
I wonder how that insurance company expects to continue business. If they don't pay in case of damage, why would anyone buy insurance from them?



The thing you’re buying from an insurance company is “Can you pay me in case of a covered claim?” not “Can you pay me if I need money because something bad happened?” If you buy medical insurance and file a claim because your house burned down, expect not to get money. If you file a claim which falls into the policy exclusions which are briefed at excruciating length and which you had your lawyers review because you are a professional risk manager and know this policy’s value to you is potentially nine figures, expect to not get money.

The reason companies with very intelligent risk managers keep paying Zurich money is that Zurich reliably pays out covered claims, as you would expect from a highly-regulated entity. HN’s incredulity about insurance companies routinely paying out claims staggers the imagination. They’re highly regulated publicly traded companies which denominated claims expenses in (in this case) billions of dollars; that isn’t code for “Psych we actually just bought mountains of cocaine and would have successfully hoodwinked all counterparties, regulators, and courts but for the diligence of Internet commenters.”


Now and then, insurance companies will pull fast ones. E.g., insured dies of heart attack two years after buying policy, preexisting condition even though preexisting exclusions go away after one year according to policy.

But mostly the dim view of insurance companies comes from health insurance in the US, which is a catastrophe.

Or someone gets cut rate car insurance and has trouble with a claim. How do you think they keep the rates so low?


This seems like an overly snarky and patronizing response which mostly dances around the point at hand. You’ve effectively sidestepped the discussion to talk down to HN commenters as a whole because you think they’re ignorant of The Way Things Work in risk management and insurance. That’s likely true; it’s also dismissive. Thank you for explaining to us all how insurance works, but to be honest I don’t think that resolves whether or not this claim should be paid.

All we’re talking about is whether or not they are right to not pay out this specific claim. Do you have any justification for this being an act of war? What is your position on that particular issue? Your comment portrays a world in which lawyers don’t disagree because they all meticulously defined and agreed to a contract. I think it’s very fair to conjecture neither side thought of this particular scenario, and that as a result, there is a legitimate problem about which reasonable people (and lawyers) disagree.

Moreover, I think it’s fair to have the orthogonal - but related - debate about whether or not “acts of war” should be covered, even if they ultimately prove not to be in this scenario. I think it’s okay if we debate this even if we’re not all experts in law, insurance and risk pooling. We’re not directing policy here, we’re commenting on a message board.

Note that I’m not crusading against insurance, nor am I saying lawyers are dumb or malicious. But I am trying to convey the very even-handed position that people are fallible. Your comment strikes me as more of a lecture than a substantive response to whether or not fallible people could be making a mistake in rejecting a claim. Consider the spirit of the comment to which you replied - yes, this may turn out to be by the book for this insurance firm. But if that’s the case, it can still be true that potential customers will not want to purchase coverage from them because “act of war” hacking is a risk they want to (quantifiably) share.


As I stated downthread, this claim hitting the exclusion feels very plausible to me. Hostile acts by a foreign government are excluded. The US national security apparatus is so convinced that they have Russia dead to rights on this that they’ve publicized their accusation and evidence. Their accusation is that Russia destabilized core infrastructure in several countries as cyber aircover for the conventional war in eastern Ukraine that no intellectually serious person disputes is happening.

I think Zurich is very plausibly right by the letter and spirit of the bespoke contract which they struck with a sophisticated counterparty who had competent legal advice.

You should certainly price in the risk that, if you have an uncovered loss that you wish your insurance company would cover, your insurance company will point to the contract and say “Uncovered loss; no.”


> All we’re talking about is whether or not they are right to not pay out this specific claim. Do you have any justification for this being an act of war? What is your position on that particular issue?

Not the parent, but if the hackers are employees of the Russian government and the ransom money was collected by the Russian government, that seems pretty "act of war"-ish to me.

If a Russian military submarine held up an American freighter, boarded, commandeered the vessel and took the goods back to Russia, wouldn't that be an act of war? Of course this case is different, but I think it is similar enough that taking this case to court is not at all unreasonable.


The debate here is whether it was a covered claim or not.

A reasonable person would certainly think that a policy sold as cyber insurance would cover a cyber attack. And presumably a large multinational like Mondelez would have had the policy reviewed by their legal department before signing and paying the premiums.

So far as regulations - in the US standard types of policies (such as auto, home, etc.) are regulated by the states not the feds. A policy that isn't one of those likely has very few regulations around it. In which case the policy language (aka the contract) governs the relationship.

If Zurich wanted to limit the total damages, they should have put that in the policy. And then resell some of that risk to a reinsuror.

This is going to have to be settled in the courts. But in the meantime, I would be hesitant to purchase any cyber insurance from Zurich (or any other insuror) because of the uncertainty that a claim would be paid that this action introduces.


Rather than separating claims into "covered" and "not covered", I recommend a third bucket "might be covered". I think this goes into that third bucket. Whether or not this particular claim should be paid doesn't mean it's not in the third bucket.

When buying insurance, you shouldn't rely on payments for claims in the third bucket, especially not without a legal fight.

Many consumers don't understand any of this. But I expect (hope) that most large businesses are sophisticated enough to understand this.

I don't think this will hurt Zurich's business, because most of their customers probably understand this.


I agree with your conclusion, but keep in mind that most policies don't cover things that are actuarially impossible to predict, like acts of war. Both sides of this situation seem to have reasonable cases; the results will depend on the definition of "act of war."


Is "Criminal organization decides to create damaging ransomware" really so substantially different from "Criminal organization (known as the Russian Federation) decides to create damaging ransomware" that Zurich actuaries can earnestly predict the likelihood of one but not the other?

I assert that the line between cyberwar and cybercrime is very faint.


"HN’s incredulity about insurance companies routinely paying out claims staggers the imagination. They’re highly regulated publicly traded companies which denominated claims expenses in (in this case) billions of dollars;"

I used to use the "smart money" heuristic a lot in my thinking - for all of the reasons you list above, and more.

Then the 2007/2008/2009 mortgage meltdown and liquidity crisis occurred and we saw that a lot of the "smart money", including the very insurance providers and investment banks (or subsidiaries thereof) were caught unawares. AIG[1], for instance, which was in very much the same league as Zurich RE, et al.

I would take the size of these companies, and the billions at stake, and their regulators ... and all of it ... with a big grain of salt.

[1] https://en.wikipedia.org/wiki/American_International_Group#L...


“What kind of claims does Zurich pay out, Patrick?”

Fire at a port in China; $600 million in losses from single incident, with the meter still running.

https://www.insurancejournal.com/news/international/2015/11/...


What they're saying in this case, however, is that they will not pay a covered claim. That's why people are up in arms about it. Cyber war is their euphemism for yes we should pay this but we won't. It's a preposterous and ridiculous claim and everyone here knows that. So the question stands: why would anyone buy insurance from this company that won't pay out covered claims like the malware in the article? I don't care how public or big this company is, after this case, you'd have to be insane to continue paying them when to them any run of the mill cyber attack is an act of war that they won't pay. Are you going to pay Theranos now for their blood testing kits? No. The trust has been lost. Then why pay this company for insurance against cyber attacks when they've proven they won't pay the covered claim? The trust has been lost there too.


Regularly paying out vaguely-calculated $100 million claims wouldn't bode well for their long-term existence either. I'm guessing that Zurich did their own assessment of the losses and came up with a much, much lower number. The article states that they were originally willing to pay $10 million. Before casting aspersions on Zurich, we should take a critical look at how Mondelez calculated $100 million of losses.

Mondelez likely threatened Zurich with extensive lawsuits when they realized the companies were an order of magnitude apart (10 vs 100mm), and Zurich threatened back with their version of Judge Smalls -- you'll get nothing, and like it!

To a commentator below who doubted they could prove Act of War conclusively in court: they will never have to -- this would be a civil case, they only have to achieve "more likely than not," which may not be difficult given the extensive declarations, as mentioned in the article, from FBI, DoD, Pentagon, etc.


US jurisprudence may be different from the Australian law I studied, but as I understand it the "more likely than not" applies to the facts in a civil case not to the legal issue of what constitutes an act of war. That is a question of existing legal precedent and statute law. If there isn't a clear legal definition of cyber war they may indeed have a difficult time proving that cyber attacks are an act of war. But they may think it is worth the effort to try and establish a precedent.


"Mondelez likely threatened Zurich with extensive lawsuits when they realized the companies were an order of magnitude apart (10 vs 100mm), and Zurich threatened back with their version of Judge Smalls -- you'll get nothing, and like it!"

It's easy to grin, when your ship comes in, and you've got the stock market beat ... but the man who's worthwhile, is the man who can smile, when his pants are too tight in the seat!


I hope the courts study this carefully before giving a judgement - ultimately this can open a can of worms if insurance companies were to claim every malware infection as an "act of war".


Honestly they don't. The deeper truth here is surely that Zurich was overexposed and just doesn't have the money to pay the claim. They know this is a ridiculous position and that they'll lose the suit, but denying the claim now lets them at least try to rework their finances and come to a settlement instead of just declaring bankruptcy and giving up.

Insurance companies make risk management mistakes too, and this is what it looks like when they do. The money Mondelez is owed isn't there.


Zurich can pay out a hundred million dollars and shrug it off. Yes, it’ll hurt for a bit, but this is nowhere near the sort of thing it would take to bankrupt them.


That's Zurich, an insurance behemoth, almost half a trillion in assets.


I can see why now. Getting money and not paying claims



