In the following guest post, Alan Borst of Willie Borst ADR takes a look at the new and perhaps unappreciated exposures and risks posed by cyber counter-measures. Alan also explores the potential insurance issues related to these activities.
I would like to thank Alan for his willingness to publish his post on this site. I welcome guest post contributions from responsible authors on topics of interest to readers of this blog. Anyone interested in publishing a guest post should contact me directly. Here is Alan’s guest post:
Practitioners of the roughly ten-year-old and rapidly expanding area of cyber liability insurance coverage should be startled at the recent surge in activity: new offerings (a leading national carrier's inclusion of bodily injury and property damage coverage), growing penetration of the market[i], and well-publicized "events". The events get the most public press, of course, and as such have the biggest impact on the insurance industry.
Cyber victims take the offense – Up to now the scholarly reporting and insurance discussion has focused on the victims of data security and privacy events, but recently the focus has shifted to law enforcement, and to the role of private security firms in developing increasingly sophisticated countermeasures. Just as the well-publicized pre-holiday hacking of the retail industry put a damper on an otherwise growing business in 2013, we should all take heart that our Justice Department has not been completely asleep and has scored a moral if not final victory over the Grinch-like community of hackers by "killing" at least one ransomware program, "Cryptolocker", in June of 2014[ii]. The cited New York Times article takes a cautionary look at the emergence of cyber vigilantism in the international struggle against cyber-terrorism, of which cyber extortion is only the most conspicuous form. The author, Ian Urbina, posits:
In response, more companies are resorting to countermeasures like planting false information on their own servers to mislead data thieves, patrolling online forums to watch for stolen information and creating “honey pot” servers that gather information about the intruders. Last year, companies also spent roughly $1.3 billion on insurance to help cover expenses associated with data theft. (emphasis supplied)
If we are now in the Wild West of cyber warfare, it seems to be generally accepted that victims of data theft can and do follow and retrieve stolen data wherever it leads them. Where victims act through their forensic teams and in collaboration with law enforcement agencies, federal law may even protect such counter-hacking activity. The law is not clear in this regard, however,[iii] so at least in theory innocent third parties may be at risk of being hacked by a victim whether or not they have participated in the original hacking event, whether or not they are in possession of stolen data, or indeed whether or not a hacking event has occurred at all. Cyber insureds who believe they have been attacked generally have a year to conduct an investigation into a reported data security or privacy event, and cyber policies do not specifically provide coverage for intentional hacking of third party servers (nor do they exclude it). Insureds who conduct such countermeasures may themselves be in violation of the Computer Fraud and Abuse Act or other state and federal laws and regulations.
Insurance implications – Will the current group of insurance policy forms protect the insured (as sometimes expanded to include "information holders") in this new offensive role as a "hacker-in-pursuit", or only in the defensive role of "hackee"/victim? The cited article refers to a law school professor's paradigm of protecting innocent third parties ("Aunt Sally"[iv]) from possible loss and uncertainty as the result of the reckless pursuit of hackers and their methods. In the case of "Aunt Sally v. Your Insured", is there coverage under your cyber policy? Is Aunt Sally an insured (if so, the Insured v. Insured exclusion may apply)? And is there an Aunt Sally exclusion? Probably not. The answer to these questions is: consult your insurance broker or qualified independent risk management consultant, read your policy provisions, then go back to the broker/consultant, again. You may decide that the risk of third party liability from the pursuit of the cyber suspects outweighs the potential reward of finding the source of any given hacking event. Keep in mind that first party cyber coverage is triggered by an actual occurrence or the reasonable belief by the insured and insurer that a breach has occurred. The carrier should clearly be on board with any decision to go after hackers or to knowingly transmit malware.
Any coverage for affirmative hacking activity would have to fall within the definition of "Loss", but the categories are quite broad and include crisis management with the goal of minimizing harm and restoring public confidence in the insured. Coverage is generally afforded for both the receipt and the transmission of malicious code. At least one policy from a major carrier provides coverage for "any other services approved by the Insurer at the Insurer's sole discretion"[v]. If the policy would cover the insured's expenses from an inadvertent transmission of malware, why would it not cover deliberate transmission of malware designed to stop future attacks or mitigate their impact? Depending on the particular attack and the role of the insured in potential future attacks, I would think that various "sting" operations could be approved or maybe even encouraged by sophisticated carriers with a long term view of the exposure. Ultimately, insurance carriers and their accumulation/clash reinsurers have an interest in the systemic risk component of almost all modern forms of cyber security. That means catching the bad guys, if that is what it takes to restore public confidence in the insured.
What if the insured gets caught up on the wrong side of a lawsuit alleging deliberate hacking or other counter-measures? As a first cut at the issue, I submit that most policy forms I have reviewed exclude coverage for intentional and criminal acts, and (more broadly) for loss "arising, based upon, or attributable" to such acts. Wisely, the policies have carve-backs of coverage for claim expenses up to the point of an adjudication, arbitral award, etc. adverse to the insured. So if the insured company has negligently caused harm to a third party as the result of countermeasures following a reported hacking attack, the third party cyber coverage should respond. Nevertheless, if the counter-hacking is sufficiently unrelated to a reported hacking event, and neither sanctioned by the authorities nor consented to by the carrier, one could easily see a situation where the alleged victim is in fact a perpetrator, with the consequent forfeiture of coverage (including the advanced expenses). First party cyber insurance covers loss to the insured itself as the result of a data breach. That coverage essentially protects the insured's data residing on its own servers, or those of independent contractors. But this protection would not extend to third parties whose data and systems might be harmed. Cyber coverage may further expand to anticipate this exposure more directly. In the meantime, the current policies do exclude coverage for seizure, confiscation, nationalization or destruction of a computer system by order of a government or public authority, so it is clearly advisable for insureds not to take the law into their own hands.
Protecting Aunt Sally – Of the particular acts of counter-hacking, it seems to me the one with the biggest threat to insurance coverage and public safety is the deliberate planting of false information in order to catch a thief or thwart attempts at hacking. Using lawyers and outside information holders as accomplices in this subterfuge adds another layer of complexity and uncertainty to this questionably prudent practice. If an innocent third party relies on or executes a deliberately falsified construction or manufacturing plan, resulting in property damage or bodily injury, it may not be an argument for coverage, or a defense to the suit itself, that the insured was trying to catch a bad guy (or bad gal). Risk managers and their insurers may be faced with ethical issues in the course of investigating and reporting both routine and unusual cyber threats and creating resilient defenses.
As indicated by a previous post and in the Wall Street Journal here[vi], medical records have apparently become the hackers' preferred booty in the data piracy sea. If the counter-measure to catch medical record pirates is to plant false medical records on health industry servers, it is not hard to see where serious medical liability exposure might result. Assume the original act of medical record hacking is covered by cyber coverage; will the forensic or other coverage parts extend to such counter-measures? Could insurers who sanction such measures become exposed to the consequences? I am not sure that insurers will necessarily be leading the attack in these murky waters, but neither will they be putting up coverage obstacles to legitimate countermeasures which are sufficiently related to a reported, covered hacking event. Ultimately, it will be the tech community, in close cooperation with insurers, government agencies (the FBI and state and local law enforcement) and the insured, who should make the call as to when and by what means to take the offensive.
We have clearly reached the point where privacy liability and network security insurance is an indispensable part of every organization's enterprise risk management. The insurance is as valuable for the continual assessment and re-assessment of vulnerabilities, and access to independent forensics, as it is for regulatory and civil liability expense reduction. What is more, applying advanced metrics to the flow of data security breaches helps to differentiate and prioritize them. Hackers have become sophisticated about covering their tracks, using "watering hole" techniques: compromising sites that unsuspecting third parties operate and their intended targets visit, then waiting, sometimes for an extended period, until a target of substantial value connects. Russian hackers have apparently infected websites that their targets visit often (like an on-line Chinese restaurant) with malicious software, and have broken into the networks of industrial control software (ICS) vendors, so that when users download the latest version of the software, they also download the hackers' malware. A practitioner's caveat follows from that last example: a vendor download should be verified against the publisher's signature or an out-of-band published hash before it is installed, since the download site itself is the thing being compromised. The Chinese Army unit that stole data from military contractors often hid its attack software in e-mailed invitations to golfing events. When hackers use these techniques they are exploiting the relatively weak defenses of the Aunt Sallys to penetrate the otherwise robust defenses of their intended targets. The harm to the occasional Aunt Sally server (the Chinese restaurant or golfing event) seems an inevitable social cost of maintaining network security. So reporting minor system breaches both to law enforcement and insurers serves a useful purpose in preventing and mitigating the cost of more serious breaches. The data thus obtained can be used by cyber defenders and governments to develop permanently improved and standardized methods. It is all part of the world wide effort to avoid "cybergeddon", a systemic risk of internet failure.
The World Economic Forum has studied the risk in detail as well as insurers’ role in the measurement of global cyber risks here[vii].
By counterattacking (setting up "honeypot" servers, bogus data banks, or a Maze[viii]), cyber-insured companies and their employees, directors and officers may at best slow down the hackers and make their work more costly, but may also face the potential risk of themselves violating the CFAA and, if so adjudicated, losing their valuable cyber coverage for economic loss and, where the policy includes it, for bodily injury or property damage. One distinction worth keeping in view: a honeypot or decoy record that lives entirely on the insured's own servers, and that only logs who reaches for it, involves no access to anyone else's computer, whereas following stolen data onto a third party's server, or transmitting code to it, is access to a system the insured does not own and is where the CFAA exposure described above arises.
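To make the passive end of that spectrum concrete, here is an added example (not from the guest post, and not code from Cloudflare, any insurer or any vendor named here) of a decoy-record scheme of the kind the planted-false-medical-record passage and the honeypot passage above both describe. It is written so that the decoys can never be served through a legitimate read path, addressing the Aunt Sally problem, and so that detection consists only of reading the defender's own access log. The record-id format ("MRN-" plus a 4-hex nonce and an 8-hex HMAC tag), the field names, the key handling and the log-line layout are all assumptions invented for the example.

```python
"""Honeytoken records kept on the defender's own system (added example).

Assumptions (invented for this example, not from the post):
  * record ids look like "MRN-<4 hex nonce><8 hex tag>";
  * a secret key held only by the defender mints and recognises decoys;
  * access-log lines are "<ts> <user> <record_id> <src_ip> <action>".
Nothing here contacts, probes or modifies any system the defender does not own.
"""
import hashlib
import hmac
import secrets

_PREFIX = "MRN-"
_NONCE_HEX = 4
_TAG_HEX = 8


def _tag(key: bytes, nonce: str) -> str:
    # Truncated HMAC-SHA256 over the nonce. 32 bits is enough that a genuine id
    # matches a decoy tag only by a ~1-in-4-billion accident, while the id keeps
    # the same shape as a real one so it does not stand out to a thief.
    return hmac.new(key, nonce.encode(), hashlib.sha256).hexdigest()[:_TAG_HEX]


def make_honeytoken_id(key: bytes) -> str:
    """Mint a decoy id that only the holder of `key` can recognise as a decoy."""
    nonce = secrets.token_hex(_NONCE_HEX // 2)
    return f"{_PREFIX}{nonce}{_tag(key, nonce)}"


def is_honeytoken_id(key: bytes, record_id: str) -> bool:
    """True iff `record_id` carries a valid decoy tag under `key`."""
    if not record_id.startswith(_PREFIX):
        return False
    body = record_id[len(_PREFIX):]
    if len(body) != _NONCE_HEX + _TAG_HEX:
        return False
    nonce, tag = body[:_NONCE_HEX], body[_NONCE_HEX:]
    return hmac.compare_digest(_tag(key, nonce), tag)


def lookup_for_care(key: bytes, store: dict, record_id: str):
    """Legitimate read path (clinical, billing, export).

    Decoys are never returned here, so no clinician or downstream system can
    act on a fabricated record through any sanctioned interface.
    """
    if is_honeytoken_id(key, record_id):
        return None
    return store.get(record_id)


def scan_access_log(key: bytes, lines) -> list:
    """Passive detection: one alert per read of a decoy record.

    The log is only read; the function never reaches out to the source IP.
    """
    alerts = []
    for line in lines:
        parts = line.split()
        if len(parts) != 5:
            continue  # malformed line: skip rather than guess at fields
        ts, user, record_id, src_ip, action = parts
        if is_honeytoken_id(key, record_id):
            alerts.append({"ts": ts, "user": user, "record_id": record_id,
                           "src_ip": src_ip, "action": action})
    return alerts


def demo():
    """Seed a store with one real record and two decoys, then scan a
    constructed access log. Returns (key, store, decoy_ids, alerts)."""
    key = secrets.token_bytes(32)           # in practice: from a secrets manager
    real_id = "MRN-00001234"                # constructed genuine id (shorter body)
    store = {real_id: {"name": "A. Patient", "dx": "constructed"}}
    decoys = [make_honeytoken_id(key) for _ in range(2)]
    for d in decoys:
        # Decoy content is inert and obviously non-actionable if ever seen.
        store[d] = {"name": "DECOY DO NOT USE", "dx": "n/a"}
    log = [                                 # constructed sample log lines
        f"2014-06-22T01:02:03Z nurse01 {real_id} 10.0.0.5 read",
        f"2014-06-22T02:15:44Z svc_backup {decoys[0]} 10.0.0.9 read",
        "2014-06-22T02:16:00Z svc_backup garbage",
        f"2014-06-22T02:16:01Z unknown {decoys[1]} 203.0.113.7 export",
    ]
    return key, store, decoys, scan_access_log(key, log)


if __name__ == "__main__":
    _, _, _, found = demo()
    for a in found:
        print(f"decoy {a['record_id']} touched by {a['user']} from {a['src_ip']} ({a['action']})")
```

The design choice that matters for the liability discussion is the split between `lookup_for_care` and `scan_access_log`: the only party that can ever "use" a decoy is someone reading the store outside the sanctioned path, and the only response the code takes is to write an alert for the defender's own incident process (and, if desired, law enforcement), never to act on the source address.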
It has been said that “War is hell” and cyber war should be no different, I suppose. To prevent crime and loss of internet utility, our insureds have to adopt strong countermeasures and robust security, but insurers and risk managers will need to help define where the line is to be drawn between protecting data and systems, and deliberately breaching or corrupting them in an effort to identify hackers.
Alan is an attorney at law in New York, providing professional liability claims advocacy and mediation services at Willie Borst ADR. He has over 20 years' experience in D&O as Vice President, Sr. Account Manager of XL Reinsurance America, as a Director of Complex Claims at AIG Domestic Claims, and most recently as a consultant with Corporate Risk Solutions, LLC (www.crslimited.com).
[i]Business Insurance, “Purchase of cyber insurance policies on the rise: Marsh”, March 31, 2014.
[ii] "Hacker Tactic: Holding Data Hostage," NYT 6/22/2014, pg. D4.
[iii] 18 U.S.C. § 1030(f) – Fraud and related activity in connection with computers provides:
(f) This section does not prohibit any lawfully authorized investigative, protective, or intelligence activity of a law enforcement agency of the United States, a State, or a political subdivision of a State, or of an intelligence agency of the United States.
There is no statutory immunity for civilians under the act, but one would assume that if the original hacking event was reported to the state or federal authorities, any countermeasures taken in connection with “investigative, protective, or intelligence activity” should be immune from federal prosecution under the CFAA. While management may be protected from criminal prosecution in its anti-hacking activity, this may not protect it from civil liability or derivative exposure from an anti-hacking event. See In re Caremark International Inc. Derivative Litigation, 698 A.2d 959 (Del. Ch. 1996). If directors know of an illegal anti-hacking measure, fail to prevent it, and the counter measure proximately causes damage to the company, they could arguably face liability under Caremark.
[iv] As described by professor Orin S. Kerr of George Washington Law School, "it is like a blindfolded partygoer trying to hit a piñata with a baseball bat. He might hit Aunt Sally who happens to be nearby."
[v] Security Failure/Privacy Event Management Insurance, Definition (h) “Loss” Chartis 101018 (11/09).
[vi] "What Are the Bad Guys Up to Now? Hacking Health Care Records, Apparently" (D&O Diary, 2/19/2014).
[vii] World Economic Forum, Global Risks 2014 at section 2.4.
[viii] CloudFlare has developed a service called Maze which is “a virtual labyrinth of gibberish and gobbledygook”.