As business leaders, you and I both know that insurance is a necessary evil. If a natural disaster hits, insurance will probably bail you out. If an office burglary occurs, insurance will usually foot the bill for property replacement.
And if a cybercriminal attacks your data and equipment with malware or another type of cyberattack, you naturally assume that your cyber insurance policy will cover the damage.
But there’s a good chance it won’t.
Two cybercrime cases are setting the stage for the future of cybercrime coverage and, from what I can see, it’s now more important than ever for your company to ramp up cybersecurity tactics.
On June 27, 2017, a form of malware called NotPetya swept the globe. Company after company fell victim to the malware, which spread quickly and masqueraded as ransomware – though it permanently wiped data with no ransom option. Some of the largest companies impacted by NotPetya were Maersk, the global shipping company, and Merck & Co., the pharmaceutical manufacturer.
As Wired reports (in an edge-of-your-seat read), Maersk first experienced the meltdown as confused staffers lined up at the company’s IT help desk, wondering why their laptops weren’t working. In another part of the Maersk campus, an IT administrator was preparing a large software update when his computer suddenly restarted. He looked up to see if other computers in his office had been affected by the restart – and watched every other computer blink out, one after the other.
Once the IT office’s computers were restarted, they were irreversibly locked. And then the real panic began.
“Within half an hour, Maersk employees were running down hallways, yelling to their colleagues to turn off computers or disconnect them from Maersk’s network before the malicious software could infect them, as it dawned on them that every minute could mean dozens or hundreds more corrupted PCs. Tech workers ran into conference rooms and unplugged machines in the middle of meetings.” (Wired) (emphasis mine)
By 3:00 PM that day, not long after the attack was first noticed, Maersk employees were sent home. The company that controlled nearly a fifth of the world’s shipping capacity was stopped dead by one specific strain of malware.
For Merck, the experience was less dramatic, but certainly no less devastating. As Insurance Journal reports, U.S.-based employees were unable to log in to their computers when they showed up for work in the morning – and were unable to log in for weeks afterward. More than 30,000 computers and 7,500 servers were locked down by the attack, and years of pharmaceutical research were lost.
In almost no time, the global drugmaker found itself unable to manufacture vaccines for the U.S. market, which resulted in $870 million in damages, including the cost of having to borrow the entire U.S. emergency supply of one critical vaccine, Gardasil 9.
Here’s the thing: Both companies had extensive cyber insurance coverage, which should have stepped in to help them recover. But the claims were denied.
Why? Because NotPetya was created by Russian state hackers, who used it as a cyberwarfare tool against Ukraine.
As the insurance companies saw it, since NotPetya was a tool of war, it fell under the category of war exclusions. The malware’s rapid, devastating spread was simply the digital version of “friendly fire.”
I wish I had some sort of great ending to this story, something movie-worthy in which the judge yelled at the cyber insurance companies, while leaders from the global shipping and manufacturing companies jumped up from their seats cheering… but I don’t. As of right now, years after the attack, the case is still pending. In early 2020, experts will testify about war in the Age of Cyber, but the case may drag on for years.
And, in the meantime, more malware is created every hour of every day, often by nation-state hackers. If your company is hit, will your insurer consider it an act of war?
Honestly, I hope you never have to learn the answer to that last question – but in today’s malware-filled world, the odds are increasing that your company, my company, everyone’s company will be hit by malware, ransomware, phishing, and other malicious hacking attacks.
Which means that the smart choice is to prepare your company, so you can get back to work quickly and minimize your costs if you do fall victim to an attack.
One of the top ways to ensure that your company can get back to business fast is to perform regular backups every few minutes, so you don’t lose time restoring days or weeks of data. Downtime costs, defined as the costs your business racks up as you’re waiting to get back to normal operations, can be expensive. They’re likely the biggest cost you’d claim if you were to file a claim with your cyber insurance provider – and with the ongoing battle for Maersk and Merck, your best course of action is to keep these costs as low as possible.
Luckily, there are a few ways you can significantly reduce your downtime costs:
Business leaders wanting fast, accurate, fail-tested backups often turn to business continuity solutions, which replicate data every few minutes and make data restoration rather quick and easy. Leaders also pay attention to cloud-to-cloud backups, so they don’t lose critical data if their cloud providers are attacked or if their cloud accounts are compromised.
Additionally, business leaders ensure that they have a quick, effective recovery time from cyberattacks by preparing a clear emergency response plan / disaster recovery plan. Most importantly, they practice that plan, so they can execute it immediately when they need to.
After all, the faster you can respond to a cyberattack, such as malware, ransomware, or phishing, the less damage the cybercriminal can cause. Less damage results in less cost, and that may be a huge consideration depending on how these cyberwarfare insurance coverage cases turn out.
And, uh, while you’re at it, how about you take a moment to back up your systems, right now? It’s a really smart idea.