At the Wall Street Journal Elizabeth Braw wonders whether insurance should cover damages due to hacking:
In the best-case scenario, today’s hybrid warfare drives up the cost of insurance enormously, as in the Strait of Hormuz. Anthony Gurnee, CEO of Ardmore Shipping, told CNBC in July that the cost of covering a trip through the strait had grown 10-fold in two months.
Other corporate victims of foreign assaults are even unluckier. Two years ago, the NotPetya attack, a virus targeting Ukrainian government agencies and businesses, spread to various multinational corporations. It caused an estimated $870 million in losses to Merck; $400 million to FedEx ’s European subsidiary, TNT Express; $300 million to Maersk, the Danish shipping giant; and $188 million to Mondelez, which makes Oreos.
It’s unclear if some of those companies will get an insurance payout. Mondelez’s and Merck’s claims have both been denied on grounds that the NotPetya attack was an act of war—an argument supported by the fact that several countries including the U.K. and the U.S. attributed the attack to Russia. Both companies are fighting in court with their insurance companies.
Attacks on businesses linked to foreign governments are becoming increasingly frequent. Hackers working for Beijing and Pyongyang regularly target Western companies. Last year the U.S. Department of Homeland Security and the Federal Bureau of Investigation reported that hackers linked to Russian government operatives have attacked American firms in a variety of sectors, including energy, water, aviation and manufacturing. This is the new state of foreign policy. Earlier this summer the U.S. reportedly hacked the Russian grid.
If the risks of hybrid warfare become too high, certain business activities—think sending cargo ships along particular routes or operating critical national infrastructure such as power plants—may become uninsurable. Businesses are cheap, easy and largely risk-free targets. Western countries’ march toward smart cities, and their increasing use of the internet of things, make their companies and residents more vulnerable still.
My answer is it depends. Maritime insurance usually covers damages due to acts of piracy but not from foreign navies. Consequently and in full recognition that often it’s very difficult to tell, I would think that the source of the hacking would determine whether the risk was insured or not.
As to the broader question she asks, yes, government-sponsored hacking is an act of war just as espionage or sabotage by foreign agents are. The factor that links private hacking with the government-sponsored sort is that government action is required. Just as tamping down the damage done by piracy required intervention by governments, so does that done by hacking.
Under a Westphalian system it is the responsibility of governments to control wrongdoers operating within their own borders and we should requiring Russia, China, or North Korea (the big three of hacking) to deal with hackers operating from within their countries.
Whether they or we take hacking seriously or not, insurance companies should be pricing insurance according to the risk and that includes risk from hackers. We should not be subsidizing shipping companies by indemnifying them against losses. It may be that globalization and global communications networks are a lot more expensive than had been thought.
Eventually, the insurance companies will include it as a specific exclusion, and they might offer a rider to include it. Homeowners insurance specifically excludes most water damage, and I need a rider for wind damage.
I think the reason for “act of war” exclusions is that the cost of war are too great for the financial resources of the insurance company. That “war” is being defined down to routine intentional acts by hostile parties, with or without government direction, seems like an over-step. Insurance companies paid claims from 9/11, though I believe there was litigation concerning whether the attacks were a single incident or two, etc.
Your comment gets to the crux of my point. Other than self-inflicted injuries any risk is insurable but it may be true that the actual cost of insuring against some risks is so high that few if any would purchase the insurance. Widespread piracy and war probably fit into those classifications.
However, we should either be dealing harshly with pirates, warmakers, and hackers (harshly as in bombing them not harshly as in issuing stern warnings) or, if the risks of dealing harshly are too high as is the case with Russia and China, the two gravest violators, insurers should offer insurance with premiums high enough that they can actually make money doing it and we should otherwise let the chips fall where they may. I think it may be the case that doing business with a China unwilling to conform to the agreements into which it has entered is just too expensive.
The cost of cybercrime, much of it borne by the United States, was $3 trillion in 2015 and is expected to be an order of magnitude larger than that by 2021. We should be taking it more seriously, particularly since so much of it is state-sponsored.