Tag: cyber risks

Cyber warfare: Are you protected?

Beware of the war exclusions!

Following the Lloyds Performance Management Supplemental Requirements & Guidance, published July 2020, all insurance and reinsurance policies written at Lloyd’s must exclude all losses caused by war and nuclear, chemical, biological or radioactive risks (NCBR), except in limited circumstances.[1] This reinforces the exclusion of war and NCBR in hull and cargo and most cyber policies. Both cyber  security data and privacy breach (CY) and cyber security property damage (CZ)[2] polices are among the exempted class of business which would be allowed to write war risks. However, when writing these cyber policies, the terms and scope of the cover must be unambiguously stated. If there is an extension of the policy to include war, that extension must not override any NCBR exclusions contained within the cyber policy. It is customary to follow local law or regulation on how coverage should be provided for in policy documentation and for the exempted classes of business, it is recommended to follow local market practice. In light of these guidelines several war exclusions in varying degree of liability were developed to be endorsed on or attached to commercial cyber policies. It is not yet clear if the same clauses are or will become applicable to non cyber policies but the discussion is relevant considering current geopolitical conflicts and imminent threats to businesses and states.

The exclusions (LMA5564, LMA5565, LMA5566, LMA5567)[3] are very similar in terms of the language used and excludes loss of any kind directly or indirectly occasioned by, happening through or in consequence of war or a cyber operation.  The burden is on the insurer to prove that the exclusion applies. An obvious difference is the causal language used in each clause. ‘Happening through’ is not language commonly used in the marine sector, as such its meaning and what needs to be established to fulfil this causal effect requires clarification. Clauses 3-5 of each exclusion refer to the attribution of a cyber operation to a state and the definition of war and cyber operation are both related to the acts of a state against another state. War is defined as the ‘use of physical force by a state against another state’ thus excluding cyber incidents / attacks which may have the same effect but without physical use of force and not by a state against another state. Cyber operations means ‘the use of computer system by or on behalf of a state to disrupt, deny, degrade, manipulate or destroy information in a computer systems of another state’.[4] The emphasis on ‘states’ means that the exclusion would not be applicable to private acts of civilians who are not acting on behalf of their government or another state. Furthermore it is doubtful whether cyber operation would extend to the damage loss of cargo, vessel or financial losses since the subject of a cyber operation is the ‘information in a computer system’.

In attributing cyber operation to a state, the primary but not exclusive determinant is whether the government of the state in which the computer system affected is physically located has attributed the cyber operations to another state or those acting on its behalf. Pending a decision, the insurer may rely on an inference which is objectively reasonable as to attribution of the  cyber operation  but no loss shall be paid during this time. If the  government of the state in which the affected computer system is located takes too long to decide, or is unable to declare or does not determine attribution, the responsibility shifts to the insurer to determine attribution by using other evidence available to it. There are several problems with the terms of LMA5564, there is no explanation of the type and source of information the insurers should rely on to develop an inference and what will qualify as objectively reasonable and importantly who will sit as ‘objective person’. Furthermore,  the reference to the insurer using ‘such other evidence as is available’ suggest that the insurer is permitted to rely on any source, type / quality of evidence available that will support his position that the exclusion does apply. In other words, the acceptable standard of evidence to support the insurer’s ‘inference’ and to discharge his burden that the exclusion does apply is low and therefore prejudicial to the assured.

The second war, cyber war and cyber operation exclusion (LMA5565) differs from LMA5564  in that LMA5565 clause 1.1 to 1.3 list the conditions under which war and cyber operations are excluded. These are war or cyber operation carried out in the course of war and or retaliatory cyber operations between any specified state (China, France, Germany, Japan, UK or USA) and or a cyber operation that has a detrimental impact on the functioning of the state due to the direct or indirect effect of the cyber operation on  the availability, integrity or delivery of an essential service in that state and or the security or defence of a state. Clause 3 introduces the agreed limits recoverable in relation to loss arising out of one cyber operation and a second limit for the aggregate for the period of insurance. If the limits are not specified, there will be no coverage for any loss arising from a cyber operation. Noteworthy is the fact that similar limits have not been introduced for loss arising from a war or cyber war, so the limit would be based on the insured value of the subject matter insured. The definition of essential service creates uncertainty because what is categorised as ‘essential for the maintenance of vital functions of a state’ may vary across states. While examples are provided which includes financial, health or utility services, unless the parties stipulate and restrict this category to only the services named in the policy, there is potential contention between the parties over what will qualify as an essential service and what is a vital function to a state. It is expected that the marine sector will be among the list of essential services, however it is unlikely that an attack on a commercial private vessel or onshore facilities would qualify as harm to an essential service, vital for function of the state.

A third form of the war, cyber war and cyber operations exclusion LMA5566 is identical to LMA5565 except that there is no equivalent to the clause on limits of liability for each cyber operation or aggregate loss in LMA5566. The fourth form of exclusion LMA5567 expounds on the conditions mentioned in LMA5565 and LMA55666, particularly the exclusion or loss from retaliatory cyber operations between any of the specified states leading to two or more of those states becoming impacted states. The exclusion of cyber operation that has a major impact an essential service or the security of defence of a state shall not apply to the direct or indirect effect of a cyber operation on a bystanding cyber asset. LMA5567 introduces the concepts of impacted states and bystanding asset, thus expanding the effect of the exclusion clause. Impacted states means any state where the cyber operation has had a detrimental impact on the functioning of that state due to its effect on essential services  and or the security or defence of that state. The bystanding cyber assets are computer systems used by the insured or its third party provider that is not located in the impacted state but is affected by the cyber operation. As an exemption to the exclusion, the consequence is that the insurer will be exposed to liability for loss to assets that are not owned by the insured or its third party providers. The only requirement being that these bystanding cyber assets / computer systems are used by the insured or its third party providers which could be an extensive list of unidentified assets and liabilities. Another problem with the definition of bystanding cyber asset is it does not declare for what purpose the said asset should be used by the insured or by the third party provider. The presumption is the use should be related to the subject matter / business of the insured but without clarification, there are doubts about the scope and limits of the term.  Interestingly and of concern is the use of the words ‘cyber war’ in the title of each exclusion but is not repeated in any of the four clauses nor is there a description of the meaning of a cyber war and how it differs from a cyber operation and war as defined in the clauses.

A guidance on the correct interpretation of the exclusion clauses was not published and given their deficiencies, the effectiveness of each exclusion clause is reduced. In terms of their application to marine activities, the insurer will find that he is liable to indemnify the assured for his loss from cyber-attack unless there is evidence to attribute the cyber act to a state. The exclusions will be more effective in scenarios where terrorist or political groups are involved. War is limited to acts between states and significant emphasis is placed on damage to essential services of a state. Despite the deficiencies discussed above, the importance and take up of any variation of the exclusion clause will increase as the political security of nation states and businesses continue to be of concern to insurers. The constant threats and warning  in the news of cyber-attacks being used as weapons of war will affect market response and which will sometimes be reflected in strictness of language / variations of the war exclusions used in insurance policies. Other stakeholders must be proactive and ensure that they have adequate insurance protection against cyber war risks and war risks generally and mitigate their risks of loss by implementing and maintaining good cyber hygiene based on industry specific best practices.  

[1] Lloyd’s, ‘Performance Management – Supplemental Requirements & Guidance’ (July 2020) 41 <https://assets.lloyds.com/assets/performance-management-supplemental-requirements-and-guidance-july-2020highlighted/1/Performance%20Management%20Supplemental%20Requirements%20and%20Guidance%20July%202020Highlighted.pdf> accessed 22 March 2022. War and NCBR policies can only be provided where: the exclusion of war is prohibited by local legal or regulatory requirements but this is not inclusive of the writing non-compulsory war risks; where the type of business is within the exempted class and where the syndicates have the express agreement from Lloyds through business planning process.

[2] Lloyd’s, ‘Cyber Risks & Exposures : Market Bulletin Ref : Y4842’ (25 November 2014)

<https://assets.lloyds.com/assets/y4842/1/Y4842.pdf > accessed 22 March 2022.

[3] LMA, ‘Cyber War and Cyber Operation Exclusion Clauses’ (LMA21-042-PD, 25 November 2021)  

<https://www.lmalloyds.com/LMA/News/LMA_bulletins/LMA_Bulletins/LMA21-042-PD.aspx> accessed 22 March 2022.

[4] Michael N Schmitt,  ‘The Use of Force’ in Tallin Manual 2.0 on the International Law Applicable to Cyber Operations ( 2nd edition Cambridge University Press 2017)The Tallin Manual is nonbinding legal source which explains how international law applies to cyber operations. It is in the process of a five (5) year review for the launch of Tallinn Manual 3.0.

Insurance Implications of “Phishing”!

Phishing Emails - How to Protect Your Customers When Using E-Signature | OneSpan

The 2Cs, COVID-19 and cyber risks, 2 plagues of our generation, both of which command global interest and competes in both print and online media for daily headlines. They also have one thing in common, they are highly misunderstood and mutates ever so often. For these and other reasons, governments and business stakeholders have invested heavily in developing safety guidelines to mitigate the loss and damages arising directly or indirectly from cyber risks and COVID19. While governments have made some progress in the fight against COVID-19 through the vaccine administration, cyber risks on the other hand is mutating at such a rate where it almost impossible to keep up and the shipping and insurance industries are just as vulnerable to cyber risks as any other industry.  Here we will briefly discuss phishing, often described as the most widespread and pernicious cyber-attack technique, but the discussion will be centered around the decision of the U.S. District Court for the Northern District of Texas  in RealPage v National Union Fire Insurance Company of Pittsburgh and Beazley Insurance Company[1].

BIMCO in its guidelines on cybersecurity risks onboard ships describes phishing as encompassing the sending of emails to many potential targets asking for pieces of sensitive or confidential information. The email may also contain a malicious attachment or request that a person visits a fake website using a hyperlink included in the mail. A distinguishing feature of phishing is that attackers pretend to be a real and trusted person or company that the victim usually or have had business relations. It is reported in the Cyber Security Breaches Survey 2020, that phishing attacks are the most common attack vector used by cyber criminals and that between 2017 and 2020 there has been a rise in the number of businesses experiencing a phishing attacks from 72% to 86% whereas there has been a fall in viruses and other malware from 33% to 16%.[2] Since phishing is such a constant threat to businesses, it is understandable why insurers see the need to cater for this risk in their cyber insurance policies and or other commercial crime policies.

Facts of RealPage case:

RealPage provides several services for their clients who are property owners and managers of real estate. The clients entered contracts with RealPage authorizing it to act as agents on their behalf, and to manage and collect monies debited from their customers’ accounts, and to credit the client’s identified bank account. The tenants authorized the transactions processed by RealPage and this was communicated to RealPage by their clients. RealPage then contracted with Stripe to provide software services that enable payment processing and related functions.

The payment process involved the following:

  1. A tenant would log in to an interface called “Resident Passport” to make a payment to one of RealPage’s clients.
  2. Upon initiation of a payment by a tenant, RealPage would send application programming interface (API) calls[3] to Stripe’s server either through Stripe Dashboard or the On-Site application.
  3. Upon receipt of an API call, for an automated clearing house (ACH) transaction, Stripe would send instructions to its bank, Wells Fargo to process the ACH transfer that would pull money from the tenant’s bank account and place these funds in Stripe’s Wells Fargo bank account.
  4. Thereafter, Stripe would direct Wells Fargo to complete another ACH transfer to pay these funds to the clients in accordance with RealPage’s instructions.

The funds held in Stripe’s accounts were for the benefit of its users and merchants such as RealPage. If there was a balance owed to a client of RealPage, the funds for that client in Stripes account would be for the benefit of the said client. RealPage had no rights to the funds held in Stripes account. RealPage was not entitled to draw funds and did not receive interest from funds maintained in the account. RealPage contracts describes the relationship with Stripes as independent contractors. One exception where Stripe operates as an agent is holding funds that are owed to RealPage

The hackers used targeted phishing to obtain and alter the account credential of a RealPage employee. They then used those credentials to access the Stripe Dashboard and alter RealPage’s fund disbursement instructions to Stripe. The hackers diverted over $10 million that was not yet disbursed to clients. RealPage discovered the fraud, contacted Stripe and directed them to reverse the payments and freeze outgoing payments. RealPage was unable to recover over $6 million of the funds. RealPage refunded clients for lost funds.

Insurance Policies with National Union and Beazley

At the time of the attack, RealPage had a commercial crime policy with National Union and an Excess Fidelity and Crime Policy from Beazley. The Excess Policy provides a $5,000,000 limit of liability “for any loss which triggers coverage under the Commercial Crime Policy.  Therefore, any recovery under the Excess policy was dependent on RealPage successfully making a claim under the Commercial Crime Policy. The following provisions of the Commercial Crime Policy are the most relevant

Ownership of Property; Interests Covered:

The property covered under this policy is limited to property:

(1) That you own or lease; or

(2) That you hold for others whether or not you are legally liable for the

loss of such property.

Computer Fraud:

We will pay for loss of or damage to “money”, “securities” and “other property” resulting directly from the use of any computer to fraudulently cause a transfer of that property from inside the “premises” or “banking premises”:

a. To a person (other than a “messenger”) outside those “premises”; or

b. To a place outside those “premises”.

Funds Transfer Fraud:

We will pay for loss of “funds” resulting directly from a “fraudulent instruction” directing a financial institution to transfer, pay or deliver “funds” from your “transfer account”.

Insurance Claims and Responses

RealPage claim for the funds lost under the policy but National Union was only willing to reimburse the transactional fees owed to Real Page. With respect to the diverted funds that were owed to RealPage clients, National Union concluded that based on their preliminary analysis, RealPage did not own or hold the funds and thus was not entitled to coverage. As a result of National Union’s denial of coverage, RealPage filed a claim seeking a declaration of judgment for the funds fraudulently diverted and lost as a result of the phishing attack.

Court Proceedings

The main issue for the court was ‘whether RealPage is entitled to coverage under commercial crime insurance policies for the loss of its clients’ funds which were diverted through a phishing scheme’? In answering this question, the central issue is whether RealPage held these funds despite its use of a third-party processor, Stripe Inc? After an extensive discussion of the meaning given to the word ‘hold’, it was accepted that there must be possession and not necessarily ownership of an item. Accordingly, the court held that RealPage did not suffer a direct loss as required under the policy as they did not hold the funds at the time of the phishing attack  and in so doing the court decided in National Union and Beazley’s favour granting them summary judgment.

RealPage argued that the policy was expansive enough to cover property they held. They also reasoned that since they had the authority to direct Stripe as to where the funds should go, they ‘held’ the funds. The court rejected this line of reasoning by stating ‘hold’ cannot be reduced to simply the ability to direct but required some sort of possession of property. By applying the ordinary meaning of ‘hold’, Real page was not in possession of the funds. The funds were in Stripes account at Well Fargo and not RealPage up to the time it was diverted to the hackers account. RealPage ability to direct the transfer of the funds does not amount to holding the funds. Furthermore, RealPage had no rights to the funds in the account, could not withdraw the funds and held in the same account as those of other Stripe users.

RealPage had to also establish that they had suffered loss resulting directly from computer fraud or funds transfer fraud. Since RealPage did not hold the funds, its loss resulted from its decision to reimburse its clients. Accordingly, RealPage did not suffer a direct loss as required under the Policy.

Insurance implications

While we acknowledge that this decision is not binding on the courts in the UK, it cannot be denied that many of the practices within the UK cyber insurance market are influenced by what happens in the more mature US market. Furthermore, many of the insurance companies including Beazley who are leading the way in the UK as cyber insurance providers also have parent companies, branch offices or subsidiaries operating in the USA. So, while the decision is not binding, it will certainly be persuasive or at the very least leave an indelible lesson for both assureds and insurers to seek clarity and modify policy clauses relating to loss or damage from phishing or other social engineering attacks.

If a higher court was to approve this judgement and a similar practice is adopted in the UK by insurers, it will be very difficult for assureds who use third party providers to assist them with payment transfers and other transactions to successfully claim an indemnity from their insurers relying on similar policy wording. This would mean even though the assured’s system was breached when the employee inadvertently shared their confidential account details and though the phishing diverted funds belonging to clients of the assured, a policy bearing similar clauses as those provided above, would not respond since the outcome of the claim would be totally dependent on the definition of ‘hold’ and what was considered to be in the possession of the assured as per the requirement of the policy at the time the funds were fraudulently diverted.

To prevent such a harsh outcome for assureds, it is recommended that assures negotiate with their brokers for their cyber insurance policies or commercial crime policies to include words which would cover situations where funds are being held in the account of an agent or third-party contractor.  In so doing, the policy wording could be modified to include not just funds the assured ‘hold or owns’ but to also cover ‘loss of funds for which they have authority to direct’.

Variations in policy wording – UK

  1. Cyber Crime[4]
  2. We will indemnify you in respect of the following for loss by theft committed on or after the Retroactive Date stated in the schedule which is first discovered during the period of insurance and notified to us in accordance with Claims conditions applicable to Section B:

i)   assets due to any fraudulent or dishonest misuse or manipulation by a third party of the computer system operated by you

ii)  your funds or those for which you are responsible at law from an account maintained by you at a financial institution following fraudulent electronic, telegraphic, cable, telephone or email instructions todebit such account and to transfer, pay or deliver funds from such account and which instructions purportto have come from you but which are fraudulently altered, transmitted or issued by a third party or are

a forgery.

  • In the event that any party other than an insured person enters into an agreement with a third party  entity pretending to be you we will pay reasonable fees and costs to establish that such fraud has occurred should the third party seek to enforce such agreements against you provided that such loss is first discovered and is notified to us during the period of insurance.

The words provided in clause 1a (ii) will cause a different outcome when compared to how property was defined and what was decided by the court in RealPage. In RealPage the National Union insurance policy defined ‘property’ as that i) owned or leased by the assured or ii) that you hold for others whether or not you are legally liable for the loss of such property’. Whereas, under Section B- Crime, clause 1a (ii) of Zurich Cyber Policy, the assured will be indemnified for ‘your funds or those for which you are responsible at law from account maintained by you at a financial institution following fraudulent electronic … or email instructions to debit such account and to transfer’. The difference with the Zurich policy is that unlike the National Union policy in RealPage, there is no requirement for the assured to ‘hold’ the funds in the literal sense of the word. Furthermore, under the Zurich policy the insurer will only indemnify the assured if funds are either his or those for which he is responsible at law. This is different in RealPage as the National Union policy will cover property that the assured hold for others whether or not he is legally liable for the loss. Another distinguishing feature between the two policies is that in the Zurich policy the insurer will cover funds from an account maintained by the assured at a financial institution.

This latter feature has similar meaning to ‘hold’ as interpreted by the court in RealPage. If we consider for example, maintenance of a bank account, this includes holding and transferring funds within the account and the execution of other control mechanisms to ensure that the account remains active and in good financial standing. However, others may argue that ‘an account maintained by the assured at a financial institution’ should be given a wider meaning in that even accounts owned or held by a third party at a financial institution may be maintained by the assured. In other words, maintenance of an account does not necessarily mean that the funds must be held or are being held by the assured as was decided in RealPage. If this interpretation should be applied to the facts in RealPage, it is reasonable to conclude that the insurers would have been held liable to indemnify the assured since the monies in the account held by Stripe Inc was the legal responsibility of RealPage. Moreover, if the account was used solely to hold funds related to RealPage business there should be no logical explanation as to why it cannot be accepted that RealPage is maintaining the account in accordance with Zurich policy wording. Either way, the ambiguity and possibility of a trial will be removed if the parties clearly defined and explained what it meant by ‘maintenance of account’.

For those businesses without a cyber insurance policy, coverage may be acquired under their commercial crime policy. Below is an example of a clause covering this type of loss that can be found in most crime policies:

Computer Fraud and Funds Transfer Fraud[5]

The Insurer shall indemnify the Insured for:

1. loss of or damage to Money, Securities or Property resulting directly from

Computer Fraud committed solely by a Third Party; or

2. loss of Money or Securities contained in a Transfer Account at a Financial Institution resulting directly from Funds Transfer Fraud committed solely by a

Third Party.

Funds Transfer Fraud” means fraudulent written, electronic, telegraphic, cable, teletype

or telephone instructions by a Third Party issued to a Financial Institution directing such

institution to transfer, pay or deliver Money or Securities from any account maintained by

an Insured at such institution, without the Insured’s knowledge or consent.[6]

Some crime policies in their definition section provide that a “Transfer Account” means an account maintained by the Insured at a Financial Institution from which the Insured can initiate the transfer, payment or delivery of Money or Securities.”[7] Like the Zurich policy, the implications of the clause will turn on the meaning assigned to ‘maintenance of an account’ as discussed above.

Funds transfer fraud is also covered in Beazley Commercial Crime Insurance Module[8]:

Fund transfer fraud means the transfer of money, securities or other property due to electronic data, computer programs or electronic or telephonic transfer communications within a computer system operated by the insured having been dishonestly, fraudulently, maliciously or criminally modified, replicated, corrupted, altered, deleted, input, created, or prepared.

Fund transfer fraud does not include loss due to social engineering fraud.

Based on this definition and the exclusion of social engineering from Fund transfer fraud, an assured in RealPage’s position could not rely on the Funds transfer clause under their commercial crime policy. Instead, the assured would need to rely on the social engineering fraud clause (where not excluded), variations of which are found in most cyber insurance policies.

Social Engineering Fraud[9] means the insured having authorised, directed or acknowledged the transfer, payment, delivery or receipt of funds or property based on:

  • an electronic or telephonic transfer communication which dishonestly, fraudulently, maliciously or criminally purports to be, but is not, from a customer of the insured, another office or department of the insured, a financial organisation or vendor; or
  •  a written or printed payment instruction obtained by fraudulent impersonation.

In some policies for example Zurich Cyber Policy, an obligation is placed on the assured to confirm the validity of the transfer instructions before actions are taken to send the funds to the account mentioned in the purported instructions. The confirmation must include ‘either verification of the authenticity or accuracy of the transfer instruction by means of a call back to a predetermined number or the use of some other verification procedure and the assured must keep a written record of the verifications along with all elements of the fraudulent transfer instruction’.[10]  It is imperative for assureds to check their cyber insurance and or commercial crime policies to ensure they have adequate protection against phishing and other types of social engineering attacks as cyber criminals will continue to use these attack vectors to steal from companies.

[1] Civil Action No. 3:19-cv-1350-b (ND Tex Feb 24, 2021)

[2] Department for Digital, Culture, Media & Sport, ‘Cybersecurity breaches survey 2020’ (March 2020) <https://www.gov.uk/government/statistics/cyber-security-breaches-survey-2020/cyber-security-breaches-survey-2020 > accessed 31 March 2021.

[3] The API calls sent from RealPage to Stripe provided information about the tenant’s account, the client’s destination account and the amount due to the client.

[4] Zurich Insurance plc, ‘Cyber Policy: Section B – Crime’ (2020) 29 < https://www.zurich.co.uk/business/business-insurance/specialty-lines/financial-lines/cyber  > accessed 8 April 2021.

[5] Beazley Inc, ‘Crime Insurance Policy: Insuring Clause 1F’ (BICCR00020411)<https://www.beazley.com/documents/Management%20Liability/Crime/Crime%20Policy.pdf> accessed 9 April 2021.

[6] Beazley Inc, ‘Crime Insurance Policy: Clause II Definition EE’ (BICCR00020411)<https://www.beazley.com/documents/Management%20Liability/Crime/Crime%20Policy.pdf> accessed 9 April 2021.

[7] Beazley Inc, ‘Crime Insurance Policy: Clause II Definition P’ (BICCR00020411)<https://www.beazley.com/documents/Management%20Liability/Crime/Crime%20Policy.pdf> accessed 9 April 2021.

[8] Beazley Inc, ‘Commercial Crime Insurance Module (Lloyds Syndicate) Clause F: Definitions’

<https://www.beazley.com/documents/Wordings/Commercial%20Crime%20Module%20%28Lloyd%27s%20syndicate%29.pdf > accessed 9 April 2021.

[9] Ibid.

[10] Zurich Insurance plc, ‘Cyber Policy: Conditons application to Section B – 7 Social Engineering Cover’ (2020) 31

< https://www.zurich.co.uk/business/business-insurance/specialty-lines/financial-lines/cyber  > accessed 8 April 2021.

Microsoft Exchange Email Hacks!

numbers projected on face
Photo by Mati Mango on Pexels.com

Another cyber-attack labelled ‘Microsoft Exchange Email hacks’ hits the news again! This attack has been concerningly described as ‘zero day’ attack. A zero-day attack means that the points of vulnerability were unknown before the attack therefore the cyber-attack occurs on the same day that the weakness is discovered in the software. Like so many things happening around the world at this point, the race is on to get on top of these attacks which are believed to be state sponsored and cultivated in China by the hacking group Hafnium. Chinese government denies any involvement. This method of attack has already been replicated and used to infiltrate companies and public bodies in more than 115 countries around the world.  It is still early days, so many UK companies may still be unaware that their systems have been hacked. The European Banking Authority has reported that their system has been compromised and that there is a possibility that personal data has been exposed.  

What happened?

Microsoft announced that the hacking group exploited four (4) zero-day vulnerabilities in the server’s system to enter the Microsoft Exchange Server which is used by large corporations and public bodies across the world. The calendar software of governments and data centres were also compromised. The hackers also sometimes used stolen passwords to gain unauthorized access to the system. The hackers would then take control of the server remotely and steal data from the network. The attack has affected thousands around the world.

Tom Burts, a VP at Microsoft described in a sequential order how the attack was carried out;

First, it would gain access to an Exchange Server either with stolen passwords or by using the previously undiscovered vulnerabilities to disguise itself as someone who should have access.

Second, it would create what’s called a web shell to control the compromised server remotely.

Third, it would use that remote access – run from the U.S. based private servers to steal data from an organization’s network.[1]

What is not affected?

The identified vulnerabilities do not affect Exchange Online, Microsoft’s cloud-based email and calendar services that’s included in commercial Office 365 and Microsoft 365 subscriptions.

International Response

In response Microsoft issued a software update for its 2010, 2013, 2016 and 2019 versions of Exchange. The UK National Cybersecurity Centre, the US and the Norwegian governments are already issuing warnings and guidelines to businesses about the hacks.

But what does this mean for insurers?

This is an extra dent in the cyber security efforts of companies and public bodies yet another opportunity for a lesson to the insurance market of the potential global and high aggregate loss from just one attack. This incident is another illustration of how susceptible computer systems and servers are to cyber-attacks. Similarly, it is another indication to corporations and public bodies that foreign entities are working assiduously to identify and exploit vulnerabilities within their systems to achieve their motives, whatever they may be. So far, the impact is widespread, and victims include organisations such as infectious disease researchers, law firms, higher education institutions, defence contractors, NGOs. Cybersecurity group Huntress has reported many of their partners servers have been affected and they include small businesses for example small hotels, ice cream company, senior citizen communities, banks, local government and electricity companies[2].

In light of the recent business interruption decision from the Supreme Court, it will be interesting to see how many of these UK companies will present their claims to insurers and how insurers will respond to claims from assured whose businesses may have been interrupted by the Exchange Email hacks.

There will be gaps and exclusions in these Business Interruption policies which may not provide adequate protection against cyber risks so it is the assured with a cyber risk policy / insurance coverage who will be the most protected during and after these attacks.

Applicable cyber insurance clauses and possible response of insurers

Most cyber insurance policies cover data loss and business interruption as a result of a security breach so this will not be much of an issue for assureds with cyber insurance coverage. There are exclusions in most cyber insurance policies which may leave an assured vulnerable when hacking of this nature (Microsoft Exchange hack) occurs. Let us consider some of these exclusions and their potential impact further:

  1. First Party Loss

costs or expenses incurred by the insured to identify or remediate software program errors or vulnerabilities or update, replace, restore, assemble, reproduce, recollect or enhance data or computer systems to a level beyond that which existed prior to a security breachsystem failuredependent security breachdependent system failure or extortion threat;

  • Betterment

for repairing, replacing or restoring the Insured’s Computer System to a level beyond that which existed prior to any Claim or Loss;

The inclusion of this or any clause with similar wording means the assured may not be covered for the expenses and cost incurred to hire experts to identify or remediate vulnerabilities within their IT systems. Consequently, the assured will not be indemnified for the expenses or costs incurred to install the patches as recommended by Microsoft as these will be classified as updates or enhancement to the computer system beyond a level that which existed prior to the security breach.

  • Infrastructure failure

We will not make any payment for any claim, loss or any other liability under this section directly or indirectly due to:

  1. Any failure or interruption of service provided by an internet service provider, telecommunications provider, utilities supplier or other infrastructure provider. However, this exclusion does not apply where you provide such services as part of your business.

OR

ii.     failure or malfunction of satellites or of power, utility, mechanical or telecommunications (including internet) infrastructure or services that are not under the insured organization’s direct operational control.

OR

  • Third party providers
  1. arising out of the failure of any third party provider including any utility, cloud, internet service provider or telecommunications provider, unless arising from a failure of the Insured to protect against unauthorised access to, unauthorised use of, or a denial of service attack or damage, destruction, alteration, corruption, copying, stealing or misuse by a Hacker of the Insured’s Computer system;

OR

ii.   The Insurer shall not be liable to indemnify the Insured against any Loss arising as a result of the failure of a third party service provider or cloud provider unless they are hosting hardware or software that is owned by the Insured.

Could the relationship between Microsoft and its clients fall into the category of ‘other infrastructure provider’ to relieve the insurer of any liability to the assured? As software service providers of Microsoft 365 and Azure it will be no surprise to see claims being denied based on clauses with the same or similar wording. However, the assured may object to the insurer’s denial of the claim by the applying ejusdem generis rule in stating that ‘or other infrastructure provider’ should be limited to companies such as Virgin Media, British Gas or Welsh Water and not extend to software providers. According to Cambridge dictionary, infrastructure as it relates to IT means the ‘equipment, software, etc. that a computer system needs in order to operate and communicate with other computers.’ If this definition is accepted by the parties, the challenge for the insurer will be to establish that the Microsoft Exchange Server qualifies as a software needed for a computer system to operate and communicate with other computers. Rather, the function of the Microsoft exchange server is to aid with email storage and calendaring and is unrelated to other operational functions necessary to communicate with other computers.

Certainly ‘infrastructure or services that are not under the insured organization’s direct operational control’ will create less problems for the insurer to establish that the exclusion applies as this broad construction will exclude losses and expenses from incidents such as Microsoft Email Exchange Hack.

  • Government intrusion
  1. which results, directly or indirectly, from access to, confiscation or destruction of the Insured’s Computer system by any government, governmental agency or sub-agency, public authority or any agents thereof;

Since the Microsoft Exchange Email are believed to be carried out by Hafnium which is a government backed group, it is reasonable to identify them as agents of the government of China.  Therefore, assureds whose policies include a government intrusion exclusion may be denied coverage for their loss or expenses arising directly or indirectly from access to or destruction of the assured’s computer system by groups such as Hafnium.

Conclusion and the way forward

As aforementioned, it is early days and the real financial impact if any from these attacks are not yet known. However, what is certain is that hackers, whether state sponsored are not are using very sophisticated techniques to identify and exploit vulnerabilities within computer servers and networks. Therefore, companies and public bodies must continue to invest in employee training and take reasonable steps to manage and mitigate their losses from potential cyber-attacks which unfortunately will happen at one point. Among those decisions should be the purchase of cyber insurance policies that addresses the needs of the business with particular attention being placed on the exclusions clauses and ensuring that as an assured you are adequately protected against the cybersecurity risks to which you are most directly and indirectly prone .

While large corporations and government entities may have the requisite IT expertise to support them, the real concern remains for those small and medium sized businesses that do not have the resources for a complete check and cleaning of their systems. Therefore, larger corporations within the supply chain must offer their expertise to the small and medium sized businesses with which they trade to respond to this and other cyber security threats.  Since Microsoft Exchange Online servers have not been affected, many small and medium sized businesses may begin to switch to using cloud-based email storage. However, this does not mean they will be immune from cyber-attacks.

Tokio Marine in their Cybersecurity Insurance Policy wording 0417 went as far as to include a list of reasonable steps that an insured should take to avoid / mitigate their loss and these along with government and industry guidelines should be a good starting point in your fight against cyber attacks and their debilitating impacts.

Reasonable steps to avoid Loss

The Insured shall protect its Computer system by:

a. having Virus protection software operating, correctly configured and regularly or automatically updated;

b. updating Computer systems with new protection patches issued by the original system or software manufacturer of supplier;

c. having a fire wall or similar configured device to control access to its Computer system;

d. encrypting and controlling the access to its Computer system and external devices including plug-in devices networked to its Computer system;

e. controlling unauthorised access to its Computer system by correctly configuring its wireless network;

f. changing all passwords on information and communication assets at least every 60 days and cancel any username, password or other security protection once an Employee’s employment has been terminated or after it knew or had reasonable grounds to suspect that it had become available to any unauthorised person;

g. taking regular back-up copies of any data, file or programme on its Computer system are taken and held in a secondary location;

h. having an operational system for logging and monitoring user activity on its Computer system;

i. remote wipe functionality is installed and enabled on all portable devices where such functionality is available

[1] Tom Burts, ‘New Nation – State Cyber attacks’ (02 March 2021) < https://blogs.microsoft.com/on-the-issues/2021/03/02/new-nation-state-cyberattacks/> accessed 14 March 2021.

[2] John Hammond, ‘Rapid Response: Mass Exploitation of On-Prem Exchange Servers’ (03 March 2021) < https://www.huntress.com/blog/rapid-response-mass-exploitation-of-on-prem-exchange-servers?__hstc=1139630.77196394391fe1afb6fc8e7d1d6a8bc9.1615725167878.1615725167878.1615725167878.1&__hssc=1139630.5.1615725167882&__hsfp=3684379411&hsutk=77196394391fe1afb6fc8e7d1d6a8bc9&contentType=listing-page> accessed 14 March 2021.

13TH ANNUAL COLLOQUIUM OF THE IISTL — MARITIME LIABILITIES IN A GLOBAL AND REGIONAL CONTEXT

Print
informa_law_header

13th ANNUAL COLLOQUIUM OF THE IISTL

MARITIME LIABILITIES IN A GLOBAL AND REGIONAL CONTEXT

  4-5 SEPTEMBER 2017

The annual gathering, organised by the Institute of International Shipping and Trade Law (IISTL), has now established itself as a regular fixture in the calendar of maritime lawyers. This year’s event will be devoted to Maritime Liabilities in A Regional and Global Context: The EU and Beyond.

 Topics covered will include:

  • Liabilities for ship recycling
  • Wreck removal – Nairobi and beyond
  • National and international oil pollution regimes – an uneasy coexistence
  • Pollution from oil rigs and offshore installations: legal issues arising
  • The boundaries of shipping liability law: what is a ship and why does it matter?
  • Ship arrest – yesterday’s conventions and today’s problems
  • Cyber risks and liabilities for marine sector
  • Smart containers
  • Passenger Liabilities- Life after BREXIT
  • Limitation of liability – new problems
  • Cross-border insolvency and maritime arbitration
  • Direct action against insurers and P & I Clubs
  • Jurisdiction and Choice of law after BREXIT

Speakers and Chairpersons

  • Professor Lia Athanassiou, School of Law, Athens University, Greece
  • Professor Simon Baughen, IISTL, Swansea University, UK
  • Professor Olivier Cachard, University of Lorraine, France
  • Andrew Chamberlain, Partner and Mariner, Holman Fenwick Willan LLP, London, UK
  • Simon Cooper, Partner, Ince & Co LLP, London, UK
  • Professor Marc Huybrechts, University of Antwerp, Belgium
  • Dr Henning Jessen, World Maritime University, Sweden
  • Mr Måns Jacobsson, Former Director of International Oil Pollution Compensation Funds, Sweden
  • Dr Tabetha Kurtz-Shefford, IISTL, Swansea University, UK
  • Associate Professor George Leloudas, IISTL, Swansea University,UK
  • Mr Justice Males, Presiding Judge of the North East Circuit, High Court of England and Wales
  • Peter Macdonald-Eggers QC, 7 King’s Bench Walk, London, UK
  • Associate Professor Theodora Nikaki, IISTL, Swansea University, UK
  • Dr Frank Stevens, Erasmus University, The Netherlands
  • Professor Barış Soyer, Director, IISTL, Swansea University,UK
  • Dr. Jur. Bülent Sözer, Yeditepe University, Turkey
  • Professor Andrew Tettenborn, IISTL, Swansea University, UK
  • Emeritus Professor Rhidian D. Thomas, IISTL, Swansea University, UK

 

Registration, Fees & Accommodation

To register (and book university accommodation) please click the link here: Eventbrite  

  • Fee, inc. materials, dinner & accommodation for 2 nights (3-4 Sept): £440
  • Fee, inc. materials and dinner: £350
  • Fee (for Research Students) inc. materials, dinner & accommodation for 2 nights (3-4 Sept): £265
  • Fee (for Research Students) inc. materials & dinner: £175

 Should you not like to take advantage of our on-campus accommodation, please feel free to make your own arrangements. There are several good hotels in town, notably the Dragon Hotel, tel: 01792 657100, and the Marriott Hotel, tel: 01792 642020. Please note, however, that the organisers cannot take responsibility for booking accommodation off campus.

The closing date for registration is 28 August 2017

Questions & Further Information

Should you have any further queries, please direct your email to: Ms Stella Kounakou 806114@swansea.ac.uk

We looking forward to seeing you at Swansea. 

Professor B. Soyer

Law_662