know. And so early on, the insurers look at that and say, “OK, if you are patching actively, that’s a good thing for us and we are going to give you rate credit,” in theory.

[Ran] So you need to – we want to encourage the clients …

[Jeffrey] So you’re saying that you’re updating your patches all the time then we are going to write you. So there are no maintenance conditions in the policies today. They’ve all been taken out.

The second one and one of the more noteworthy examples is P. F. Chang’s. So P. F. Chang’s got hit. They had a big breach, exposed a lot of credit card records. There was a lot of fraud and whatnot with those credit cards. And there is this PCI DSS penalties, most security people are familiar with, and they are penalties that are included in merchant services agreements for credit card companies between credit card companies and vendors.

So in the agreements in this instance, P. F. Chang’s agreed that if there was an event and it was their fault then they agreed to compensate, in this example, I think it was Bank of America, for card re-issuance expenses, any fraudulent claims, and then there are actually additional fines and penalties in the contract.

Bank of America came back to P. F. Chang’s and said, “Hey, where is our 2 million bucks?” So P. F. Chang’s said, “OK, let’s write a check for 2 million bucks. We got cyber insurance. We are good.” They went back to cyber insurer and presented the claim and cyber insurer said, “There is no coverage in this because we exclude contractual liability.” So that …

[Ran] That’s 2 million now they didn’t get to reimbursed.

[Jeffrey] That’s correct. And that was not a particularly great moment in cyber insurance because people would expect those things to be covered. So now, there is specific coverage grants for PCI DSS liability.

[Ran]So you’re saying that the industry learned, learned its lessons from past failures with customers.

[Jeffrey] That’s correct.

It’s going to be a gradual coming-of-age for cyber insurance. But maybe in the next few decades, after Mondelez invents the quintuple-stuffed Oreo, long after the Malicious Life podcast has passed on to the other side, it will become as ubiquitous as property, liability, and the other pillars of the insurance world.

Eventually, it will have to be that way. Both sides–companies and insurers–have an incentive to make this thing work. We’ve just got a few kinks to figure out along the way.