Dark Reading is part of the Informa Tech Division of Informa PLC


News & Commentary

Sharon Besser

Caveat Emptor: Calculating the Impact of Global Attacks on Cyber Insurance

The reality for business owners and CISOs looking to protect their business from a cyberattack is that cyber insurance is not a catchall for protecting against risk and loss.

The cyber insurance investigation into the loss potential of the recent ransomware attack on one of the world's largest aluminum producers, Norsk Hydro, has begun. It is likely to increase interest in cyber insurance among manufacturers and other organizations, building on the attention raised by 2017's NotPetya worm. While the cost of the Norsk Hydro "LockerGoga" attack has yet to be calculated in full, we have already seen, as with NotPetya, a dramatic loss of income and intense business disruption.

But can cyber insurance do enough to limit the fallout for the victims of ransomware attacks? If not, how can proactive businesses ensure they are financially protected after a breach?

Calculating the Costs
The effect on the IT and insurance industries from the most recent wave of cybercrime continues to grow as businesses disclose silent cyber impacts, as well as affirmative losses from WannaCry/NotPetya. The latest reports from Property Claim Services (PCS) put the loss from NotPetya at over $3.3 billion, and it's still growing. The Norsk Hydro event is currently being evaluated by PCS to ascertain whether it meets the global cyber event designation, which would require the attack to generate a re/insured loss of at least $20 million. Recent estimates from the company suggest $40 million in losses.

Despite the payouts, for some businesses, reliance on insurance has proven inadequate. Consider US pharmaceutical company Merck. The company disclosed that the NotPetya cyberattacks had cost it as much as $580 million since June 2017, and predicted an additional $200 million in costs by the end of 2018. In contrast, experts estimated its insurance payout would be around $275 million, a huge number but under half of the amount it has incurred so far, let alone any silent costs that may continue to rise.

Other companies have been left even worse off, such as snack food company Mondelez International Inc., which is in a continuing battle with its property insurer, Zurich American Insurance Company. Mondelez filed a claim for the NotPetya attacks under a policy that included "all risks of physical loss or damage," specifying "physical loss or damage to electronic data, programs, or software, including loss or damage caused by the malicious introduction of a machine code or instruction."

Zurich disputed the claim, based on a clause that excludes insurance coverage for any "hostile or war-like act by any governmental or sovereign power" after US intelligence officials determined that the NotPetya malware originated as an attack by the Russian military against Ukraine. Zurich is fighting the claim by Mondelez that it is wrongfully denying coverage.

What an Act of War Might Mean for Coverage
As cybercrime continues to rise, businesses are reconsidering their cyber insurance coverage. Organizations faced with a decision to take out coverage need to find space in the budget for monthly costs and potentially large premiums. For this investment to be worthwhile, businesses want to be confident that they will recover their costs if a breach happens. Therefore, selecting the "right" form of coverage becomes critical.

The insurance payouts around the NotPetya cyberattacks, and in particular the Mondelez case, throw this into question. This is especially true considering the rise in cyberattacks that are nation-backed, or that insurance companies could plausibly claim to be nation-backed in order to dispute a claim. As regulations change and the US military is given more freedom to launch preventative cyberattacks against foreign government hackers, any evidence that suggests governmental or military attribution could be taken as confirmation of an act of cyberwar and be legitimately used against claimants looking to settle their losses.

Will the Fine Print Affect Public Research?
The ripple effect of this could go beyond the claims sector, and, in the long run, have a connected impact on security research, and potentially free press and journalism. Traditionally, researchers have had the freedom to comment and even speculate on the attribution of cyberattacks through information on the attackers' behavior and the attack signatures they use. If insurance companies and claims handlers begin using public research as a reason to deny coverage to victims, research teams could be put in an ethical bind when faced with the realization that the results of their investigative work could exacerbate victims' woes. They may be reluctant to share their findings, due to fear of being pulled into legal proceedings by giving insurers a possible reason to withhold coverage. The net effect might end up reducing the amount of public research and the transparency of the industry overall.

Can Cybersecurity Vendors "Guarantee" Safety?
The issue of what claims to honor extends to financial guarantees from cybersecurity vendors too, not only to insurance handlers. It is becoming increasingly popular for vendors to offer warranties to customers that purchase cybersecurity products, giving real substance to their claims. However, many experts believe that cyber insurance policies have so many loopholes that they negate the benefit of any warranty. We've already addressed exclusion of coverage for the often cited "nation-state or act of God" exception. Other examples include portable devices, insider threats, or intentional acts. Even if you are widely covered for an event, does that extend to all employees? According to the latest Cyber Insurance Buying Guide, "most policies do not adequately provide for both first-party and third-party loss."

Caveat Emptor
The reality for business owners and CISOs looking to protect their business is that cyber insurance is not a catchall for protecting against risk and loss, especially as cybercrime indiscriminately crosses new lines for inflicting damage. As we've seen, the cyber insurance industry faces unresolved challenges in ensuring protection for victims. And cybersecurity companies making big promises that are ultimately undermined by the small print offer neither a guarantee of safety nor recourse. Until the industry resolves some of these issues, it's caveat emptor for businesses purchasing policies and cybersecurity solutions.

Sharon is vice president of products at Guardicore, responsible for driving product strategy for the company. He is an accomplished data and network security expert with a successful track record combining deep technical hands-on excellence with market vision to incubate new ...
User Rank: Ninja
5/30/2019 | 3:52:45 PM
Easy question
Somebody answer HOW does cyberinsurance PREVENT an attack?????  (Answer: nope - just keeps the accountants and the C-Suite happy, balances the books and looks good for PR.)  What prevents an attack?  Well a trained IT staff that knows about CSirt material and monitors endpoints and servers.  What restores an attack?  A good tested backup and recovery protocol combined with business continuity planning.  So WTF is good insurance worth?  Of little technical value but it looks good for the press conference. 
User Rank: Author
6/12/2019 | 3:02:31 PM
Re: Easy question
I do not disagree :-) There are different reasons to buy insurance. I'm saying that if your company is buying Cyber Insurance, they should be very careful and validate that indeed it will cover the risk they are trying to offset.