The U.S. government blames North Korea for the attack on Sony. If true, the data heist could be in a major gray area between cyber risk and terrorism.
Cyber insurance policies tend to have vague or ambiguous language regarding acts of war or terrorism. A claim resulting from an attack by North Korea, or a self-proclaimed Islamic caliphate, would likely result in a legal battle over whether such a cyber risk is covered.
The first test cases have yet to make their way through the court system, but there's little doubt they're coming soon.
In the insurance industry, the Sony case sounds an alarm about a new source of risks to cybersecurity. Instead of criminals looking for credit card numbers — like the data breaches that cost tens of millions of dollars last year for The Home Depot and Target Corp. — terrorists and foreign governments are hacking computer systems for ideological or political motives.
The concept is new at a time when cyber coverage is still in its early stages.
"This is like insuring aircraft in 1915 — there's a lot more that we don't than we do know at this point," said Robert Hartwig, an economist and president of the Insurance Information Institute, an insurer-funded research organization. "And I think part of this involves developing expertise, developing databases that help us understand the nature of these attacks."
Insurers have kept pace with the rapid changes in technological risks since cyber insurance established critical mass in 2005, said Robert Parisi, national cyber risk product leader for the insurance brokerage Marsh.
But they've proceeded cautiously.
The broad language some insurers use in excluding certain risks is likely to lead to ambiguity that requires either arbitration or a legal fight. For example, some policies have exclusions for an "act-of-war" or "warlike activity."
"I could see where, at some point, that's where the coverage may start to get stressed, but, at the moment, at least our position here is that war is one nation declaring war legally and formally against another," Parisi said. "Absent of that, we don't even begin to discuss the exclusion."
Some cases of cyberterrorism are a far cry from one nation formally declaring war on another, but may still lead to a dispute about insurance coverage.
"In recent years, we have seen attacks from hacktivist groups, such as LulzSec and Anonymous, and it is believed that the U.S. Government has classified these hacktivist groups as terrorist organizations," insurance broker Christine Marciano and attorney Paul Ferrillo of Weil, Gotshal & Manges LLP, wrote in November for the Harvard Law School Forum on Corporate Governance and Financial Regulation.
"This can further complicate cyber insurance claims, which can be denied in the event such hacktivist groups are classified as terrorist organizations, and are identified as the cause of your company's cyber attack or data breach," Marciano and Ferrillo wrote.
In a phone interview, Marciano said language in most policies is very vague at this point. Some policies are clearly defined, but the definitions of a terrorist or an act-of-war are likely to be challenged when a business files a claim, she said.
Large businesses have the advantage of employing brokers, attorneys and risk managers to negotiate insurance-policy terms and minimize gaps in coverage. But small and mid-size businesses are more likely to buy off-the-shelf coverage. And exclusions in those off-the-shelf policies for damage caused by terrorism and war are a huge concern, Marciano said.
"Sony really rocked the boat with most cyber carriers not even thinking about something like that," said Marciano, president of Cyber Data Risk Managers, a brokerage specializing in cyber insurance in Princeton, N.J.
Evolving Cyber Policies
So, if cyber insurance doesn't necessarily cover damage caused by terrorists, or acts of war, would terrorism insurance do the job?
The short answer is that terrorism-insurance policies aren't designed to protect against the types of losses that would result from a cyber attack.
Terrorism policies are generally written to include property damage and loss of life — the type of damage caused by an explosion, or other standard examples of terrorism, said Hartwig, president of the Insurance Information Institute. Generally speaking, terrorism policies might also cover workers' compensation; directors' and officers' liability; aviation; marine.
Cyber policies were designed to match specific risks, which are outside the scope of terrorism insurance.
Standard cyber policies could include coverage for customer-notification expenses; credit monitoring and identity theft monitoring; privacy and security liability; business interruption; cyber extortion; hacker damage costs; privacy regulatory defense and penalties; computer forensics investigation; and a privacy attorney, according to Marciano and Ferrillo.
If a cyberterrorism attack led to an explosion at a nuclear power plant, that damage would be covered by terrorism insurance, Hartwig said. But many other costs associated with a data breach or a cyber attack are not. To a large degree, terrorism policies are governed by language in the Terrorism Risk Insurance Act (TRIA), a federal government backstop for private insurers. TRIA got a lot of attention recently because Congress allowed it to expire Dec. 31 before reauthorizing it this month.
Damages resulting from a cyber attack, such as theft of intellectual property, theft of confidential information, reputation risk, lawsuits, the cost of fines and penalties, notification to customers after a breach — all of it is far beyond the scope of TRIA, Hartwig said.
In lieu of coverage through terrorism insurance, a business that gets hacked will have to hope the attack is covered as part of its cyber insurance. If there is a dispute about whether the hack was caused by a terrorist group, it's likely to result in a legal battle.
"We are seeing the claims come in on cyber policies now. … We are seeing the disputes arise," said Roberta Anderson, a partner attorney in the Pittsburgh office of K&L Gates LLP. Anderson is a member of the law firm's global insurance coverage practice group and a co-founder of its cyber law and cybersecurity practice group.
"Now, it takes awhile," she said. "Many of these policies, like other policies, are subject to arbitration … but many are not. It's still relatively new, but certainly in the coming years we're going to start seeing the disputes make their way through the courts."
Hartwig, of the insurance institute, said: "It would be preferential for it to simply be worked out in the market with language worked out between insurers and their clients, and brokers."
"The least desirable way is for it to be worked out in the courts," he said, adding that the law tends to side with policyholders.
'Exposure Is Enormous'
Expensive, high-profile attacks in the past two years highlight the reason businesses need some type of cyber coverage.
For example, The Home Depot Inc. estimated in September 2014 a total cost of $62 million to investigate a data breach, provide credit monitoring services to its customers, increase call-center staffing, and pay legal and professional services. Home Depot expected $27 million to be covered by insurance. In August 2014, Target Corp. said the company's expenses related to a 2013 data breach totaled $148 million, of which $38 million was expected to be covered by insurance.
Cyber coverage has developed since early policies were available in 1999, when businesses were concerned about widespread computer failures related to the change from 1999 to 2000, dubbed Y2K or the Millennium Bug. Stand-alone cyber coverage became more widespread about 10 years ago.
If a business had a general liability policy, it might have been enough to protect the company against lawsuits stemming from a cyber attack in the early 2000s. At some point in the relatively recent past, the frequency and staggering costs associated with cyber attacks led to insurance companies' specifically excluding cyber coverage, according to many in the insurance industry.
In general, property-casualty insurance companies initially react to new risks, like cyber attacks, by excluding them from standard property-and-liability coverage, said Gerry Finley, senior vice president of casualty underwriting and underwriting services for Munich Re America.
"And when that happens, that opens the door for very specific coverages to be developed," Finley said. "You could actually go back all the way to the environmental issues: pollution in the '80s, when it first emerged as a risk that wasn't contemplated, to the extent that it emerged. Then you saw exclusions being broadened, and that gave rise to a whole environmental liability marketplace."
Cyber differs from pollution because of its prevalence: almost everyone has a computer, a tablet or a smartphone, he said. Additionally, the economy has become heavily reliant on people staying connected through the Internet.
"The extent of the exposure is enormous," he said.
Furthermore, cyber risk is different because of its complexity as technology changes rapidly, which is a major challenge to company risk managers who have the task of buying adequate insurance to protect a business against all possible damages.
As in the early days of any insurance coverage, cyber policies and terms are a mixed bag regarding what is covered and to what degree. Insurers offer cyber coverage in different ways.
In the case of Sony Pictures Entertainment, the FBI insists North Korea was responsible for the attack, but some cyber experts have disagreed. In the Sony case, a group calling itself "Guardians of Peace" claimed responsibility for destroying some Sony systems and stealing large quantities of personal and commercial data. Guardians of Peace issued threats against Sony, its employees, and theaters that distribute its movies, according to the FBI.
Sony Pictures Entertainment did not respond to inquiries about its insurance coverage, and whether it will cover lost revenue resulting from extortion last month.
©2015 The Hartford Courant (Hartford, Conn.)