Tag Archives: cyber-terrorism

Has an International Cyber War Begun?

Cyber attacks were once on the periphery of American business consciousness. That mindset changed over the past two years. A series of devastating events, including the 2014 cyber attack against Sony, catapulted cyber liability concerns from an IT department issue to a major priority for boardrooms across America. As U.S. government officials concluded that North Korea was behind the attack, many C-suite executives suddenly found themselves asking questions. Is this the start of a cyber war? Could we be the next victim? If we are, how will it affect our operations and our bottom line? Do our insurance policies cover any of these costs?

g1

Today, many insurance buyers look to their cyber insurance policies to fill coverage gaps that often exist in other policies. For example, a property policy may respond to physical damage from a named peril, but it will likely exclude loss for non-tangible assets as a result of a cyber attack. Similarly, a commercial general liability policy will likely provide liability coverage for causing bodily injury because of negligence but exclude coverage for liability because of a failure to secure sensitive data from hackers.

Many policyholders may be unaware that some, though not all, of these cyber policies contain specific terrorism and war exclusions. As a result, gaps in cyber insurance coverage can exist in cases like the Sony breach, where government agencies, like the FBI, conclude that a foreign government or terrorist organization is responsible for the attack.

Is a Cyber Attack “Terrorism” or “War”?

Immediately following the Sony attack, President Obama referred to it by saying, “I don’t think it was an act of war . . . but cyber vandalism.” Then, on April 1, 2015, President Obama signed the Executive Order on Cybersecurity with the goal of protecting the private sector against hackers and thereby bolstering national security. The order seeks to identify and punish individuals behind attacks, but it could also lead some to categorize an apparent hacking event or act of cyber terrorism as an “act of war.”

Changes in government definitions trickle down into coverage disputes because many policies that exclude or include “war,” “terrorism” or “cyber terrorism” either fail to define those terms or define them by referring to standard government definitions.

Government Definitions of Terrorism, Cyber Terrorism and War

THE TERRORISM RISK INSURANCE ACT (TRIA)

“Act of terrorism” is defined as any act certified by the secretary of the Treasury in concurrence with the secretary of State and the attorney general of the U.S. to be:

» an act of terrorism

» a violent act or an act that is dangerous to human life, property or infrastructure

» an act resulting in damage within the United States or Outside (on a U.S.-flagged vessel, aircraft or U.S. mission)

» an act committed by an individual or individuals acting on behalf of any foreign person or foreign interest, as part of an effort to coerce the civilian population, U.S. policy or the U.S. government.

The secretary of the Treasury may not delegate his certification authority, and his decision to certify an act or not is not subject to judicial review.

DEPARTMENT OF DEFENSE (DOD)

The DOD defines “terrorism” as “the unlawful use of violence or threat of violence, often motivated by religious, political or other ideological beliefs, to instill fear and coerce governments or societies in pursuit of goals that are usually political.” The term “act of war” is understood to mean “a use of force [that may] invoke a state’s inherent right to lawful self-defense.”

DEPARTMENT OF JUSTICE (DOJ)/FEDERAL BUREAU OF INVESTIGATION (FBI)

The FBI defines “cyber terrorism” as “the premeditated, politically motivated attack against information, computer systems, computer programs and data [that] results in violence against non-combatant targets by subnational groups or clandestine agents.”

DEPARTMENT OF HOMELAND SECURITY (DHS)

The National Infrastructure Protection Center (NIPC), (formally a branch of DHS), defines “cyber terrorism” as “a criminal act perpetrated through computers resulting in violence, death and/or destruction and creating terror for the purpose of coercing a government to change its policies.”

Cyber Terrorism and the ‘Act of War’ Exclusion

Cyber policies are relatively new and manuscript products; as such, the wording varies significantly. Many policies contain a standard exclusion for “war, invasion, acts of foreign enemies, hostilities (whether war is declared or not), civil war, rebellion, revolution, insurrection, military or usurped power, confiscation, nationalization, requisition, or destruction of, or damage to, property by or under the order of any government, public or local authority…” An attack by the Taliban, for example, would probably fit within the exclusion as an act sponsored by a “public or local authority.”

Traditionally, war exclusions were relatively narrow; they required an actual war or, at the very least, “warlike operations”; “for there to be a ‘war,’ a sovereign or quasi-sovereign must engage in hostilities.” Pan Am. World Airways, Inc. v. Aetna Cas. & Sur. Co., 505 F.2d 989, 1005 (2d Cir. 1974) (finding that a Jordanian terrorist group that hijacked a plane was not a de facto government for the purposes of applying the war exception).

However, the events of Sept. 11, 2001, changed the way certain events and groups were perceived and classified, ultimately leading many to label the 2014 cyber attack on Sony an “act of war.”

Screen Shot 2015-12-22 at 1.53.07 PM

Litigation surrounding the Sept. 11 attacks led directly to an expanded view of the war exclusion. For one thing, the Second Circuit Court of Appeals ruled that the attacks were an “act of war.” In re Sept. 11 Litig., 931 F. Supp. 2d 496, 512 (S.D.N.Y. 2013), an owner of a building near the site of the World Trade Center attacks sought to recover cleanup and abatement expenses for removing pulverized dust that infiltrated into the owner’s building after the collapse of the Twin Towers. He sued under the Comprehensive Environmental Response, Compensation, and Liability Act [CERCLA], which allows strict liability claims in pollution cases, but the court applied CERCLA’s “act of war” exception to strict liability.

In concluding that the attacks were an act of war, the court commented that “Al Qaeda’s leadership declared war on the United States, and organized a sophisticated, coordinated, and well-financed set of attacks intended to bring down the leading commercial and political institutions of the United States,” id. at 509, and that “as we learned in the twentieth century, and as has been true throughout history, war can take on a formal structure of armies in contrasting uniforms confronting each other on battlefields, and war can persist for years, fought by irregular, insurgent forces and capable of causing extraordinary damage,” id. at 511.

This expansion of the legal definition of “act of war” to include acts by “irregular, insurgent forces and capable of causing extraordinary damage” could lead to attacks by hacktivist groups or foreign intelligence services being considered acts of war and therefore excluded from cyber policies.

Cyber Insurance and TRIA

The Terrorism Risk Insurance Act (TRIA) is a government program designed to provide a backstop for reinsurers in the event of large terrorism-related losses (more than $100 million). There is debate over whether TRIA applies to cyber policies at all. TRIA applies to commercial property and casualty insurance coverage, but some cyber policies are written as another line of coverage, such as professional liability, which is not included in TRIA.

Even assuming that TRIA would apply to cyber insurance, for TRIA coverage to be in effect, (1) there must be losses, resulting from property damage, exceeding $100 million; and (2) they must be caused by a certified terrorism event:

(1) Property Damage: For TRIA to apply, physical property damage must occur, and what constitutes “physical damage” in the context of a cyber attack remains an open question. What we do know is that TRIA will probably not cover business interruption or reductions in business income absent some physical loss or property damage. Many cyber attacks do not involve any physical damage, which would exclude TRIA coverage.

(2) A Certified Terrorism Event: For TRIA to apply to any event, the event would need to be certified as an act of terrorism. This onerous and political certification process requires the secretary of the Treasury, secretary of State and attorney general to agree that an incident was an “act of terrorism.” Many political and economic issues factor into certifying a terrorism event, which can lead to counterintuitive results. For instance, as of the date of this publication, the April 2013 Boston Marathon bombing has not been certified as a terrorist act.

Conclusion

To ensure coverage for cyber terrorism and cyber warfare, buyers of cyber insurance will need to seek out a cyber risk insurance policy that explicitly includes this coverage in the broadest terms possible. As more insurance carriers enter the cyber insurance market, one must be wary that policy terms will vary from one policy form to the next, and some will have coverage terms superior to others.

Terrorism Risk: A Constant Reminder

With just months to go until the year-end 2014 expiration of the government-backed Terrorism Risk Insurance Program Reauthorization Act (TRIPRA), the debate between industry and government over terrorism risk is intensifying.

The discussion comes in a year that marks the one-year anniversary of the Boston Marathon bombing—the first successful terrorist attack on U.S. soil in more than a decade. The April 15, 2013, attack left three dead and 264 injured.

Industry data shows that the proportion of businesses buying property terrorism insurance (the take-up rate for terrorism coverage) has increased since the enactment of the Terrorism Risk Insurance Act (TRIA) in 2002, and for the last five years has held steady at around 60% as businesses across the U.S. have had the opportunity to purchase terrorism coverage, usually at a reasonable cost.

However, should TRIPRA not be extended, brokers have warned that the availability of terrorism insurance would be greatly reduced in areas of the U.S. that have the most need for coverage, such as central business districts. Uncertainty around TRIPRA’s future is already creating capacity and pricing issues for insurance buyers in early 2014, reports suggest.

New Aon data show that retail and transportation sectors face the highest risk of terrorist attack in 2014. Both sectors were significantly affected in 2013, as highlighted by the Sept. 21, 2013, attack by gunmen on the upscale Westgate shopping mall in Nairobi, Kenya, as well as the Boston bombing.

The vulnerability of the energy sector to a potential terrorist attack has also been highlighted following an April 2013 assault on a California power station when snipers took down 17 transformers at the Silicon Valley plant.

The Boston Marathon attack—twin explosions of pressure cooker bombs occurring within 12 seconds of each other in the Back Bay downtown area—adds to a growing list of international terrorism incidents that have occurred since the terrorist attack of Sept. 11, 2001, and highlights the continuing terrorism threat in the U.S. and abroad.

Following 9/11, the 2002 Bali bombings, the 2004 Russian aircraft and Madrid train bombings, the London transportation bombings of 2005 and the Mumbai attacks of 2008 all had a profound influence on the 2001 to 2010 decade. Then came 2011, a landmark year, which simultaneously saw the death of al-Qaida founder Osama bin Laden and the 10-year anniversary of the Sept. 11 attacks.

While the loss of bin Laden and other key al-Qaida figures put the network on a path of decline that is difficult to reverse, the State Department warned that al-Qaida, its affiliates and adherents remained adaptable and resilient and constitute “an enduring and serious threat to our national security.”

A recently published RAND study finds that terrorism remains a real—albeit uncertain—national security threat, with the most likely scenarios involving arson or explosives being used to damage property or conventional explosives or firearms used to kill and injure civilians.

The Boston bombing serves as an important reminder that countries also face homegrown terrorist threats from radical individuals who may be inspired by al-Qaida and others, but have little or no actual connection to known militant groups.

In a recent briefing, catastrophe modeler RMS assesses that the U.S. terrorist threat will increasingly come predominantly from such homegrown extremists, who because of the highly decentralized structure of such “groups,” are difficult to identify and apprehend.

Until the Boston bombing, many of these potential attacks had been thwarted, such as the 2010 attempted car bomb attack in New York City’s Times Square and the attempt by Najibullah Zazi to bomb the New York subway system.

Other thwarted attacks against passenger and cargo aircraft indicate the continuing risk to aviation infrastructure. The investigation into the March 7, 2014, disappearance of Malaysia Airlines flight 370 over the South China Sea aircraft with 239 passengers has raised many concerns over the vulnerability of aircraft to terrorism.

RECENTLY THWARTED TERRORIST ATTACK ATTEMPTS IN THE U.S.
Source: Federal Bureau of Investigation (FBI); various news reports; Insurance Information Institute

Counterterrorism success in 2011 came as a number of countries across the Middle East and North Africa saw political demonstrations and social unrest. The movement known as the Arab Spring was triggered initially by an uprising in Tunisia that began back in December 2010. Unrest and instability in this region continues in 2014 and has spread to other parts of the world with violent protests seen most recently in Ukraine, Venezuela and Thailand.

Another evolving threat is cyber terrorism. The threat both to national security and the economy posed by cyber terrorism is a growing concern for governments and businesses around the world, with critical infrastructure, such as nuclear power plants, transportation and utilities, at risk.

All these factors suggest that terrorism risk will be a constant, evolving and potentially expanding threat for the foreseeable future.

For the full report on which this article is based, click here.

Am I Covered For Cyber-Terrorism?

Are you covered for cyber-terrorism? If you have not purchased Cyberliability insurance, the answer is likely no. A General Liability policy needs bodily injury, property damage or possibly an advertising injury to respond. Property insurers don't view data as tangible property, and a property policy needs a peril like wind, fire or hail to respond to a loss. Crime policies cover embezzlement by employees. In the event of a cyber-terrorism loss, you can look to all of these policies for coverage, but there is only one policy that is designed specifically for this type of exposure — Cyberliability.

The next question is, what constitutes cyber-terrorism? When you think of activities committed by a terrorist, your first thoughts might be actions that lead to death or destruction of property. There are other ways terrorists can inflict harm, including through electronic means.

Below are scenarios that might be covered by a properly structured Cyberliability policy:

Sadly, the array of bad things for a terrorist to try extends far beyond the items listed above. They are out there working on ways to cause mayhem without leaving the comfort of wherever they may call home.

  1. Hackers funded by a foreign government get into your insured's network and cause private information to be leaked into the public domain.
  2. Hackers funded by a hostile party hijack an insured's network and computers and use them to cause a denial of service attack against other third parties, who then sue the insured for not preventing such an event.
  3. Unnamed hackers from a foreign nation deliver a virus to an insured's network and wipe out 30,000 company laptops causing a business interruption loss.
  4. Foreign-sponsored hackers launch denial of service attacks at everyone in the insured's industry in retaliation for some action taken by our own government. The business interruption may be covered, as well as a security breach arising from the attack.
  5. Hackers penetrate the control system for a manufacturing client's assembly line and prevent them from producing their product.
  6. Hackers replace a client's website with offensive or politically motivated content that causes people to sue for emotional distress, libel or slander.
  7. Hackers penetrate an insured's network and threaten to release private records or intellectual property.

To most insurers, it won't matter who is behind the security breach. The hackers can be foreign-sponsored, the kid next door, a disgruntled former employee or an organized crime gang. Coverage should apply regardless of who funded the attack. Cyberliability insurance policies are there to respond to liability claims arising from a security breach as well as some first-party expenses. There are also policies that include coverage for data restoration expenses and business interruption losses.

You probably won't see a policy that states, “You are covered for cyber-terrorism;” however, you should look for any definition of what constitutes a hacker. We have yet to see any definition that differentiates between prankster hackers, criminal hackers, political hackers, organized crime hackers or any other group. It is in the policyholder's favor that the definition isn't limited by a detailed description.

Most policies will be silent regarding the origin of the network attack; it remains your responsibility to be vigilant for any terrorism exclusion as well as acts of war exclusions. If you have been reading the newspapers lately, you have seen articles alleging that other nations have sponsored network attacks against companies and defense contractors in the United States. Some of those alleged foreign nations include Iran, China and North Korea. Our government hasn't classified those as acts of war, but at some point those actions could be deemed a precursor to war. A declaration of war usually requires a vote by Congress, which could take months, meaning that an insurer would likely have to wait to respond until the point a formal declaration of war is made. Insurers aren't intending to cover an aspect of war between two countries, but if an insured's computer network is collateral damage, they should provide coverage for the damages and liability.

A commonly asked Cyberliability question concerns the theft of intellectual property by a foreign nation, company or other party. Unfortunately that first-party loss is not contemplated in current Cyberliability insurance policies. There are intellectual property policies out there designed to defend and enforce patents, but it can be challenging to prove who took the information and how to find them. Those policies usually respond to claims once a competing product with the same or similar design(s) is sold on the open market. The theft of digital blueprints may not be enough to trigger these policies. There are also issues regarding the enforceability of intellectual property rights outside the United States.

A quick search of our major metropolitan newspapers shows that a number of industries are in the sights of a variety of hacker groups. The current list of primary targets includes financial institutions, power companies and defense contractors. In light of these ongoing activities of terrorists and state-sponsored hackers, it remains a good time to look at Cyberliability insurance. Your clients may not specifically be targeted by cyber-terrorists, but their network could suffer collateral damage or be used to inflict damage upon others.