
Insurance Company Says NotPetya Is an “Act of War”, Refuses to Pay - marklyon
https://ridethelightning.senseient.com/2019/01/insurance-company-says-notpetya-is-an-act-of-war-refuses-to-pay.html
======
Scoundreller
This is why I try to avoid insurance policies wherever possible.

It’s still hard to argue with people questioning why I don’t buy insurance for
my $25k or so of household contents in a relatively secure building.

I don’t care how cheap the policy is, I’m assuming they’re charging more than
they pay out on average, and I lock my doors consistently.

~~~
adetrest
I... Don't get this mentality. Yes replacing 25k worth of contents isn't
_that_ big a deal (although it would suck), but in a fire there are other
costs that dwarf your contents. Think about how much your building/unit is
worth. If the fire started in your place, you could be responsible for all
these damages (and especially your neighbour's). Can you afford to repay a
whole new building for you and your neighbours + their contents? How about
living out of a hotel for a few months while the place is being repaired
(which repairs you'll have to cover too) and potentially paying your
neighbours' bills for that as well? How does that compare to a 1000$
deductible and a 300$/year premium? To me it's a no brainer. If you really
want a low premium, get a 2 or 5k deductible, 5k contents, and shop around.
You'll also get added protection like third party liability which is usually
minimum 1 million $ and covers any damage you'd do to others' property. Of
course no-one wakes up thinking they'll set their house on fire or flood the
unit under them. And yet that happens every day. I don't know anyone who
didn't have insurance and who got struck by a fire/flood/other damages say
that they regret nothing and wouldn't buy insurance if they could go back in
time.

~~~
throwawaymath
> _Yes replacing 25k worth of contents isn't that big a deal (although it
> would suck),_

This would be absolutely devastating to most people in America (and the
world). Being able to tank a $25k loss without any insurance help is a very
privileged position.

I don't have a point of contention with your comment. I just wanted to make
that observation, because I think it can be easy for many of us to forget it.

~~~
derekp7
I'm sure that most of that 25k wouldn't need to be replaced. Clothes, dishes,
furniture would be the main items. And for me, 90 percent of my closet really
needs to be purged.

~~~
xenophonf
In an apartment or house fire, you've lost _everything_. Picture your bathroom
in your mind and think of everything you need to replace just in that one
room.

Toiletries and soaps. Towels and washcloths. The shower caddy and the shower
curtain. The plunger. The cleaners under the sink. The books on the back of
the toilet.

Now do the same calculation in your kitchen, your bedroom, your family room.
The couch, those chairs, a TV, your mattress and box spring and bedsheets and
blankets, dishes and glassware and silverware, pots and pans, and so on. Even
if you own cheap stuff, that all adds up very quickly into a loss most people
can't readily absorb, even when you factor out the pile of stuff you don't
wear any more and really ought to donate. I think we could inventory a
lower/middle-income renter's belongings and spend $25K pretty easily.

~~~
Finnucane
And do it while suddenly homeless.

------
jopsen
Why should "act of war" not be covered?

If I'm going broke because of a war, why shouldn't my insurance company?

Similar, with natural disasters, those should be covered by default --
insurance companies can easily spread the risk geographically.

These exceptions feel like legacy from the "good" old days when wars were
common and globalization limited.

~~~
CPLX
Because insurance companies are generally in the business of insuring
unsystemic risk.

The entire model breaks down in cases of systemic risk, unless that has been
accounted for and dealt with. Which is why it's a major element of insurance
policies.

~~~
daniel-cussen
In Chile the insurance companies have fine print saying they won't cover
injuries resulting from paramilitary activities (reasonably sensible, OK) or
anything nuclear, right down to a nuclear bomb.

~~~
jhbadger
Even in the US it is common for home insurance to not cover nuclear war --
mine specifically says it doesn't for example. Although I suspect not getting
an insurance settlement would be the least of my concerns in that event.

------
tudorconstantin
I wonder how that insurance company expects to continue business. If they
don't pay in case of damage, why would anyone buy insurance from them?

~~~
patio11
The thing you’re buying from an insurance company is “Can you pay me in case
of a covered claim?” not “Can you pay me if I need money because something bad
happened?” If you buy medical insurance and file a claim because your house
burned down, expect not to get money. If you file a claim which falls into the
policy exclusions which are briefed at excruciating length and which you had
your lawyers review because you are a professional risk manager and know this
policy’s value to you is potentially nine figures, expect to not get money.

The reason companies with very intelligent risk managers keep paying Zurich
money is that _Zurich reliably pays out covered claims_, as you would expect
from a highly-regulated entity. HN’s incredulity about insurance companies
routinely paying out claims staggers the imagination. They’re highly regulated
publicly traded companies which denominated claims expenses in (in this case)
billions of dollars; that isn’t code for “Psych we actually just bought
_mountains_ of cocaine and would have successfully hoodwinked all
counterparties, regulators, and courts but for the diligence of Internet
commenters.”

~~~
throwawaymath
This seems like an overly snarky and patronizing response which mostly dances
around the point at hand. You’ve effectively sidestepped the discussion to
talk down to HN commenters as a whole because you think they’re ignorant of
The Way Things Work in risk management and insurance. That’s likely true; it’s
also dismissive. Thank you for explaining to us all how insurance works, but
to be honest I don’t think that resolves whether or not this claim should be
paid.

All we’re talking about is whether or not they are right to not pay out _this
specific claim._ Do you have any justification for this being an act of war?
What is your position on that particular issue? Your comment portrays a world
in which lawyers don’t disagree because they all meticulously defined and
agreed to a contract. I think it’s very fair to conjecture neither side
thought of this particular scenario, and that as a result, there is a
legitimate problem about which reasonable people (and lawyers) disagree.

Moreover, I think it’s fair to have the orthogonal - but related - debate
about whether or not “acts of war” _should_ be covered, even if they
ultimately prove not to be in this scenario. I think it’s okay if we debate
this even if we’re not all experts in law, insurance and risk pooling. We’re
not directing policy here, we’re commenting on a message board.

Note that I’m not crusading against insurance, nor am I saying lawyers are
dumb or malicious. But I am trying to convey the very even-handed position
that people are fallible. Your comment strikes me as more of a lecture than a
substantive response to whether or not fallible people could be making a
mistake in rejecting a claim. Consider the _spirit_ of the comment to which
you replied - yes, this may turn out to be by the book for this insurance
firm. But if that’s the case, it can still be true that potential customers
will not want to purchase coverage from them because “act of war” hacking is a
risk they want to (quantifiably) share.

~~~
patio11
As I stated downthread, this claim hitting the exclusion feels very plausible
to me. Hostile acts by a foreign government are excluded. The US national
security apparatus is so convinced that they have Russia dead to rights on
this that they’ve publicized their accusation and evidence. Their accusation
is that Russia destabilized core infrastructure in several countries as cyber
aircover for the conventional war in eastern Ukraine that no intellectually
serious person disputes is happening.

I think Zurich is very plausibly right by the letter and spirit of the bespoke
contract which they struck with a sophisticated counterparty who had competent
legal advice.

You should certainly price in the risk that, if you have an uncovered loss
that you wish your insurance company would cover, your insurance company will
point to the contract and say “Uncovered loss; no.”

------
ascar
> _"hostile or warlike action in time of peace or war"_

A lot of comments jump on the war and cyber war definitions, but the article
states the exclusion is based on a "hostile or warlike action", which is a
much looser definition.

Based on the announcement of multiple governments that this attack is of
Russian origin this exclusion might very well be justified.

~~~
OkGoDoIt
Couldn’t most hacking attempts be defined as “hostile actions”? And the second
part “at a time of peace or war” effectively means all the time. Seems like an
extremely broad exclusion.

~~~
ascar
Yea, I thought that too. I imagine either the "or warlike" part or additional
text that was not quoted narrows it down to state actors or state-like actors
(e.g. terror groups like ISIS or al-Qaida). Would still be a very broad
definition.

~~~
mannykannot
I have no idea how the law would interpret it, but while 'hostile warlike act'
might narrow the scope as you suggest, 'hostile _or_ warlike act' would seem
to widen the scope to any hostile act, warlike or not. (Are there any
non-hostile warlike acts? Accidents such as so-called 'friendly fire' incidents
might fit...)

------
Animats
Source article from The Register.[1]

[1] https://www.theregister.co.uk/2019/01/11/notpetya_insurance_claim/

------
taspeotis
I would kind of expect the argument about not paying out to be one of
negligence on behalf of Mondelez. NotPetya uses the EternalBlue exploit which
Microsoft patched in March 2017, NotPetya was late June 2017. Don't install
security patches on 1,700 servers and 24,000 laptops for four months? Don't
get an insurance payout.

~~~
zapdrive
I'm sure negligence is covered under insurance, that's why Zurich made a claim
of "cyber war", which is harder to prove than negligence. Also if negligence
wasn't covered, almost everything can be claimed as negligence. For example,
fire started due to electric short circuit: negligence, you should have got
everything inspected every x months/years. Theft: negligence, you should have
x number of security guards. You see where I'm going?

~~~
thaumasiotes
In my mind, the usual handling of negligence is that your insurance contract
may specify steps that you're required to take in order for any eventual claim
to be valid. For example, a policy insuring your car against theft may specify
that you keep your car parked in the garage and not on the street. If your car
is stolen off the street in front of your house, you're not going to get
anything.

Conceptually, such a clause represents you guaranteeing a particular standard
of non-negligence in exchange for lower premiums.

------
wjnc
This would be a massively interesting suit, if fought out to conclusion.
Looking for a proper definition of war, you might even go back to the Hague
Conventions or some historical precedents in common law. Probably the terms
and conditions do not further specify 'war', let alone 'cyber war'. But if it
would be an easy case, the insurer wouldn't take on Mondelez, unless perhaps
as a long shot to prevent ruin.

------
retrogradeorbit
And that's the last time anyone buys cyber insurance from Zurich. What's the
point of cyber insurance that doesn't cover ransomware? Just a useless waste
of money.

~~~
detaro
They aren't not covering ransomware. I suspect future buyers are going to
re-evaluate if they really don't need coverage against being casualties of
nation-state attacks though.

~~~
closeparen
Insurance against war related damage is called reparations.

~~~
detaro
Not really, no. It's got little to do with the idea of insurance.

~~~
closeparen
Property insurance industry works with the security community to develop and
enforce standards for security operations, safes, locks, alarm systems, etc.
that reduce theft, and employs investigators to recover stolen high-value
goods.

Auto insurance industry works with the automakers and regulators to develop
and enforce standards for crash safety, airbags, crumple zones, collision
avoidance systems, etc. and employs litigators to recover damages from the
at-fault party.

Insurance companies aren't just professional gamblers. They are risk managers.
You pay them to deal with the nitty gritty of risk mitigation in whatever
domain because it's not your speciality.

How are you going to manage the risk of enemy damage in war? You're going to
wield more violence than the threat, and seize its assets to make yourself
whole. Instead of settlement or recovery, we call it reparations.

~~~
detaro
There are insurance companies that insure war risks, e.g. for facilities in
unstable countries, and those companies are not in a position to seize
reparations.

------
dgzl
Insurance companies live in the weird realm of customer service up front, and
financial defense when the whistle is blown.

------
ldp01
I wonder if you can get insurance against insurance companies not paying out?

~~~
wjnc
Yup, that's called legal insurance and is often quite an affordable backstop,
at least in the EU. Pro-tip is to get yours at another supplier than your
regular insurance to best align incentives. In things like consumer conflicts
I've never had to use my legal insurance, just announcing that you'll get them
involved usually is met with some kind of compromise.

~~~
roel_v
That's not the same. What you are talking about is an 'insurance' where you,
when you get into legal trouble, are reimbursed for (some of) your legal
costs. That's not what the GP meant.

~~~
wjnc
What the GP meant is literally quite strange. You get reimbursed re conditions
of the contract, period. If the insurer doesn't pay it's either a legally
correct action or not. If legally correct you get what you paid for. If
incorrect you need legal recourse. The only type of insurance possible against
an insurer not paying is legal insurance. Otherwise you are asking for an
insurance for you not understanding the terms and conditions. That's typical.

~~~
jopsen
> Otherwise you are asking for an insurance for you not understanding the
> terms and conditions.

Is this an unreasonable request? :)

Whenever I get insurances through work I rarely get terms and conditions? If I
do, I rarely get something specific, it's very ambiguous, and contains
unqualified conditions.

I find that agents can rarely answer questions I have, how was I supposed to
understand things?

------
lota-putty
Insurance is like a `bottomless wishing-well`, demands regular offerings but
return favours during unforeseen emergencies not guaranteed.

------
qaq
So what is the standard of evidence for something like this? The fact that say
top security outfits did attribution to APT-blah or APT some blahBear and
there is some level of confidence that the groups might be state actors is it
really enough?

------
toss1
Not entirely surprising that insurance company is attributing this to an Act
of War.

* Russia is actively pursuing an Active Measures (активные мероприятия [1]) political war against the west

* Russian companies & persons charged by Mueller have actively used the defense in filing that their actions were Acts of War, and so not illegal. These defense claims have not yet been ruled upon, AFAIK.

* The Russian govt, former KGB organization, Oligarchs, Russian Mob, and hacker community have effectively morphed into a single operation entity.

Nevertheless, it is a bit of a stretch to consider a specific hacking event as
part of the Active Measures war. Not that it is surprising that the insurance
company tries it. They'll at least delay any payments.

This may, interestingly, raise the stakes on any cooperation with such
operations (e.g., being a funds conduit, renting out a botnet to deploy the
malware) from standard criminal conspiracy charges right up to treason. Not
sure if it will play out that way, but I wouldn't want to be the one testing
the prosecutors' discretion, or the inclination of the NatSec organizations to
get involved. Totally changes the risk profile of getting involved for those
inclined to play around the edges.

[1] https://en.wikipedia.org/wiki/Active_measures

------
cenal
If insurance stops paying out then companies will take data security more
seriously. Their very existence will depend on it.

Net win for society from my perspective.

~~~
onion2k
Some might but many wouldn't though, because the risk of a problem occurring
is still relatively low. No insurance just means it's worse if it does happen.
The company would fail, resulting in a loss of service for their customers and
a loss of jobs for all the staff.

To use a good old car analogy, if car insurance stopped paying out people
wouldn't all immediately become better drivers.

------
mark_l_watson
I wonder what the long tail costs are for not paying the claim?

If I had any insurance policies with this company I would cancel and look
elsewhere. The insurance company must have modeled both scenarios.

------
mnm1
If they can't pay out in a case like this, they shouldn't be in business. I
hope the affected insureds sue this scumbag insurance company into the
bankruptcy it deserves. And if the whole cyber attack insurance industry goes
belly up, it sounds like a win for society: maybe these other idiot companies
will start to take security seriously rather than just trying to collect money
for their insurance companies.

------
bertil
I’m curious how much the insurance thinking was: if we pay this, more
companies will maintain bad security, pay bribes and we’ll be left to foot the
bill.

In addition to more victims, the second compounding effect of this would be
that giving money to hacker groups means they would become bolder. That might
even mean they’d potentially blur the line from State-sponsored to something
that outgrows even the authority of a (rogue) State.

------
DevX101
Companies won't take security seriously until there are real costs to losing
customer data. Right now, they can just send out an apologetic press release
after getting attacked due to their shoddy security and that's it.

------
aritmo
That's a sleazy insurance company. They use a lame excuse to avoid paying.

------
mikkom
Good luck proving conclusively in court that Russia was behind the software

~~~
ceejayoz
In civil suits, the standard is a preponderance of the evidence. That makes
this pretty hard to surmount:

> Zurich American Insurance Company points to the official statements of
> national security officials from the UK, Canadian and Australian
> governments, all of which blamed Russia for the cyber attack in February
> 2018. Even the White House in the United States said the cyber attack was
> part of Kremlin efforts to destabilize the Ukrainian government.

------
gesman
It’s interesting that insurance Co didn’t point to an absence of proper
inclusion clause. They tried to find exclusions that may help them to pull the
fast one on a customer.

Which means the policy wording clearly matched the covered event.

~~~
patio11
The insurance company’s argument is “When we gave your lawyers a bespoke
contract that said ‘Irrespective of whether a loss would otherwise be covered
or not, we will not pay any claim which...’, what precisely did you think we
meant?”

They quote the language in the policy and quote the national security
apparatus as having made a determination that this was hostile action by a
foreign government or their affiliates. Contractual disputes are often
substantially less well-grounded in assertable facts than this one.

------
shard972
Just subpoena the intel agencies? Just because they haven't released the
evidence publicly doesn't mean it wouldn't seem reasonable for the intel
agencies to assist the case.

------
jimjimjim
Was there a declaration of war? Did their policy specifically mention 'cyber
war'?

what a steaming load.

insurance companies trying to squirm out of paying something is as certain as
the sun rising.

~~~
patio11
I was offered a rider on my last business insurance policy, for about a 5%
premium increase. It was labeled the Terrorism Rider but the legal code was
war, acts of state-sponsored violence, etc etc. If you don’t buy that rider,
and someone drops a bomb on your building, your claim falls into an exclusion.

These exclusions were largely inserted into new policies for risk management
after 9/11. If you’re negotiating a 9 figure insurance policy, you have
lawyers who read the thing and can debate the issue with the insurance
company’s lawyers if there is a dispute over exactly what the bespoke language
you signed meant.

I’m not unsympathetic to the insurance company here. The intent of this
language is “We did not sign up to take on Russia. We are willing to do that,
but it isn’t free.” If somebody doesn’t negotiate for that, well, you pays
your money and you takes your chances.

~~~
posterboy
That's fine, except that the insurer has to prove the state-sponsorship beyond
reasonable doubt, no? Exceptional claims ...

~~~
patio11
“The US government has publicly claimed this was a hostile act by Russia” wins
that argument, trivially, in a US courtroom. And it will be a civil trial; the
standard will be “preponderance of evidence.”

~~~
posterboy
By the way, to get a trial going, you only have to raise reasonable doubt.
Getting beyond reasonable doubt is the problem.

~~~
patio11
“Reasonable doubt” is a term of art in law. Your use of the term does not
agree with how the legal field understands it. “Preponderance of evidence” is
another term of art, which is a strictly lower burden to meet than “beyond a
reasonable doubt.” Your understanding of which of these two standards the
legal system applies in civil cases mispredicts the behavior of the legal
system. You can confirm this representation with a lawyer of your choice.

The standard to survive an attempt to dismiss will be approximately “even
reading all factual representations as true in the most charitable reasonable
way to the suing party, no reasonable finder of fact would see a justiciable
controversy here.” You’re welcome to ask a lawyer on whether the suit would
pass that burden.

------
bredren
It takes two to tango. If a cyber war is ongoing, then I think the insurance
company should cite retaliatory action in the war as evidence. From what I can
tell western governments do not generally publicize any specifics of effective
cyber operations.

So I wonder if this puts insurance companies in a position where they benefit
from classified operations being outed to bolster the case that this was indeed
an act of war.

~~~
tgsovlerkhgsel
I thought that retaliatory action would be a good indicator, so I took a look,
and I'd say this supports Zurich's decision:

https://techcrunch.com/2018/03/15/russian-sanctions-treasury-ira-notpetya/

Others cited the exclusion to be worded as "hostile or warlike action in time
of peace or war", further tilting the scales in the insurance's favor.

~~~
bredren
The sanctions as retaliatory? I’d agree they are but I was thinking more of a
cyber counter offensive.

