
SoylentNews is people

posted by martyb on Monday February 18 2019, @08:36AM
from the GIMO:-Garbage-in-Money-out dept.

Picked via cryptogram, with the original here

...with reliance on all things digital skyrocketing, cyber threats now pose grave, even existential, dangers to corporations as well as the entire digital economy. In response, companies have begun to develop a cyber insurance market, offering corporations a mechanism to manage their exposure to these risks. Yet the prospects for this market now seem uncertain in light of a major court battle. Mondelez International is reportedly suing Zurich Insurance in Illinois state court for refusing to pay its $100 million claim for damages caused by the 2017 NotPetya attack.

Mondelez's claim represents just a fraction of the billions of dollars in collateral damage caused by NotPetya, a destructive, indiscriminate cyberattack of unprecedented scale, widely suspected to have been launched by Russia with the aim of hurting Ukraine and its business partners... According to reports, Zurich apparently rejected Mondelez's claim on the grounds that NotPetya was an act of war and, therefore, excluded from coverage under its policy agreement. If the question of whether and how war risk exemptions apply is left to the courts to decide on a case-by-case basis, this creates a profound source of uncertainty for policyholders about the coverage they obtain.
...
Many hurdles stand in the way of insurance providing a more robust solution. Data on cyber risks are scarce, and the threat is evolving constantly, often rendering data obsolete before they can be used. That means actuaries lack a credible repository of information to accurately price cyber risk. Moreover, NotPetya and other attacks with cascading effects have reinforced fears of aggregation risk, meaning the potential for a single incident to cause simultaneous losses across multiple policyholders. If Zurich had underwritten even a handful of the major corporations disrupted by the attack, it could have faced catastrophic losses from just one incident. This is a particularly acute concern for reinsurers—companies that provide stop-loss coverage, or protection against unsustainably costly claims, to other insurers—making both reinsurers and primary cyber insurance providers naturally hesitant to support more extensive cyber underwriting. The lack of adequate reinsurance backing means that carriers may become overwhelmed with claims if a systemic cyber incident causes simultaneous losses across many policyholders.



Related Stories

Was It an Act of War? That’s Merck Cyber Attack’s $1.3 Billion Insurance Question.

The Insurance Journal is asking if the NotPetya Windows worm was an act of war. If so, that would change any potential obligations carried by insurance policies towards claimants, in this case Merck & Co. NotPetya took over Windows computers in 2017 but was apparently originally intended to target Ukrainian Windows computers. The rest of the Windows computers may have just been collateral damage.

By the time Deb Dellapena arrived for work at Merck & Co.’s 90-acre campus north of Philadelphia, there was a handwritten sign on the door: The computers are down.

It was worse than it seemed. Some employees who were already at their desks at Merck offices across the U.S. were greeted by an even more unsettling message when they turned on their PCs. A pink font glowed with a warning: “Ooops, your important files are encrypted. … We guarantee that you can recover all your files safely and easily. All you need to do is submit the payment …” The cost was $300 in Bitcoin per computer.

The ransom demand was a ruse. It was designed to make the software locking up many of Merck’s computers—eventually dubbed NotPetya—look like the handiwork of ordinary criminals. In fact, according to Western intelligence agencies, NotPetya was the creation of the GRU, Russia’s military intelligence agency—the same one that had hacked the Democratic National Committee the previous year.

In all, the attack crippled more than 30,000 laptop and desktop [Windows] computers at the global drugmaker, as well as 7,500 servers, according to a person familiar with the matter. Sales, manufacturing, and research units were all hit. One researcher told a colleague she'd lost 15 years of work. Near Dellapena's suburban office, a manufacturing facility that supplies vaccines for the U.S. market had ground to a halt. "For two weeks, there was nothing being done," Dellapena recalls. "Merck is huge. It seemed crazy that something like this could happen."

Earlier on SN:
Windows 7 and Server 2008 End of Support: What Will Change on 14 January? (2020)
Cyber Insurance claims NotPetya was an act of war (2019)
Original Petya Master Decryption Key Released (2017)



How a Russian Cyberwar in Ukraine Could Ripple Out Globally

How a Russian cyberwar in Ukraine could ripple out globally:

The knock-on effects for the rest of the world might not be limited to intentional reprisals by Russian operatives. Unlike old-fashioned war, cyberwar is not confined by borders and can more easily spiral out of control.

Ukraine has been on the receiving end of aggressive Russian cyber operations for the last decade and has suffered invasion and military intervention from Moscow since 2014. In 2015 and 2016, Russian hackers attacked Ukraine's power grid and turned out the lights in the capital city of Kyiv— unparalleled acts that haven't been carried out anywhere else before or since.

The 2017 NotPetya cyberattack, once again ordered by Moscow, was directed initially at Ukrainian private companies before it spilled over and destroyed systems around the world.

NotPetya masqueraded as ransomware, but in fact it was a purely destructive and highly viral piece of code. The destructive malware seen in Ukraine last week, now known as WhisperGate, also pretended to be ransomware while aiming to destroy key data that renders machines inoperable. Experts say WhisperGate is "reminiscent" of NotPetya, down to the technical processes that achieve destruction, but that there are notable differences. For one, WhisperGate is less sophisticated and is not designed to spread rapidly in the same way. Russia has denied involvement, and no definitive link points to Moscow.

  • (Score: 0) by Anonymous Coward on Monday February 18 2019, @09:03AM (1 child)

    by Anonymous Coward on Monday February 18 2019, @09:03AM (#802852)

    (Something extremely nasty) Mondelez!! They are corporate pirates who make promises and then backstab. One example is the Cadbury's debacle in New Zealand - (google it) - but that is only one of many such tricks they have perpetrated around the world. They deserve no mercy, no insurance money and should be boycotted wherever possible. Sadly they also sucked up Toblerone into their galactic chocolate empire :( ..but I can survive without Toblerone if I have to.

    • (Score: 0) by Anonymous Coward on Monday February 18 2019, @10:36AM

      by Anonymous Coward on Monday February 18 2019, @10:36AM (#802896)

      They are corporate pirates who make promises and then backstab.

      That's so ironic. Mondelez was just saying the same thing about Zurich Insurance. Someone pop in the Atlantis Marmoset cassette ...

  • (Score: 4, Insightful) by Runaway1956 on Monday February 18 2019, @09:05AM (7 children)

    by Runaway1956 (2926) Subscriber Badge on Monday February 18 2019, @09:05AM (#802853) Journal

    Virtually all insurance policies have an "act of war" get-out-of-jail-free clause. No matter what happens to a client, if the insurance company can blame it on a war, the insurance company doesn't have to pay. I'm sure there are exceptions besides the insurance sold to recruits in boot camp. I can't think of any, offhand.

    Bottom line, if you're paying insurance premiums to cover your data, then the insurance company should pay you when your data is lost. Doesn't matter if Russians did it, or Martians, or the kid down the street.

    • (Score: 1, Insightful) by Anonymous Coward on Monday February 18 2019, @09:44AM (3 children)

      by Anonymous Coward on Monday February 18 2019, @09:44AM (#802870)

      Bottom line, if you're paying insurance premiums to cover your data, then the insurance company should pay you when your data is lost.

      Whoever is offering insurance against data loss is a fool and worthy of bankruptcy.
      It is so much easier to arrange for it than an arson or a suicide; plus it can be arranged leaving so few traces that the deniability is plausible.

      Either the 'insured' has proper backups and a security setup (and thus survives with at most a day's worth of lost data - in which case why should it pay insurance premiums?) - or it is too risky to insure.
      Look, none of the stock exchanges suffered because of NotPetya, so it is possible to do it.

      • (Score: 2) by Runaway1956 on Monday February 18 2019, @10:00AM (1 child)

        by Runaway1956 (2926) Subscriber Badge on Monday February 18 2019, @10:00AM (#802880) Journal

        You nailed it with "too risky to insure". My point is, if the insurance company wrote the policy, and accepted payment, then the insurance company needs to pay off. It's not OUR fault that some insurance company failed to assess the risks.

        • (Score: 5, Interesting) by canopic jug on Monday February 18 2019, @10:21AM

          by canopic jug (3949) Subscriber Badge on Monday February 18 2019, @10:21AM (#802890) Journal

          The answer is that they're not allowed to properly assess the risks when it comes to deployed software. Remember almost 20 years ago when this kind of insurance was just starting to rear its head? The premiums for M$ products were much higher than for the better designed software.

          That's what it looks like happened here with NotPetya [wired.com]. What we see is probably an extension of that: the M$ products are in practice "too risky to insure", but no one, and certainly no corporation, is allowed to say that directly. Thus they try to get out of paying a different way. The whine we hear in response is that no system is absolutely secure. Of course they aren't. However, there is a world of difference in levels of vulnerability and repercussions from eventual compromises. The result, all those years ago, was that insurers were forced not to price against M$ products and to find other ways to weasel out of paying.

          --
          Money is not free speech. Elections should not be auctions.
      • (Score: 3, Interesting) by janrinok on Monday February 18 2019, @10:16AM

        by janrinok (52) Subscriber Badge on Monday February 18 2019, @10:16AM (#802888) Journal

        Look, none of the stock exchanges suffered because of NotPetya, so it is possible to do it.

        You're probably correct, but it might only mean that nobody has found any evidence that the stock exchange or company software has been compromised. It doesn't prove that it hasn't happened though.

    • (Score: 2) by Hyperturtle on Monday February 18 2019, @03:55PM (1 child)

      by Hyperturtle (2824) on Monday February 18 2019, @03:55PM (#803003)

      Ding! I'd come into the comments to write the same thing if someone didn't beat me to it.

      Act of War, Act of God--these terms can broadly include a whole lot of exclusions when there is no agreed upon definition of what constitutes digital warfare and how to prove it, or when the accepted 100 year flood plains are suddenly experiencing floods every 5 years and no one wants to be responsible to revise them for any reason, because it means more payouts no matter what happens. It used to be so much easier to simply take peoples money with a low chance of payout.

      Now because Cloud (in the sky or on the line), I expect that there'll be as many excuses as they can get away with before some sort of onerous regulation is required when self-policing only yields repeatedly getting out of jail for free for the insurance companies.

      (If it could somehow be blamed on squirrels, everything would get paid, I am sure...)

      • (Score: 2) by All Your Lawn Are Belong To Us on Monday February 18 2019, @04:12PM

        by All Your Lawn Are Belong To Us (6553) on Monday February 18 2019, @04:12PM (#803015) Journal

        Actually, the most clever act on the part of insurance companies is how they got acts of terrorism blanketly defined as acts of war. I'm not fully sure if I agree with it, but this article [mackenzieinstitute.com] was interesting reading. The point is that while War has historically been reserved for state actors working against other entities (states, nations, etc), this also gives an out because if terrorism is an act of war instead of a crime then all it takes is having terror motivations behind hacking to give the insurance company an out.

        In this case if it really is a state actor doing the damage we as a society have allowed it as a defense by blindly accepting terms like "cyberwarfare" to become part of the lexicon without challenge. And not entirely without justification and, as usual, the U.S. certainly has virtual cyber-blood on its hands as well (Stuxnet... anyone want to defend that its deployment was *not* an act of war by a state actor? Just one that is still deniable. Even if it worked out well for the U.S. and Israel?)

        And yes, it shows that "cyber insurance" isn't worth it, because we're worried about the end product of the threat and not the cause. (Not entirely unlike floods being disallowed from homeowners policies).

        --
        This sig for rent.
    • (Score: 1, Insightful) by Anonymous Coward on Monday February 18 2019, @03:59PM

      by Anonymous Coward on Monday February 18 2019, @03:59PM (#803005)

      No matter what happens to a client, if the insurance company can blame it on a war, the insurance company doesn't have to pay.

      They will have to pay if a court determines they have to.

  • (Score: 3, Insightful) by Lester on Monday February 18 2019, @10:23AM (4 children)

    by Lester (6231) on Monday February 18 2019, @10:23AM (#802891) Journal

    What a surprise!!

    An assurance company making up excuses for not paying

    • (Score: 0) by Anonymous Coward on Monday February 18 2019, @10:40AM (3 children)

      by Anonymous Coward on Monday February 18 2019, @10:40AM (#802897)

      What a surprise!!

      An assurance company making up excuses for not paying

      I assure you that you've got a typo in your post ;-)

      • (Score: 0) by Anonymous Coward on Monday February 18 2019, @12:55PM

        by Anonymous Coward on Monday February 18 2019, @12:55PM (#802919)

        I *think* you'll find that the company provided assurances, but now does not follow through, so the "typo" may be right. (I'm a different AC)

      • (Score: 2) by sjames on Monday February 18 2019, @07:11PM

        by sjames (2882) on Monday February 18 2019, @07:11PM (#803101) Journal

        Merriam-webster [merriam-webster.com] assurance definition 3c:

        chiefly British : INSURANCE

      • (Score: 2) by arulatas on Tuesday February 19 2019, @03:13PM

        by arulatas (3600) on Tuesday February 19 2019, @03:13PM (#803481)

        Please view the following at your leisure

        https://www.youtube.com/watch?v=5_IuuQZ0IO8 [youtube.com]

        --
        ----- 10 turns around