Dark Reading is part of the Informa Tech Division of Informa PLC

Sharon Besser

Caveat Emptor: Calculating the Impact of Global Attacks on Cyber Insurance

The reality for business owners and CISOs looking to protect their business from a cyberattack is that cyber insurance is not a catchall for protecting against risk and loss.

The cyber insurance investigation into the loss potential of the recent ransomware attack on Norsk Hydro, one of the world's largest aluminum producers, has begun. Much as 2017's NotPetya worm did, it is likely to increase interest in cyber insurance among manufacturers and other organizations. While the full cost of the Norsk Hydro "LockerGoga" attack has yet to be calculated, we have already seen, as with NotPetya, a dramatic loss of income and intense business disruption.

But can cyber insurance do enough to limit the fallout for the victims of ransomware attacks? If not, how can proactive businesses ensure they are financially protected after a breach?

Calculating the Costs
The effect of the most recent wave of cybercrime on the IT and insurance industries continues to grow as businesses disclose "silent cyber" impacts (losses claimed under policies that never explicitly addressed cyber risk) as well as affirmative losses from WannaCry and NotPetya. The latest reports from Property Claim Services (PCS) put the loss from NotPetya at over $3.3 billion, and it is still growing. PCS is currently evaluating the Norsk Hydro event to determine whether it meets the global cyber event designation, which requires an attack to generate a re/insured loss of at least $20 million. Recent estimates from the company itself suggest $40 million in losses.

Despite the payouts, for some businesses reliance on insurance has proven inadequate. Consider US pharmaceutical company Merck. The company disclosed that the NotPetya attack had cost it as much as $580 million since June 2017 and predicted an additional $200 million in costs by the end of 2018. In contrast, experts estimated its insurance payout would be around $275 million: a huge number, but under half of the amount incurred so far, let alone any silent costs that may continue to rise.

Other companies have been left even worse off, such as snack food company Mondelez International Inc., which is in a continuing battle with its property insurer, Zurich American Insurance Company. Mondelez filed a claim for the NotPetya attacks under a policy that included "all risks of physical loss or damage," specifying "physical loss or damage to electronic data, programs, or software, including loss or damage caused by the malicious introduction of a machine code or instruction."

Zurich denied the claim, relying on a clause that excludes coverage for any "hostile or war-like act by any governmental or sovereign power," after US intelligence officials determined that NotPetya originated as an attack by the Russian military against Ukraine. Mondelez contends that Zurich is wrongfully denying coverage, and Zurich is contesting that claim.

What an Act of War Might Mean for Coverage
As cybercrime continues to rise, businesses are reconsidering their cyber insurance coverage. Organizations deciding whether to take out coverage need to find room in the budget for recurring costs and potentially large premiums. For this investment to be worthwhile, businesses want to be confident that they will recover their costs if a breach happens. Selecting the "right" form of coverage therefore becomes critical.

The insurance payouts around the NotPetya attacks, and the Mondelez case in particular, call this into question. This is especially true given the rise in cyberattacks that are nation-backed, or that insurers could plausibly claim are nation-backed in order to dispute a claim. As regulations change and the US military is given more freedom to launch preemptive cyberattacks against foreign government hackers, any evidence suggesting governmental or military attribution could be treated as confirmation of an act of cyberwar and legitimately used against claimants seeking to recover their losses.

Will the Fine Print Affect Public Research?
The ripple effect could go beyond the claims sector and, in the long run, affect security research, and potentially the free press and journalism. Traditionally, researchers have had the freedom to comment and even speculate on the attribution of cyberattacks based on the attackers' behavior and the attack signatures they use. If insurance companies and claims handlers begin using public research as grounds to deny coverage to victims, research teams could find themselves in an ethical bind, realizing that the results of their investigative work could worsen victims' losses. They may become reluctant to share findings for fear of being pulled into legal proceedings after handing insurers a reason to withhold coverage. The net effect could be less public research and less transparency across the industry.

Can Cybersecurity Vendors "Guarantee" Safety?
The question of which claims to honor extends to financial guarantees from cybersecurity vendors too, not only to insurers. It is increasingly popular for vendors to offer warranties to customers who purchase their products, putting real money behind their marketing claims. However, many experts believe the underlying cyber insurance policies have so many loopholes that they negate the benefit of any such warranty. We have already addressed the often cited exclusion for nation-state attacks and "acts of God." Other common exclusions cover portable devices, insider threats, and intentional acts. Even if you are broadly covered for an event, does that coverage extend to all employees? According to the latest Cyber Insurance Buying Guide, "most policies do not adequately provide for both first-party and third-party loss."

Caveat Emptor
The reality for business owners and CISOs looking to protect their business is that cyber insurance is not a catchall for protecting against risk and loss, especially as cybercrime indiscriminately crosses new lines in the damage it inflicts. As we have seen, the cyber insurance industry faces unresolved challenges in ensuring protection for victims. And cybersecurity companies making big promises that are ultimately undermined by the small print offer neither a guarantee of safety nor of recourse. Until the industry resolves some of these issues, it is caveat emptor for businesses purchasing policies and cybersecurity solutions.

Sharon is vice president of products at Guardicore, responsible for driving product strategy for the company. He is an accomplished data and network security expert with a successful track record combining deep technical hands-on excellence with market vision to incubate new ...
Comments
User Rank: Author
6/12/2019 | 3:02:31 PM
Re: Easy question
I do not disagree :-) There are different reasons to buy insurance. I'm saying that if your company is buying Cyber Insurance, they should be very careful and validate that indeed it will cover the risk they are trying to offset.
User Rank: Ninja
5/30/2019 | 3:52:45 PM
Easy question
Somebody answer HOW does cyberinsurance PREVENT an attack? (Answer: nope - just keeps the accountants and the C-Suite happy, balances the books and looks good for PR.) What prevents an attack? Well a trained IT staff that knows about CSIRT material and monitors endpoints and servers. What restores an attack? A good tested backup and recovery protocol combined with business continuity planning. So WTF is good insurance worth? Of little technical value but it looks good for the press conference.