What is Cyber Subrogation?

Cyberattacks have become increasingly frequent and costly.  In 2015 alone, an estimated 300 million records were leaked and over $1 billion stolen.  By 2017, these numbers have only risen, with global companies becoming frequent targets.  This year, a cyberattack orchestrated and launched on Tuesday, June 27, 2017 used malware known as “NotPetya”.  The malware is called NotPetya because it masquerades as the Petya ransomware.  “This [malware] is definitely not designed to make money.  This is designed to spread fast and cause damage, with a plausibly deniable cover of ransomware”.[1]

Once the malware is released into an IT system, the following ransom language appears:

If you see this text, then your files are no longer accessible, because they have been encrypted.  Perhaps you are busy looking for a way to recover your files, but don’t waste your time.  Nobody can recover your files without our decryption service.

We guarantee that you can recover all your files safely and easily.  All you need to do is submit the payment and purchase the decryption key.

Please follow the instructions:

1. Send $300 worth of Bitcoin to the following address…

This attack is said to have exploited a vulnerability in tax accounting software widely used in Ukraine, which meant the majority of those affected were based in Eastern Europe.  Once inside a corporate network, the program makes its way from computer to computer, damaging the infected machines' filesystems.  Other victims of the attack included various targets in Ukraine, British marketing giant WPP, British consumer goods giant Reckitt Benckiser, Danish shipper Maersk, FedEx, Cadbury, Mondelez International, US pharmaceutical giant Merck and global law firm DLA Piper.  In all, at least 2,000 individual companies are thought to have been affected.[2]

Hackers and cyber criminals target IT systems and their human operators.  The types of threats include:

  1. Malware/ransomware: Virtual cyber threats impacting firm systems and networks, often taking advantage of system flaws, legacy technology and/or insufficient cyber protections;

  2. Social engineering: Deceptive scams, e.g. phishing, intended to manipulate users into divulging confidential data or leaving open a gateway to said information; and

  3. Insider threats: Unintentional or malicious activity on the part of a firm’s employee resulting in leaked, stolen or compromised information.

Cyber loss insurance subrogation cases should be pursued in a manner comparable to property loss subrogation claims.  Brook F. Minx’s book, SUBROGATION: From Loss to Verdict, covers the many details and issues confronted in handling large subrogation losses, including C&O (a copy is available at no charge upon request).  These steps include:

1. Receiving prompt notification of the loss;

2. Reviewing and analyzing all relevant documents, contracts, agreements, MSAs, etc. governing the various third-party vendor/contractor relationships for:

a. Indemnity;
b. Release(s);
c. Hold harmless;
d. Waivers of subrogation;
e. Limitations of remedies; and
f. Limitations of liability;

3. Conducting a thorough C&O investigation as soon as possible;

4. Retaining qualified computer, malware and forensic experts;

5. Preserving critical evidence;

6. Proceeding with negotiations; and if warranted,

7. Filing a subrogation recovery lawsuit against all potential defendants.

While this is an oversimplification of the many intricacies and steps involved in a large subrogation loss methodology, Brook F. Minx’s methodology remains consistent, focusing each step on saving the insurer expense dollars.

With respect to securing recovery, the insurer still must locate a defendant with either enough liability insurance or assets to cover the damages which arise from a cyberattack. Not only must the insurer locate an appropriate defendant, the insurer must also demonstrate either that the defendant failed to follow the continuously evolving basic standard of care in the cyber industry or otherwise breached a contract.

A prime example comes by way of analogy between a computer hacker and an arsonist.  There is clearly an inherent minimal likelihood of recovery against either.  Thus, the subrogation professional must look to other potential defendants that may have inadvertently or improperly enabled or failed to prevent the intentional act.  After an arson fire loss, a subrogation team would target security companies or contractors who were hired to protect the property.  Similarly, after a cyberattack, the team would investigate the security companies who were hired to secure the subject network including contractors/vendors who worked on and provided equipment.  Thus, with any large cyber loss claim, the question is asked: Who is to blame for the data breach?

The only reported cyber subrogation lawsuit of public record involves a claim for $150,000 brought by Travelers Insurance as the insurer of Alpine Bank.[3]  Alpine Bank incurred over $150,000 in costs associated with notifying its customers of a security breach that occurred while Ignition Studio, Inc. was under contract to design and service the bank’s security system.  This case settled out of court rather quickly for an undisclosed final amount.

The subrogation targets of many cyber subrogation lawsuits will be entities that either provided equipment or were responsible for maintaining and securing the network.  These potential targets include:

  1. Data storage companies (such as Dropbox);

  2. Companies that provide website and database maintenance (such as Thomson Reuters Eclipse);

  3. Various companies that maintain contracts with the insured; and

  4. Software companies that provide network protection (such as Norton Antivirus).

It is of the utmost importance to retain knowledgeable forensic experts who can not only determine the cause of the breach but who can also assess whether these potential defendants performed their work in compliance with the ever-evolving industry standards for cyber security.

Cyber subrogation cases have many similarities to other types of large loss subrogation cases.  With the right team of experts and plan of attack, cyber subrogation recovery will become more prevalent in this emerging field as these cyberattacks grow in cost, frequency and magnitude.

[1] Comments by noted computer security veteran The Grugq, https://www.theregister.co.uk/2017/06/28/petya_notpetya_ransomware/.

[2] Catrin Shi and Adam McNestrie, Property Market Braced for Merck Cyber-attack Claim, The Insurance Insider, http://www.insuranceinsider.com/?page_id=1269671&utm_source=Insider-Publishing&utm_medium=Email&utm_content=Untitled3&utm_campaign=Property+market+braced+for+Merck+cyber-attack+claim&utm_cid=324.

[3] Travelers Cas. & Sur. Co., as subrogee and assignee of Alpine Bank v. Ignition Studio, Inc., 2015 WL 672169 (N.D. Ill. 2015) (Travelers’ insured, Alpine Bank, engaged Defendant to design, maintain and service a website for the bank.  Defendant agreed to perform these services for the bank for a fee.  Defendant made several errors with regard to its maintenance and servicing for the website.  Directly because of Defendant’s substandard work in servicing the website, hackers obtained illegal access to the site.).