Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

News & Commentary

5/30/2019
02:30 PM
Sharon Besser
Sharon Besser
Commentary
Connect Directly
Facebook
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

Caveat Emptor: Calculating the Impact of Global Attacks on Cyber Insurance

The reality for business owners and CISOs looking to protect their business from a cyberattack is that cyber insurance is not a catchall for protecting against risk and loss.

The cyber insurance investigation into the loss potential of the recent ransomware attack on one of the world's largest aluminum producers, Norsk Hydro, has begun. It is likely to generate increased interest in obtaining cyber insurance by manufacturers and other organizations driven by the attention raised by 2017's NotPetya worm. While the cost for the Norsk Hydro "LockerGoga" attack is yet to be calculated in full, we have already seen, as with NotPetya, a dramatic loss of income and intense business disruption.

But can cyber insurance do enough to limit the fallout for the victims of ransomware attacks? If not, how can proactive businesses ensure they are financially protected after a breach?

Calculating the Costs
The effect on the IT and insurance industries from the most recent wave of cybercrime continues to grow as businesses disclose silent cyber impacts, as well as affirmative losses from WannaCry/NotPetya. The latest reports from Property Claim Services (PCS) put the loss from NotPetya at over $3.3 billion, and it's still growing. The Norsk Hydro event is currently being evaluated by PCS to ascertain whether it meets the global cyber event designation, which would require the attack to generate a re/insured loss of at least $20 million. Recent estimates from the company suggest $40 million in losses.

Despite the payouts, for some businesses, reliance on insurance has proven inadequate. Consider US pharmaceutical company Merck. The company disclosed that the NotPetya cyberattacks have cost it as much as $580 million since June 2017, and predicted an additional $200 million in costs by the end of 2018. In contrast, experts estimated their insurance payout would be around $275 million, a huge number but under half of the amount it has incurred so far, let alone any silent costs that may continue to rise.

Other companies have been left even worse off, such as snack food company Mondelez International Inc., which is in a continuing battle with its property insurer, Zurich American Insurance Company. Mondelez filed a claim for the NotPetya attacks under a policy that included "all risks of physical loss or damage," specifying "physical loss or damage to electronic data, programs, or software, including loss or damage caused by the malicious introduction of a machine code or instruction."

Zurich disputed the claim, based on a clause that excludes insurance coverage for any "hostile or war-like act by any governmental or sovereign power" after US intelligence officials determined that the NotPetya malware originated as an attack by the Russian military against Ukraine. Zurich is fighting the claim by Mondelez that it is wrongfully denying coverage.

What an Act of War Might Mean for Coverage
As cybercrime continues to rise, cyber insurance has businesses reconsidering their coverage. Organizations faced with a decision to take out coverage need to find space in the budget for monthly costs and potentially large premiums. For this investment to be worthwhile, businesses want to be confident that they will recover their costs if a breach happens. Therefore, selecting the "right" form of coverage becomes critical.

The insurance payouts around the NotPetya cyberattacks, and in particular the Mondelez case, throw this into question. This is especially true considering the rise in cyberattacks that are nation-backed or could plausibly be claimed to be nation-backed by insurance companies in order to dispute a claim. As regulations change and the US military is given more freedom to launch preventative cyberattacks against foreign government hackers, any evidence that suggests governmental or military attribution could be confirmation of an act of cyberwar and be legitimately used against claimants looking to settle their losses.

Will the Fine Print Affect Public Research?
The ripple effect of this could go beyond the claims sector, and, in the long run, have a connected impact on security research, and potentially free press and journalism. Traditionally, researchers have had the freedom to comment and even speculate on the attribution of cyberattacks through information on the attackers' behavior and the attack signatures they use. If insurance companies and claims handlers begin using public research as a reason to deny coverage to victims, research teams could be put in an ethical bind when faced with the realization that the results of their investigative work could exacerbate victims' woes. They may be reluctant to share their findings, due to fear of being pulled into legal proceedings by giving insurers a possible reason to withhold coverage. The net effect might end up reducing the amount of public research and the transparency of the industry overall.

Can Cybersecurity Vendors "Guarantee" Safety?
The issue of what claims to honor extends to financial guarantees from cybersecurity vendors too, not only to insurance handlers. It is becoming increasingly popular for vendors to offer warranties to customers that purchase cybersecurity products, giving real substance to their claims. However, many experts believe that cyber insurance policies have so many loopholes that they negate the benefit of any warranty. We've already addressed exclusion of coverage for the often cited "nation-state or act of God" exception. Other examples include portable devices, insider threats, or intentional acts. Even if you are widely covered for an event, does that extend to all employees? According to the latest Cyber Insurance Buying Guide, "most policies do not adequately provide for both first-party and third-party loss."

Caveat Emptor
The reality for business owners and CISOs looking to protect their business is that cyber insurance is not a catchall for protecting against risk and loss, especially as cybercrime indiscriminately crosses new lines for inflicting damage. As we've seen, the cyber insurance industry is faced with unresolved challenges to ensure protection for victims. And cybersecurity companies making big promises that are ultimately undermined by the small print are neither a guarantee of safety or recourse. Until the industry resolves out some of these issues, it's caveat emptor for businesses purchasing policies and cybersecurity solutions.

Related Content:

Sharon is vice president of products at Guardicore, responsible for driving product strategy for the company. He is an accomplished data and network security expert with a successful track record combining deep technical hands-on excellence with market vision to incubate new ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
SharonB187
50%
50%
SharonB187,
User Rank: Author
6/12/2019 | 3:02:31 PM
Re: Easy question
I do not disagree :-)  There are different reasons to buy insurance. I'm saying that if your company is buying Cyber Insurance, they should be very carful and validate that indeed it will cover the risk they are trying to offset. 
REISEN1955
0%
100%
REISEN1955,
User Rank: Ninja
5/30/2019 | 3:52:45 PM
Easy question
Somebody answer HOW does cyberinsurance PREVENT an attack?????  (Answer: nope - just keeps the accountants and the C-Suite happy, balances the books and looks good for PR.)  What prevents an attack?  Well a trained IT staff that knows about CSirt material and monitors endpoints and servers.  What restores an attack?  A good tested backup and recovery protocol combined with business continuity planning.  So WTF is good insurance worth?  Of little technical value but it looks good for the press conference. 
10 Ways to Keep a Rogue RasPi From Wrecking Your Network
Curtis Franklin Jr., Senior Editor at Dark Reading,  7/10/2019
The Security of Cloud Applications
Hillel Solow, CTO and Co-founder, Protego,  7/11/2019
Where Businesses Waste Endpoint Security Budgets
Kelly Sheridan, Staff Editor, Dark Reading,  7/15/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-13611
PUBLISHED: 2019-07-16
An issue was discovered in python-engineio through 3.8.2. There is a Cross-Site WebSocket Hijacking (CSWSH) vulnerability that allows attackers to make WebSocket connections to a server by using a victim's credentials, because the Origin header is not restricted.
CVE-2019-0234
PUBLISHED: 2019-07-15
A Reflected Cross-site Scripting (XSS) vulnerability exists in Apache Roller. Roller's Math Comment Authenticator did not property sanitize user input and could be exploited to perform Reflected Cross Site Scripting (XSS). The mitigation for this vulnerability is to upgrade to the latest version of ...
CVE-2018-7838
PUBLISHED: 2019-07-15
A CWE-119 Buffer Errors vulnerability exists in Modicon M580 CPU - BMEP582040, all versions before V2.90, and Modicon Ethernet Module BMENOC0301, all versions before V2.16, which could cause denial of service on the FTP service of the controller or the Ethernet BMENOC module when it receives a FTP C...
CVE-2019-6822
PUBLISHED: 2019-07-15
A Use After Free: CWE-416 vulnerability exists in Zelio Soft 2, V5.2 and earlier, which could cause remote code execution when opening a specially crafted Zelio Soft 2 project file.
CVE-2019-6823
PUBLISHED: 2019-07-15
A CWE-94: Code Injection vulnerability exists in ProClima (all versions prior to version 8.0.0) which could allow an unauthenticated, remote attacker to execute arbitrary code on the targeted system in all versions of ProClima prior to version 8.0.0.