NotPetya is an ugly name for the world’s most despicable computer attack. Embedded in harmless tax software, the virus, which the US government says bore the Kremlin’s fingerprints all over it, hit Ukraine in June 2017, knocking out federal agencies, transportation systems, ATMs – even the radiation monitors at Chernobyl, the shell of a nuclear power plant.
It then went rogue, sneaking from the computers of multinational corporations with local outposts in Ukraine to their global operations, causing collateral damage to victims ranging from Maersk, a huge shipping company, and Saint-Gobain, a French construction giant, to Mondelez International, owner of Cadbury chocolate. The total hit was estimated at $10 billion, making it the costliest such attack of all time. One of the costliest blows fell on Merck, a New Jersey-based drugmaker with a market value close to $200 billion, which lost 40,000 computers in the blink of an eye and was forced to stop manufacturing its human papillomavirus vaccine.
Merck sought to cover its cyber losses with a $1.4 billion property insurance claim. However, its insurers refused to pay, citing a clause in the contract called the war exclusion. This excludes coverage for military action by governments or their agents. The case ended up in a New Jersey court. Years later, as Russian troops and cyber warriors once again threaten Ukraine, a judgment in this case offers a timely reason to explore what companies have learned since then about the risk of a potentially catastrophic cyber-war. The short answer is: not enough.
The Merck judgment, made public last month, is potentially historic. It addresses a question of great importance in the context of modern belligerence: is cyber warfare a war? Merck’s insurers, including companies like Chubb, have argued that there is ample evidence that NotPetya was an instrument of the Russian government and part of the ongoing hostilities against Ukraine. In other words, it was an act of warlike behavior covered by the war exclusion. The court, however, evaded the question of who was responsible for the assault. Instead, it said insurers had done nothing to change the wording of their contracts to suggest that the war exclusion included cyberattacks. It said it was reasonable for Merck to think the exclusion only applied to “traditional” warfare, i.e. tanks and troops, not worms, bugs and hackers.
This is not the final verdict. A similar war-exclusion case involving Mondelez and its insurers is continuing in an Illinois court. But while this is a victory for Merck, it may be a Pyrrhic victory for businesses as a whole. Indeed, many insurers are now looking to strengthen policy wording to better protect against payouts related to state-sponsored cyber mischief. If a NotPetya-like virus were to originate from Russian warmongering in Ukraine and burrow into global supply chains, insurers are keen to limit their exposure to it. The consequences of this for victimized businesses could be severe.
Evidence suggests companies have a lot to worry about. Last year, a report by HP, a tech company, said state-sponsored attacks doubled between 2017 and 2020 and businesses were the most common targets. Increasingly, hackers’ weapon of choice is malware embedded in vendors’ software or hardware, which is particularly difficult for companies further up the value chain to detect. Unlike other cybercriminals, who attack and move on, states have strategic patience, plenty of resources, and are above the law within their own borders. They also cover their tracks well, so assigning blame for an attack can be particularly difficult.
Faced with this, the caution of the insurance sector is understandable. It is already facing an increase in ransomware claims from companies during the covid-19 pandemic, which is driving up the price of cyber insurance. The NotPetya attack revealed the risk of “silent cyber”, or unspecified cyber risk hidden in insurance contracts. These could pose a systemic risk to the industry in the event of a large-scale correlated attack. Partly in response to these threats, the Lloyd’s Market Association, an advisory group, recently released four model clauses for excluding war cover from cyber insurance policies. They make it easier for insurance companies to customize their exclusions and give them more clarity about which perils are covered and which are not. But they seem to protect insurers more than policyholders.
It is still an evolving market. Merck’s war exclusion judgment relied on case law handed down before cyber was even a word. The cyber insurance industry, while growing rapidly, is still small and immature. Eventually, actuarial techniques for assessing cyber risk will improve and the insurance industry will get better at requiring customers to introduce the cyber equivalent of fire alarms and sprinkler systems to minimize the danger. For now, however, the risk of considerable confusion remains if anything close to cyber warfare were to break out.
Self-isolation
So what should companies do? A well-known checklist of security measures to implement includes things like two-factor authentication and prompt software updates, which help keep hackers at bay. Given the danger of infection throughout the supply chain, whether it is compromised hardware or software, companies must carefully assess their possible exposures: factories or offices located in remote locations, subcontractors, cloud computing and even cybersecurity itself.
Corporate boards need to have a better understanding of threat levels. As a former cyber spy put it, they need not just gender and racial diversity, but also technological diversity, in order to grill the company’s techs on cyber defenses. Additionally, they must recognize cyber warfare as one of the growing geopolitical risks facing businesses. Ensuring that none of a company’s touchpoints with Ukraine and Russia poses a vulnerability to the rest of its operations is the first of many steps it should take.
This article appeared in the Business section of the print edition under the headline “Cyber-rattling”