Insurance Jottings
European Insurers Wary of Rising Threat of Sanctions Against Nord Stream 2 Pipeline
A simmering threat of sanctions against the operator of the US$11 billion Nord Stream 2 pipeline risks shutting off cover from European insurers for the politically sensitive project to bring Russian gas directly to Germany.
Kremlin-backed energy giant Gazprom leads the consortium which, despite stiff opposition from the US and some European nations, has built the pipeline under the Baltic Sea – by-passing Ukraine amid a geopolitical battle for influence in the region.
The US stepped up sanctions on companies linked with the project last week, while this month Germany’s energy regulator temporarily halted its certification process. It said the Swiss consortium behind the pipeline had to form a German unit to show it has enough funding and independence from Gazprom.
“I don’t think any insurers will touch this project with a barge pole until the situation becomes more settled,” said Leigh Hansson, a partner at law firm Reed Smith.
The US and some European opponents of Nord Stream 2 say it will make Europe too reliant on Russian gas, allowing Moscow to expand its political, economic and military influence. But other governments say it is vital to secure energy supplies, as gas prices surge and the threat of power outages looms.
Worries over fresh sanctions led top European insurers AXA and Zurich and reinsurer Munich Re to pull out of insuring the construction this year. Without cover, the pipeline operator could also be exposed to costs for damage, delays or litigation and find it harder to secure loans.
Earlier this year the Biden administration waived sanctions on the pipeline’s operating company, which theoretically enables non-US companies to provide financing and insurance, while Germany has agreed to take action if Russia uses energy as a weapon in its relations with Ukraine.
But lawyers and political risk analysts say the chances of sanctions being imposed have been heightened as a build-up of troops on Ukrainian borders fuels fears of a Russian invasion.
Moscow has dismissed talk of a new Russian assault as inflammatory, but on the 30th November NATO and the US warned Russia it would pay a “high price” for military aggression.
A spokesperson for Nord Stream 2’s Swiss-based operating company said “all construction, operation and other activities of our company are covered by appropriate insurances.” The company did not comment on its contractual partners.
Gazprom declined to comment on Nord Stream’s insurance. In the absence of European insurers, the project could use Russian entities, lawyers say. One Russian insurer Konstanta – now renamed RNCB Insurance – has already been sanctioned.
RNCB Insurance did not immediately respond to a request for comment.
Sanction Threat
European insurers, such as those operating in the Lloyd’s insurance market, could in theory underwrite the pipeline, its Chief Executive John Neal said.
“We’ve been involved with the Nord Stream project previously, certainly insuring its construction,” Mr Neal said, adding: “We need to be hugely respectful of sanctions.”
Lloyd’s declined to comment further.
Munich Re CEO Joachim Wenning told Reuters it is not currently involved with Nord Stream 2 due to sanctions issues.
Zurich said it did not comment on potential or existing customer relationships but stressed that it placed high priority on sanctions compliance. AXA declined to comment.
Allianz, Europe’s biggest insurer, said it could not comment on client relationships, but a spokesperson said the German firm followed “all sanctions regimes very thoroughly.”
Pipeline Cover
With construction complete, insurance for the pipeline itself would protect against problems such as property damage, business interruption and directors and officers liability.
But the delayed approval will likely slow arrangements, said Ross Denton, head of international trade at law firm Ashurst.
One key risk is that the United States could extend sanctions to European firms at short notice, experts say.
Nigel Kushner, chief executive of London law firm W Legal, said the US has a reputation for using sanctions against tactics which aggravate NATO and the West. “The reaction of the US on almost every single occasion is to ramp up sanctions,” he continued.
“Who in their right minds would jump into something and finance something and provide support to something, because there is a risk they may be sanctioned? Insurers are prudent, and I think they will be reticent.”
Memo Cites Lessons from Ransomware Payments by CNA, JBS and Colonial Pipeline
In March 2021, CNA Financial Corporation, one of the country’s largest insurance companies, suffered a ransomware attack from a cybercriminal group called Phoenix.
The attackers pressured the insurer to pay up quickly by raising the ransom demand, claiming the data they had was critical, and promising they would help restore everything if the company paid up.
The hackers originally informed the insurer that the ransom was “999 bitcoins,” or about US$55 million. The criminals later upped the price, stating, “Wasting time. The cost went up, 1099 BTC.”
The attackers warned the insurer that the CNA data they had was important. “It will hit hard if leaked,” they wrote. The attackers also told CNA that they would not publish anything or talk to the press about the incident if the company paid the ransom.
CNA reportedly paid a ransom of US$40 million in Bitcoin.
The ransomware attack on CNA was among the major attacks reported in 2021. Two others were:
- In May 2021, Colonial Pipeline Company, operators of the pipeline which provides nearly half of the East Coast’s fuel supply, paid DarkSide, a ransomware gang believed to operate out of Russia, US$4.4 million in Bitcoin
- In June 2021, JBS Foods USA, which owns plants which process one-fifth of the country’s meat supply, paid a ransom of US$11 million in Bitcoin after it suffered a ransomware attack, which the Federal Bureau of Investigation attributed to the criminal ransomware gang REvil (also known as Sodinokibi)
Colonial and JBS, like CNA, also had to deal with cybercriminals who kept raising the ransom price to pressure them to promptly pay millions of dollars for decryption tools and return of their data.
In each case, the criminals’ strategies included assurances that payment of the ransom would fix the situation, lead to the return of their data, and avoid negative publicity for the company. They promised they would provide decryption keys and delete their copies of the stolen data after the ransom was paid.
How exactly companies were placed under pressure to quickly pay the ransom is one of the key lessons from a Congressional inquiry by the House Committee on Oversight and Reform into multimillion dollar ransomware attacks.
The investigation examined how attackers infect companies’ systems and convince companies to pay millions of dollars for uncertain decryption tools and data return. It also examined how companies attempt to restore compromised systems after the ransom had been paid.
While the committee learned how the crimes unfolded in these cases, it also called for further examination of the factors encouraging ransom payments, “including the role of cyber insurance and the costs companies can face even after paying a ransom, especially when the cybercriminals fail to deliver on their promises.”
A memorandum dated the 16th November 2021 on the investigation from the House Committee on Oversight and Reform identified two other key lessons from the inquiry: small lapses in security led to major breaches and some companies lacked clear initial points of contact with the federal government.
The committee said neither the FBI nor the Department of Justice raised any concerns about the committee releasing the information in its memo.
Small Lapses
In all three costly attacks, the cybercriminals appear to have exploited “small failures” in security systems. In the case of Colonial, the attack started with a single stolen password for an old user profile. In the case of JBS, the failure was an old network administrator account which had not been deactivated and had a weak password. CNA’s attackers convinced a single employee to accept a fake web browser update from a commercial website.
Ransomware can move rapidly to cripple IT systems and the attack may not be detected right away. It took CNA two weeks to discover it had been hacked.
“Even large organisations with seemingly robust security systems fell victim to simple initial attacks, highlighting the need to increase security education and take other security measures prior to an attack,” the committee memo states.
Reporting Ransomware
The committee’s investigation revealed that reporting an attack to the government can be a logistical challenge for companies and may differ based on the company’s industry. Each of the three companies notified a variety of different federal agencies including law enforcement and faced delays in responses.
Colonial contacted at least seven federal agencies or offices. CNA was initially referred to one FBI field office and then referred to another. An e-mail from a JBS official to an FBI field office was passed around to different agents resulting in a several-hours delay in an FBI response.
The Treasury Department answered one firm’s questions regarding sanctions, while the FBI provided the information for another company.
“Some companies lacked clear initial points of contact with the federal government. Depending on their industry, companies were confronted with a patchwork of federal agencies to engage regarding the attacks they faced,” the committee noted, highlighting the importance of having “clearly established federal points of contact.”
The Aftermath
Attackers assured the companies that they would honour promises to provide a decryption key and delete their copies of the stolen data when the ransom was paid. But companies had no way of really knowing if the hackers destroyed their copies. The REvil attackers never provided JBS with proof that they had destroyed all copies of the data they stole.
Also, the companies found that while the decryption keys appear to have worked, it is unclear whether using them was the most effective option. Using the keys ran the risk of deleting legitimate files and, in other cases, the keys worked too slowly. CNA recovered its data with the help of consultants who located a repository used by the attackers. Colonial told investigators that it ended up using its own back-up tapes to restore its systems.
Committee Hearing
Carolyn Maloney, D-NY, chairwoman of the Committee on Oversight and Reform, convened a hearing on the 16th November on the cyber memo and to hear from federal officials on the government’s strategy for fighting cyber threats.
“Ransomware attacks are a serious threat to our economy, public health, infrastructure, and national security, and recent incidents show the growing number and sophistication of attacks,” Ms Maloney stated.
In addition to the CNA, JBS and Colonial attacks, she cited others involving SolarWinds and Kaseya as shining “a spotlight on this growing national security threat.”
Ms Maloney expressed concern over the “competing pressures private sector companies – especially those serving critical public functions – and state and local governments face when confronting ransomware attacks, which often lead them to accede to attackers’ demands.”
Chris Inglis, National Cyber Director, one of several government cyber experts testifying before the committee, outlined the strategy the Biden Administration is pursuing to prioritise and coordinate the government’s efforts and its cooperation with the private sector and other countries to combat cyber-attacks.
“That strategy begins with an understanding of what makes ransomware so effective. Ransomware takes advantage of key characteristics of the modern cyber ecosystem,” Mr Inglis told the committee. He said the government is targeting these areas of the cyber ecosystem that ransomware is exploiting:
- Ransomware actors are able to purchase their tools on the black market and to mount their attacks from leased and disposable cloud-based virtual infrastructure, which they can tear down and rebuild quickly once exposed
- The systems these criminals target are too often left vulnerable by failures to patch and upgrade, to properly secure data, to create reliable back-ups, or to ensure frontline employees consistently exercise basic cybersecurity practices
- Inconsistent application of anti-money laundering controls to virtual currencies permits criminals to engage in arbitrage and to leverage permissive jurisdictions to launder the proceeds of their crime
- Finally, ransomware criminals are too often able to operate with impunity in the nation states where they reside, facing no meaningful accountability for their actions
“The Administration is bringing the full weight of US government capabilities to disrupt ransomware actors, facilitators, networks and to address the abuse of financial infrastructure to launder ransoms,” Mr Inglis stated.
He said the Administration has called on the private sector to step up its investment in cyber defences. The government has also set forth expected cybersecurity thresholds and requirements for critical infrastructure.
The government also continues to enforce anti-money laundering controls and laws while working to acquire “new capabilities to trace and interdict ransomware proceeds,” Mr Inglis stated.
Finally, Mr Inglis said the government is working with international partners to disrupt ransomware networks, impose consequences and hold accountable states which allow criminals to operate from within their jurisdictions.
“These are daunting undertakings, and overcoming them will require realising a digital ecosystem which is resilient by design, a policy and commercial environment which aligns actions to consequences, and ensuring public and private sectors are postured to proactively and decisively collaborate,” the national cyber director told the lawmakers.
On the 8th November 2021, DOJ announced charges against two foreign hackers affiliated with the criminal ransomware group REvil, the entity responsible for thousands of ransomware attacks, including on JBS Foods and Kaseya. DOJ also announced that it seized US$6.1 million in ransom payments received by the attackers.
According to the committee, in 2020, ransomware attacks on both public and private institutions in the US cost an estimated US$19.5 billion. Additionally, recent data shows that in the first six months of 2021, financial institutions reported US$590 million in ransomware-related transactions. Current trends indicate that ransomware transactions in 2021 alone will exceed the previous ten years combined.
NZ regulator issues final climate change guidance for insurers
New Zealand’s Financial Markets Authority has issued final guidance for the financial sector – including the country’s (re)insurers – detailing its expectations on how firms should make climate-related disclosures ahead of mandatory rules coming in 2024.