SYLVIE DOUGLIS, BYLINE: NPR.
(SOUNDBITE OF DROP ELECTRIC’S “WAKING UP TO THE FIRE”)
DARIAN WOODS, HOST:
This is THE INDICATOR FROM PLANET MONEY. I’m Darian Woods.
PADDY HIRSCH, HOST:
And I’m Paddy Hirsch. The United States is not at war with Russia, but Russian hackers are at war with the U.S. – at least that’s the message that President Biden sent in a recent speech directed to American businesses.
(SOUNDBITE OF SPEECH)
PRESIDENT JOE BIDEN: …Planning a cyberattack against us. And as I said, the magnitude of Russia’s cyber capacity is fairly consequential, and it’s coming. The federal government…
WOODS: It’s not clear how many American companies have been targeted by Russian hackers since the West and its partners imposed sanctions, but companies have tried to prepare themselves. Some have the resources to build systems to keep hackers out, but that can be a long and expensive process.
HIRSCH: Yeah. Instead, many companies will likely rely on insurance to cover any losses that they might suffer in an attack. But corporations that have already been hacked or wormed or otherwise cyberassaulted by entities with connections to the Kremlin have found that their insurance comes with a catch.
WOODS: This is not going to be a surprise to anybody who heard THE INDICATOR’s story on insurance in the music industry business a few weeks ago.
HIRSCH: Yes, indeed – not the same catch, of course, but a catch nonetheless. A single line in company insurance policies is allowing insurance to deny them coverage from cyberattacks, or at least attempt to deny them, and that’s causing a big stir in the insurance business today.
WOODS: On today’s show, cyberwarfare and insurance – what’s covered, what’s changing, and how this will affect you – coming up after the break.
(SOUNDBITE OF MUSIC)
WOODS: It’s a sad fact of modern life that hacking or being hacked has kind of just become another part of doing business for companies these days.
HIRSCH: Josephine Wolff is a professor of cybersecurity policy at the Tufts Fletcher School. She says that up until relatively recently, most companies have relied on their regular insurance policies to protect themselves against hacks and worms and ransomware and all sorts of other cybernasties (ph).
JOSEPHINE WOLFF: Pretty much all companies have what we call property and casualty insurance, which covers pretty much all risks to firms’ property, including business interruption risks – where if you have to shut down operations for a while – and those property and casualty policies even include business interruption because of things like malware and computer security incidents.
WOODS: But computer security incidents or hacking – like holding companies for ransom – have now become so prevalent that some companies have taken one more step to protect themselves, and they’ve bought specific specialty cyber insurance as well.
HIRSCH: The problem, Josephine says, though, is that cyber insurance typically doesn’t provide much in the way of coverage, financially speaking.
WOLFF: Those policies, because there’s a lot of uncertainty around cyber risk, tend to be capped fairly low, so most companies can only get a few million dollars’ worth of cyber coverage.
WOODS: And when hackers attack, they can cause a lot more damage than a few million dollars. Ransomware attacks can be particularly painful, and they can go as high as $50 million. In a situation like that, cyber insurance for, you know, a handful of a few million is not going to cut it.
HIRSCH: Yeah, and with so many companies withdrawing from Russia or refusing to do business with Russian companies, there are now a lot more names on Russia’s hacking hit list, which means a lot more companies looking for coverage from cyberattacks. But because the cyber insurance coverage is so low, Josephine says, companies that do get hacked will often make a claim against both their cyber insurance and their regular, generic, you know, property and casualty insurance. That’s because property and casualty covers them for a lot more money.
WOODS: And this would be a smart move, apart from that single line that is included in most insurance policies. It’s called a war exclusion, and insurance policies have pretty much always had them, since the 1700s.
WOLFF: War is so unpredictable and so big and so difficult to model that the insurers can’t work that into their risk calculations.
HIRSCH: And because insurers can’t work out how to insure against war, they basically wrote their policies to say that if there is a war, then all bets are off, and you can’t make a claim – pretty simple.
(SOUNDBITE OF ARCHIVED RECORDING)
JOHN DALY: We interrupt this program to bring you a special news bulletin.
HIRSCH: But then came December 7, 1941.
(SOUNDBITE OF ARCHIVED RECORDING)
DALY: The Japanese have attacked Pearl Harbor, Hawaii, by air.
WOODS: Two thousand four hundred and three Americans were killed in the attack. Some of these people had insurance policies, and their families made claims with their insurance companies.
WOLFF: And in many cases, the insurers say, no, that was an act of war. That wasn’t something we could have modeled in this person’s life expectancy. That’s excluded.
HIRSCH: But some of these plaintiffs don’t stand for this. They make the argument that, hold on, Pearl Harbor happened in peacetime. Congress didn’t declare war until the next day.
WOLFF: And several of those cases go to court, and the courts actually have different opinions depending on where they are about whether or not Pearl Harbor is an act of war.
WOODS: The insurers win some, they lose some, and then they start making darn sure that they are not going to get caught out like this again. They start tweaking the language in their policies to make that war exclusion absolutely watertight. And this is not just for life insurance, this is for everything.
WOLFF: So the crucial language is usually something along the lines of a hostile or warlike act in times of peace or war. And you sort of see that language evolve over time, and then there are usually a few criteria that sort of go below that that say, a hostile or warlike act, including something that’s perpetrated by a government or a military – something that’s related to civil unrest or disruption.
HIRSCH: And it’s this war exception that’s roiling the insurance industry right now, as businesses brace themselves to defend against Russian hackers. Companies are realizing their cyber policies may not give them enough coverage to compensate for an attack, and they could be denied coverage on their property and casualty policies.
WOODS: The insurers, of course, are arguing what they have said for years – that attacks by Russian hackers – and there have been plenty of them – are acts of war even though the U.S. is not at war with Russia and even though the company itself may not be the actual target of an attack, like in the case of the New Jersey pharmaceutical company Merck, whose computers were infected in 2017 by a Russian virus called NotPetya.
WOLFF: The NotPetya malware was a piece of malware that was distributed through a piece of Ukrainian accounting software. Most of the infected computers were in Ukraine. But because all of our computers are connected, those infections then spread all over the world.
HIRSCH: Merck’s insurer naturally argued that the initial attack in Ukraine was an act of war, and therefore Merck wasn’t covered. A superior court judge disagreed and ruled in Merck’s favor earlier this year. Still, Josephine says, companies are scrambling to make sure that they’re covered.
WOLFF: I think everybody right now, pretty much across the globe, is worried about Russian cyberattacks in retaliation for sanctions and retaliation for all sorts of activity.
WOODS: Insurers are scrambling, too – in their case, to manage this new risk that is taking a big old bite out of their profits.
WOLFF: And they say, OK, you know, this is a problem for us. We need to raise our premiums. And you have companies going back to renew and being told your premiums have increased 200%, 300%. In the first quarter of 2021, U.S. cyber insurance premiums rose an average of 18%. But guess what? Companies keep paying because what’s the alternative? Hacking isn’t going away, and Russian hackers are more motivated than they’ve ever been to attack American businesses.
WOODS: And this is, of course, pretty bad for consumers like you and me, Paddy, for two reasons – first because, as these premiums go up and companies have to pay more, they’ll inevitably pass on the costs to consumers, and that means that prices will go up.
HIRSCH: Yes. And second, Josephine says, because of moral hazard. Remember the way the big banks were bailed out by the government in the financial crisis?
WOODS: Oh, yeah.
HIRSCH: One argument at the time was that the crisis was a catastrophic one-time thing that it was impossible to predict or plan for, and the government needed to provide assistance.
WOLFF: One of the things that insurers have been sort of pushing the government on for a few years now is we’d like something equivalent in cyber. We’d like sort of, you know, some backstop. So if something really catastrophic happens in cybersecurity, we will have some support from the government and not just be on the hook to pay out all of those claims ourselves.
WOODS: Josephine says the government has already made a vague pledge to insurers that it will backstop them if things go really bad, which just goes to show that – whether it’s phishing or ransomware, denial of service attacks or data theft – hacking is here to stay.
HIRSCH: Yes. And in the meantime, companies will be looking to insurance for protection – insurance that’s going to become increasingly expensive, maybe even provided by the government. And the cost of all this insurance, as you so correctly said, Darian, will likely be passed on to you – the consumer – in the form of higher taxes and higher prices. Have a nice day.
WOODS: Thanks, Paddy.
HIRSCH: Don’t shoot the messenger.
(SOUNDBITE OF MUSIC)
WOODS: This episode of THE INDICATOR was produced by Jess Kung, with help from Gilly Moon. It was fact-checked by Corey Bridges. Viet Le is the senior producer. Kate Concannon edits the show, and THE INDICATOR is a production of NPR.
You’re all the way into California as well, even if I had a giant bow and arrow.
HIRSCH: That’s a long shot.