In this article, we’ll outline why, particularly given the current climate, war exclusion clauses are increasingly rendering ransomware insurance of reduced value – and why your organization should focus on protecting itself instead.
What is ransomware insurance?
In recent years, ransomware insurance has grown as a product category because organizations want to buy protection against the catastrophic effects of a successful ransomware attack. Why buy insurance at all? A single successful attack can just about wipe out a large organization, or lead to crippling costs – NotPetya alone led to a total of $10bn in damages.
Ransomware attacks are notoriously difficult to protect against completely. As with any other potentially catastrophic event, insurers have stepped in to offer an insurance product: in exchange for a premium, they promise to cover many of the damages resulting from a ransomware attack.
Depending on the policy, ransomware insurance could cover loss of income if the attack disrupts operations, or loss of valuable data if data is erased during the ransomware event. Some policies also cover you for extortion; in others, the insurer will refund the ransom demanded by the criminal.
The exact payout and terms will of course be defined in the policy document, also called the “fine print.” Critically, fine print also contains exclusions, in other words circumstances under which the policy won’t pay out. And therein lies the problem.
What’s the issue with fine print?
It’s understandable that insurers need to protect their premium pools against abuse. After all, it’s easy for an actor to sign up for insurance not because they are seeking protection, but because they already have a claim in mind.
Fine print isn’t necessarily a bad thing; it’s a way for both parties to define the terms of the agreement so that everyone knows what’s expected, and what they’re entitled to. Within ransomware insurance, the fine print makes some reasonable demands.
For example, your policy will require you to make minimum efforts to protect your workloads against ransomware. After all, it’s reasonable to expect that you take precautions against an attack. Similarly, you will probably find a notification clause in your contract that requires you to notify your insurer about the attack within a specified timeframe.
Another common exclusion is war-related: insurers retain the right to refuse to pay out on a claim if the damage resulted from war or war-like actions. It’s this fine print that is currently causing concern, for three reasons.
The complexity of war exclusions
When one nation-state turns on another, cyberwarfare can be used to inflict damage outside the usual realm of war. Cyberwarfare can be incredibly indiscriminate: the parties affected are not necessarily government organizations – it could be a business that’s caught in the crossfire.
Insurers have a valid reason to try to exclude this massive level of exposure. However, there are a couple of problems. Defining a war is the first issue – when does an act of aggression qualify as a war-related activity? Another difficulty is attribution, because cyber attackers generally try their best to disguise themselves – it is uncommon for an attacker to openly declare their involvement in an attack.
When an organization suffers a ransomware attack, how does the insurer – or the claimant – prove that a specific organization was behind the attack, and consequently what the motivation for the attack was, e.g. war? How do you find out at all? Finding hard proof, or indeed any proof, to support attribution is very challenging.
Just think back to how many times ransomware attacks are said to be perpetrated by “<insert state name here> groups”. That doesn’t (or shouldn’t) mean state-sponsored actors are behind the attack, but pinpointing the origin of an attack is often so hard that any actor can be blamed, and it’s usually very hard or even impossible to prove otherwise.
And here’s the thing. Claims under ransomware insurance won’t be small – ransom demands are commonly in the millions, while damages could be as much as a billion dollars. Out of understandable self-interest, insurance companies will try to find any grounds possible to refuse to pay a claim.
It’s no wonder then that these claims are commonly contested – in court.
It may just end up in court
When there’s a disagreement about an insurance claim, the claimant would typically turn to the courts. The outcomes of these cases are uncertain, and it can take a long time to reach a resolution. One example is Merck’s case against Ace American Insurance. The case concerned the NotPetya attack of June 2017, in which Merck suffered a major intrusion that took months to recover from and which the company estimated cost it USD 1.4bn.
However, when the company tried to claim on its USD 1.75bn “all-risk” insurance policy, Ace American initially refused to pay the claim, arguing that it was subject to an “Acts of War” exclusion clause. It based this position on the fact that NotPetya was deployed by the Russian government in an act of war against Ukraine.
The claim ended up in court a short while later, but it took over three years for the court to come to a decision – ruling in Merck’s favor on this occasion. The court found that Ace American, like many other insurers, had not sufficiently changed the wording of its policy exclusions to ensure that the insured – Merck – fully understood that a cyberattack launched in the context of an act of war would mean that the policy coverage was not valid.
Protecting yourself is your first priority
The insurance industry knows, of course, that there is a lack of clarity. In a recent major step, the Lloyd’s Market Association, a membership network of the influential Lloyd’s of London marketplace, published a set of clauses that its members could include in the terms and conditions of cyber insurance products.
These clauses are supposed to do a better job of excluding war-related cybersecurity breaches. But, again, there may be some points of contention – with attribution being the biggest concern.
The upshot is that there’s an increasing likelihood that any ransomware insurance you subscribe to may not pay out when you need it most – particularly when taking today’s heightened global security environment into account.
This doesn’t mean that cybersecurity insurance has no role to play; depending on the premiums and level of cover, it may well be an option. But it’s an option of last resort: your own internal efforts to protect your IT assets from attack remain your first line of defense – and your best bet.
The best insurance: a firm cybersecurity posture
As mentioned before, any ransomware insurance policy will have minimum cybersecurity requirements in place – conditions you need to meet to ensure your policy pays out. These might include things like regular, reliable backups as well as threat monitoring.
We’d suggest that you go further and truly maximize the protection you put in place across your technology estate. Add further layers of protection, specifically a live, rebootless patching mechanism like TuxCare’s KernelCare Enterprise, or Extended Lifecycle Support for older systems that are no longer officially supported. Doing so shortens the window in which known vulnerabilities remain unpatched on your systems.
No solution can give you airtight security, but it can help you reduce risk windows to the absolute minimum, which is as close to airtight as you can get. Taking every available step to protect your systems helps you avoid an unpleasant surprise, such as finding out that your insurance does not cover your data loss.
So yes, by all means, take out insurance to cover you as a last resort. But ensure you do everything you can to protect your system using all available tools.