Microsoft Exchange Email Hacks!


Another cyber-attack, labelled the ‘Microsoft Exchange Email hacks’, has hit the news. Concerningly, it has been described as a ‘zero-day’ attack. A zero-day attack is one in which the points of vulnerability were unknown before the attack, so the cyber-attack occurs on the same day that the weakness in the software is discovered. Like so many things happening around the world at this point, the race is on to get on top of these attacks, which are believed to be state sponsored and cultivated in China by the hacking group Hafnium; the Chinese government denies any involvement. This method of attack has already been replicated and used to infiltrate companies and public bodies in more than 115 countries around the world. It is still early days, so many UK companies may still be unaware that their systems have been hacked. The European Banking Authority has reported that its system has been compromised and that personal data may have been exposed.

What happened?

Microsoft announced that the hacking group exploited four (4) zero-day vulnerabilities to enter Microsoft Exchange Server, which is used by large corporations and public bodies across the world. The calendar software of governments and data centres was also compromised. The hackers also sometimes used stolen passwords to gain unauthorised access to the system. They would then take control of the server remotely and steal data from the network. The attack has affected thousands around the world.

Tom Burt, a Vice President at Microsoft, described in sequence how the attack was carried out:

First, it would gain access to an Exchange Server either with stolen passwords or by using the previously undiscovered vulnerabilities to disguise itself as someone who should have access.

Second, it would create what’s called a web shell to control the compromised server remotely.

Third, it would use that remote access – run from the U.S.-based private servers – to steal data from an organization’s network.[1]

What is not affected?

The identified vulnerabilities do not affect Exchange Online, Microsoft’s cloud-based email and calendar service that is included in commercial Office 365 and Microsoft 365 subscriptions.

International Response

In response, Microsoft issued a software update for the 2010, 2013, 2016 and 2019 versions of Exchange. The UK National Cyber Security Centre and the US and Norwegian governments are already issuing warnings and guidelines to businesses about the hacks.

But what does this mean for insurers?

This is a further dent in the cyber security efforts of companies and public bodies, and yet another lesson to the insurance market about the potential for global and high aggregate losses from a single attack. The incident is another illustration of how susceptible computer systems and servers are to cyber-attacks. It is also a further indication to corporations and public bodies that foreign entities are working assiduously to identify and exploit vulnerabilities within their systems to achieve their motives, whatever those may be. So far, the impact is widespread, and victims include infectious disease researchers, law firms, higher education institutions, defence contractors and NGOs. The cybersecurity group Huntress has reported that many of its partners’ servers have been affected, including those of small businesses such as small hotels, an ice cream company, senior citizen communities, banks, local government and electricity companies.[2]

In light of the recent business interruption decision from the Supreme Court, it will be interesting to see how many of these UK companies present their claims to insurers, and how insurers respond to claims from assureds whose businesses may have been interrupted by the Exchange email hacks.

There will be gaps and exclusions in business interruption policies which may not provide adequate protection against cyber risks, so it is the assured with a dedicated cyber risk policy who will be best protected during and after these attacks.

Applicable cyber insurance clauses and possible response of insurers

Most cyber insurance policies cover data loss and business interruption resulting from a security breach, so this will not be much of an issue for assureds with cyber insurance coverage. However, most cyber insurance policies also contain exclusions which may leave an assured exposed when hacking of this nature (the Microsoft Exchange hack) occurs. Let us consider some of these exclusions and their potential impact:

  • First Party Loss

costs or expenses incurred by the insured to identify or remediate software program errors or vulnerabilities, or to update, replace, restore, assemble, reproduce, recollect or enhance data or computer systems to a level beyond that which existed prior to a security breach, system failure, dependent security breach, dependent system failure or extortion threat;

  • Betterment

for repairing, replacing or restoring the Insured’s Computer System to a level beyond that which existed prior to any Claim or Loss;

The inclusion of this or any clause with similar wording means the assured may not be covered for the costs and expenses incurred to hire experts to identify or remediate vulnerabilities within their IT systems. Consequently, the assured will not be indemnified for the costs or expenses incurred to install the patches recommended by Microsoft, as these will be classified as updates or enhancements to the computer system beyond the level which existed prior to the security breach.

  • Infrastructure failure

We will not make any payment for any claim, loss or any other liability under this section directly or indirectly due to:

  i. Any failure or interruption of service provided by an internet service provider, telecommunications provider, utilities supplier or other infrastructure provider. However, this exclusion does not apply where you provide such services as part of your business.

OR

  ii. failure or malfunction of satellites or of power, utility, mechanical or telecommunications (including internet) infrastructure or services that are not under the insured organization’s direct operational control.

OR

  • Third party providers
  i. arising out of the failure of any third party provider including any utility, cloud, internet service provider or telecommunications provider, unless arising from a failure of the Insured to protect against unauthorised access to, unauthorised use of, or a denial of service attack or damage, destruction, alteration, corruption, copying, stealing or misuse by a Hacker of the Insured’s Computer system;

OR

  ii. The Insurer shall not be liable to indemnify the Insured against any Loss arising as a result of the failure of a third party service provider or cloud provider unless they are hosting hardware or software that is owned by the Insured.

Could the relationship between Microsoft and its clients fall into the category of ‘other infrastructure provider’, relieving the insurer of any liability to the assured? Given that Microsoft is the software service provider behind Microsoft 365 and Azure, it will be no surprise to see claims denied on the basis of clauses with the same or similar wording. However, the assured may object to the insurer’s denial of the claim by applying the ejusdem generis rule, arguing that ‘or other infrastructure provider’ should be limited to companies such as Virgin Media, British Gas or Welsh Water and not extend to software providers. According to the Cambridge Dictionary, infrastructure, as it relates to IT, means the ‘equipment, software, etc. that a computer system needs in order to operate and communicate with other computers.’ If this definition is accepted by the parties, the challenge for the insurer will be to establish that Microsoft Exchange Server qualifies as software needed for a computer system to operate and communicate with other computers. Rather, the function of Microsoft Exchange Server is to support email storage and calendaring, and it is unrelated to the other operational functions necessary to communicate with other computers.

Certainly, ‘infrastructure or services that are not under the insured organization’s direct operational control’ will create fewer problems for the insurer in establishing that the exclusion applies, as this broad construction will exclude losses and expenses from incidents such as the Microsoft Exchange email hack.

  • Government intrusion
  i. which results, directly or indirectly, from access to, confiscation or destruction of the Insured’s Computer system by any government, governmental agency or sub-agency, public authority or any agents thereof;

Since the Microsoft Exchange email hacks are believed to have been carried out by Hafnium, a government-backed group, it is reasonable to identify its members as agents of the government of China. Therefore, assureds whose policies include a government intrusion exclusion may be denied coverage for losses or expenses arising directly or indirectly from access to or destruction of the assured’s computer system by groups such as Hafnium.

Conclusion and the way forward

As mentioned above, it is early days and the real financial impact, if any, of these attacks is not yet known. What is certain, however, is that hackers, whether state sponsored or not, are using very sophisticated techniques to identify and exploit vulnerabilities within computer servers and networks. Companies and public bodies must therefore continue to invest in employee training and take reasonable steps to manage and mitigate their losses from potential cyber-attacks, which unfortunately will happen at some point. Among those decisions should be the purchase of a cyber insurance policy that addresses the needs of the business, with particular attention paid to the exclusion clauses, ensuring that, as an assured, you are adequately protected against the cybersecurity risks to which you are most directly and indirectly prone.

While large corporations and government entities may have the requisite IT expertise to support them, the real concern remains for small and medium sized businesses that do not have the resources for a complete check and cleaning of their systems. Larger corporations within the supply chain must therefore offer their expertise to the small and medium sized businesses with which they trade in responding to this and other cyber security threats. Since Exchange Online has not been affected, many small and medium sized businesses may begin to switch to cloud-based email. However, this does not mean they will be immune from cyber-attacks.

Tokio Marine, in its Cybersecurity Insurance Policy wording 0417, went as far as to include a list of reasonable steps that an insured should take to avoid or mitigate loss; these, along with government and industry guidelines, should be a good starting point in the fight against cyber-attacks and their debilitating impacts.

Reasonable steps to avoid Loss

The Insured shall protect its Computer system by:

a. having Virus protection software operating, correctly configured and regularly or automatically updated;

b. updating Computer systems with new protection patches issued by the original system or software manufacturer or supplier;

c. having a firewall or similarly configured device to control access to its Computer system;

d. encrypting and controlling the access to its Computer system and external devices including plug-in devices networked to its Computer system;

e. controlling unauthorised access to its Computer system by correctly configuring its wireless network;

f. changing all passwords on information and communication assets at least every 60 days and cancelling any username, password or other security protection once an Employee’s employment has been terminated or after it knew or had reasonable grounds to suspect that it had become available to any unauthorised person;

g. ensuring that regular back-up copies of any data, file or programme on its Computer system are taken and held in a secondary location;

h. having an operational system for logging and monitoring user activity on its Computer system;

i. ensuring that remote wipe functionality is installed and enabled on all portable devices where such functionality is available.


[1] Tom Burt, ‘New Nation-State Cyberattacks’ (02 March 2021) <https://blogs.microsoft.com/on-the-issues/2021/03/02/new-nation-state-cyberattacks/> accessed 14 March 2021.

[2] John Hammond, ‘Rapid Response: Mass Exploitation of On-Prem Exchange Servers’ (03 March 2021) <https://www.huntress.com/blog/rapid-response-mass-exploitation-of-on-prem-exchange-servers> accessed 14 March 2021.

The 11th IISTL Annual Colloquium

International Trade and Carriage of Goods: Emerging Issues and Legal Problems in Contemporary Practice

It has been a decade since the Law School’s Institute of International Shipping and Trade Law (IISTL) launched its annual international colloquia with a view to providing a forum for discussing contemporary and controversial aspects of shipping, trade and commercial law.

From modest and experimental beginnings in 2005, these colloquia have grown exponentially and established themselves as a key event in the commercial maritime law calendar. Today they attract not only the best academics in the area from the UK, Europe and elsewhere, but also large numbers of leading lawyers, judges and executives from shipbroking, P & I, banking and other businesses.

This year’s event, the eleventh in the series, was held on 10-11 September at Swansea and was devoted to international sale contracts and related issues such as carriage issues, documentary credits and cargo insurance. It was fully embraced by the international shipping and trade community, attracting 72 delegates from 11 jurisdictions. In addition to academics, lawyers, arbitrators and P & I interests were represented; from the commercial judiciary we were delighted to welcome the Hon. Mr Justice Males (Presiding Judge of the North Eastern Circuit), who enthusiastically participated in the debates and chaired one of the sessions. Apart from academics from the IISTL, namely Professors Baughen, Soyer, Tettenborn and Williams and Associate Professor Theodora Nikaki, the following academics and practitioners presented papers at the event:

Professor Olivier Cachard (University of Lorraine, France); Professor Jason Chuah (Head of Department, The City Law School, City University London); Sara Cockerill QC (Essex Court Chambers); Dr Miriam Goldby (Centre for Commercial Law Studies, Queen Mary, University of London); Damian Honey (Partner, Holman Fenwick Willan LLP); Ruth Hosking (Quadrant Chambers); Peter MacDonald-Eggers QC (7 King’s Bench Walk and IISTL); Simon Rainey QC (Quadrant Chambers and IISTL); Stuart Shepherd (Partner, Ince & Co LLP); Professor Michael Sturley (University of Texas, Austin); and Dr Frank Stevens (Roosendaal Kezer Advocaten, Antwerp).


From left to right: Professor James Hu (Shanghai Maritime University), Professor Richard Williams (IISTL) and Professor Olivier Cachard (University of Lorraine, France)

The Colloquium dinner, most generously sponsored by leading commercial law publisher Informa Law and entertainingly hosted by Head of College Professor Elwen Evans QC, was held at Sketty Hall. Informa (to whom, as ever, the IISTL remains enormously grateful) has also agreed to publish the papers presented at the Colloquium in book format in 2016, thus continuing another excellent tradition.

Talking after the event, Professor Soyer, Director of the IISTL, commented:

“The fact that this year’s Colloquium attracted record numbers of delegates from all around the world, including the US and China, is a clear sign that this event has been taken to heart by the shipping and trade community and is a permanent fixture. I would like to thank all those who helped: delegates, speakers and chairpersons, and also my colleagues at the IISTL who provided their unstinting support. I am leading a talented group of individuals here at the IISTL, who have enormous respect for each other and the sector that we aim to serve. They exemplify everything that is good about diversity and co-operation, and this becomes ever more obvious during events like this!

A number of events are planned for 2016, and the IISTL will continue to work towards achieving one of its key missions: namely bridging the gap between academia and practice.”


Professor Baris Soyer (Director, IISTL) presenting his paper

Insurance and fraudulent claims

Hard on the heels of legislation in the Insurance Act 2015 about fraudulent claims by the insured, readers may like to know that insurers can now take comfort from s.57 of the Criminal Justice and Courts Act 2015 concerning third party dishonesty. Essentially where there is substantial dishonesty in or about an injury claim the entire claim falls to be dismissed, subject to a “substantial injustice” exception.

Andrew Tettenborn

Free in/ Free out clauses and cargo claims

SDTM-CI v Continental Lines N.V. [2015] EWHC 1747 (Comm)

Cargo claims were brought against the shipowner under two bills of lading incorporating the terms of a charterparty which contained a clause providing “Cargo shall be loaded, spout trimmed and/or stowed at the expenses and risk of Shippers/Charterers … Cargo shall be discharged at the expenses and risk of Receivers/Charterers at the average rate of 1,500 metric tons per weather working day ……Stowage shall be under Master’s direction and responsibility…” Flaux J has held that the incorporated provision has the effect of transferring responsibility for loading and discharging away from the shipowner. To the extent that it was established that the cargo was damaged by bad loading and/or discharge, as opposed to bad stowage, the cargo interests could not recover such damages from the shipowner.

Simon Baughen

Receivables Financing

LLM Credit and Security students might care to note s.1 of the Small Business, Enterprise and Employment Act 2015. This gives the right to pass regulations disallowing anti-assignment clauses where the interests of receivables financiers are concerned, effectively reversing Helstan v Herts CC [1978] 3 All ER 262.

Andrew Tettenborn

See http://www.legislation.gov.uk/ukpga/2015/26/contents/enacted/data.htm

Arrest of Ships

An interesting decision of the Federal Court of Australia in The Sam Hawk [2015] FCA 1005. For the purpose of determining if a claimant has a maritime lien for a contractual claim (here the supply of bunkers), the law of the contract under which the bunkers were supplied controls. The court refused to follow the Privy Council in The Halcyon Isle [1981] AC 221.

More details at http://www.hfw.com/Arrest-of-the-SAM-HAWK-October-2015

Andrew Tettenborn

Other E-Discussions Out There

This is a blog for commercial lawyers. Three other blogs (or rather, one blog and two discussion lists) help keep us well-informed and deserve a plug.

First, there’s a new North American blog based at Harvard, entitled New Private Law: Project on the Foundations of Private Law. Started brilliantly and promises well. Go to http://blogs.law.harvard.edu/nplblog/

Second, the Association of American Law Schools’ AALS Contracts listserv. Mainly US, but some English and European input too. A listserv is essentially an email exchange facility. If you have a thought, you send it to their composite email address (aalscontracts@lists.umn.edu) and it automatically goes to all subscribers. Long threads can build up. You have to be a subscriber to participate. To become one, send an email to listserv@lists.umn.edu with just the wording SUBSCRIBE AALSCONTRACTS in the message body. Enquiries to the list owner at aalscontracts-request@lists.umn.edu. You get a steady trickle of emails, which occasionally becomes a gush when something sexy comes up.

Third, there’s the Obligations Discussion Group (ODG). Also a listserv; same principles as above. Run by the excellent Prof Jason Neyers at the University of Western Ontario in London, Ontario, Canada. English and Commonwealth predominantly; some US. Intelligent, informal and fun. To join, contact Jason Neyers at jneyers@uwo.ca. A bit like London buses: you can go a long time with nothing at all and then your inbox gets deluged with argument for a few hours.

Andrew Tettenborn

24.09.2015

IISTL Members at Prestigious International Events in 2014-15

Academic staff teaching on Swansea LLM degrees are at the forefront of scholarship in their particular areas of expertise, which they combine with skilled and innovative teaching.

They are also members of the Institute of International Shipping and Trade Law (IISTL), an internationally renowned research centre, which promotes research and teaching of the highest standard in the fields of international shipping and trade law. 

The IISTL has a global reputation and its members are often invited to speak at international conferences to disseminate the results of their research. As in any other year, with the commencement of the 2014-15 academic year members of the Postgraduate Legal Studies Department have travelled around the world delivering academic papers at prominent international events on shipping, transport and trade law.


On 17 September 2014, Dr Theodora Nikaki delivered a keynote address at the InterTran Research Project Closing Conference in Helsinki entitled “European Intermodal Sustainable Transport – Quo Vadis?”. The InterTran project is an interdisciplinary research project focusing on the expanding new European transport policy from a legal and logistical point of view. It is a research project financed jointly by the Finnish Academy and the Scandinavian Institute of Maritime Law. Dr Nikaki’s paper, titled “The Future of Multimodal Transport: Is the Uniform Liability System the Way Forward?”, tested the feasibility of the uniform liability system as the basis of a new multimodal regime. The paper also examined the difficulties in implementing a new multimodal transport regime arising out of the existing international transport conventions, a theme which also provoked a lively debate among the participants.


On 11 September, Professor Andrew Tettenborn addressed the Eighth European Colloquium on Maritime Law Research, hosted by the Rotterdam Institute for Shipping & Transport Law (RISTL). The European Maritime Colloquia are a series of biannual conferences organized by leading maritime law centres in Europe, in collaboration with the Scandinavian Institute of Maritime Law (University of Oslo, Norway). The Eighth Colloquium’s theme was “Common core, PECL and DCFR: Could they change shipping law?” and Professor Tettenborn delivered a paper on “How far the imposition of a serious good faith obligation (an important part of both PECL and DCFR) might impact on the black-and-white world of shipping contracts.” His thought-provoking paper sparked a debate over the concept of good faith in various jurisdictions and its impact on shipping law.

On 16 October, Professor Simon Baughen gave a paper at a conference at the University of Marmara on “Marine Pollution Liabilities in EU waters. New Developments”, which considered the impact on oil rig operators of art. 38 of the 2013 Offshore Oil and Gas Operations Directive, which extends the geographical limits of water pollution to the EEZ of Member States. The paper also considered the extent to which the CLC system of civil liability for oil pollution from ships has been undermined by civil claims attached to criminal proceedings arising out of the ‘Erika’ spill, in France, and the ‘Prestige’ spill, in Spain.

Most recently (7-8 November), Professor Bariş Soyer, the Director of the IISTL, attended the International Conference on “Hong Kong Maritime Law Forum” organised by the Hong Kong Centre for Maritime and Transportation Law (City University of Hong Kong) and delivered a paper discussing why the Athens Convention 2002 will be a good model for Asian countries to follow to regulate compensation claims for passengers carried by sea. Professor Soyer has written on this subject extensively and is currently working on a piece with Dr Leloudas, another IISTL member, evaluating how air law conventions can be utilised to fill the gaps that arise in the context of the Athens Convention.

On 8 November Professor Simon Baughen co-organised a conference at the University of Bristol on “Corporate Accountability and Access to remedies for Corporate Wrongs”, the third in a series of conferences organised by the University of Sheffield with an ESRC grant. The series will conclude in 2017 with a submission to the UN Human Rights Council based on findings from the conference series. Professor Baughen gave a paper “Life after Kiobel. The future for human rights litigations against MNCs in the US.” on the future of human rights litigation in the US District Courts under the Alien Tort Statute following the Supreme Court’s decision on the territorial reach of the statute in April 2013 in Kiobel.

Similarly, with the commencement of the new academic year, IISTL members spread around the world presenting academic papers in various international events addressing shipping, transport, trade and marine and environmental law.

Professor Bariş Soyer, the Director of the IISTL, was invited to present a paper at the 8th International Conference of Maritime Law organised by the Piraeus Bar Association, held at the Congress Hall of the Piraeus Port Authority (10-12 October 2013). This event was the latest in a prestigious series, first established 22 years ago, which provides a forum for maritime academics, practitioners, public officers and experts from all over the world to discuss timely issues of theoretical and practical interest. The theme of this year’s event, which was a fitting tribute to the late Emeritus Professor Anthony M. Antapassis (Athens University), to whom the conference was dedicated, was ‘Shipping in Periods of Distress’. Professor Soyer’s paper, entitled ‘Early Redelivery of Chartered Vessels – Remedies Available for Shipowners’, was well received and prompted an interesting debate on the subject. The early redelivery of chartered vessels poses significant problems for shipowners. As Professor Soyer outlined, the current legal protection accorded to shipowners under English law is far from satisfactory. In his paper, Professor Soyer elaborated how shipowners could best protect themselves by incorporating contractual provisions into their agreements with charterers.

In May 2014, Professor Soyer was invited by the Italian School of Judiciary (Scuola Superiore Della Magistratura) to speak at their Conference held at Genova on international maritime law. This event, which was organised in collaboration with the Association of Bar of Genoa, attracted delegates from the Italian judiciary and legal practice. Professor Soyer in his paper evaluated the position of standard cargo insurance on offer in international insurance markets highlighting their limitations especially in the context of multimodal transport.

On 11-14 October Dr Richard Caddell participated in the Sixth Symposium on Polar Law, an annual event dedicated to the regulation of the Arctic and Antarctic regions which has rapidly established itself as the leading scholarly forum for debating these issues. The Polar Regions – especially the Arctic – have rapidly become a core area of international focus, raising controversial questions over their future governance and the exploitation of marine resources. Dr Caddell presented a paper entitled “Regulating the Whale Wars: Freedom of Protest, Navigational Safety and the Law of the Sea in the Polar Regions”, in which he examined the scope for environmental activism at sea and its conflict with other legitimate uses of ocean space. The paper was especially timely given the recent arrest of 30 Greenpeace activists for boarding the Prirazlomnaya oil platform in Russian Arctic waters, a situation that Dr Caddell examined alongside significant legal developments from a variety of other jurisdictions, which also provoked a lively debate among the participants.

Dr Caddell has also been invited to join an expert group reviewing the future protection of cetaceans (whales, dolphins and porpoises) under European law, with a view towards reforming the current unsatisfactory and contentious legal position of these species. Moreover, in late October he presented a paper entitled “Wilderness Protection in Estonia” at a workshop of invited participants at the University of Tilburg, the Netherlands. This research will form part of a chapter contribution to the first major book examining European wilderness law, edited by Professor Kees Bastmeijer, scheduled for publication by Cambridge University Press in 2014.

Dr Leloudas was invited to the 5th Annual McGill Conference on International Aviation Liability & Insurance, which was held in Montreal, Canada (25-26 October 2013). The Conference is one of the main international events in the field of carriage of passengers by air and attracts aviation legal professionals from all over the world. Dr Leloudas was on the panel that discussed the erosion of the principle of exclusivity under the Warsaw and Montreal Conventions, a principle which creates a constant stream of case law worldwide with often mixed results. Dr Leloudas was one of the very few academics from outside McGill invited to speak at the Conference.

Furthermore, Dr George Leloudas was invited to present a paper to the LL.M (Air Law) students of the Institute of Air & Space Law of McGill University in Canada (24 October 2013). The paper was entitled “Multimodal Transport under the Montreal and the Warsaw Convention: a velvet revolution?”, and in it he examined the boundaries of application of the air law conventions in a multimodal context. This issue is in high academic and practical demand as a result of conflicting case law developing in continental, English and US courts, with Dr Leloudas providing his interpretation of the current judicial developments and his prediction as to where the future lies. The presentation gave the impetus for a heated discussion among the students, the academics of the Institute and the speaker on the (dis)uniformity of this area of law and the commercial reasons behind the latest judicial developments.