Dark Reading is part of the Informa Tech Division of Informa PLC


5/30/2019
02:30 PM
Sharon Besser
Commentary

Caveat Emptor: Calculating the Impact of Global Attacks on Cyber Insurance

The reality for business owners and CISOs looking to protect their business from a cyberattack is that cyber insurance is not a catchall for protecting against risk and loss.

The cyber insurance investigation into the loss potential of the recent ransomware attack on one of the world's largest aluminum producers, Norsk Hydro, has begun. It is likely to generate increased interest in obtaining cyber insurance by manufacturers and other organizations driven by the attention raised by 2017's NotPetya worm. While the cost for the Norsk Hydro "LockerGoga" attack is yet to be calculated in full, we have already seen, as with NotPetya, a dramatic loss of income and intense business disruption.

But can cyber insurance do enough to limit the fallout for the victims of ransomware attacks? If not, how can proactive businesses ensure they are financially protected after a breach?

Calculating the Costs
The effect on the IT and insurance industries from the most recent wave of cybercrime continues to grow as businesses disclose silent cyber impacts, as well as affirmative losses from WannaCry/NotPetya. The latest reports from Property Claim Services (PCS) put the loss from NotPetya at over $3.3 billion, and it's still growing. The Norsk Hydro event is currently being evaluated by PCS to ascertain whether it meets the global cyber event designation, which would require the attack to generate a re/insured loss of at least $20 million. Recent estimates from the company suggest $40 million in losses.

Despite the payouts, for some businesses, reliance on insurance has proven inadequate. Consider US pharmaceutical company Merck. The company disclosed that the NotPetya cyberattacks have cost it as much as $580 million since June 2017, and predicted an additional $200 million in costs by the end of 2018. In contrast, experts estimated their insurance payout would be around $275 million, a huge number but under half of the amount it has incurred so far, let alone any silent costs that may continue to rise.

Other companies have been left even worse off, such as snack food company Mondelez International Inc., which is in a continuing battle with its property insurer, Zurich American Insurance Company. Mondelez filed a claim for the NotPetya attacks under a policy that included "all risks of physical loss or damage," specifying "physical loss or damage to electronic data, programs, or software, including loss or damage caused by the malicious introduction of a machine code or instruction."

Zurich disputed the claim, based on a clause that excludes insurance coverage for any "hostile or war-like act by any governmental or sovereign power" after US intelligence officials determined that the NotPetya malware originated as an attack by the Russian military against Ukraine. Zurich is fighting the claim by Mondelez that it is wrongfully denying coverage.

What an Act of War Might Mean for Coverage
As cybercrime continues to rise, cyber insurance has businesses reconsidering their coverage. Organizations faced with a decision to take out coverage need to find space in the budget for monthly costs and potentially large premiums. For this investment to be worthwhile, businesses want to be confident that they will recover their costs if a breach happens. Therefore, selecting the "right" form of coverage becomes critical.

The insurance payouts around the NotPetya cyberattacks, and in particular the Mondelez case, throw this into question. This is especially true considering the rise in cyberattacks that are nation-backed or could plausibly be claimed to be nation-backed by insurance companies in order to dispute a claim. As regulations change and the US military is given more freedom to launch preventative cyberattacks against foreign government hackers, any evidence that suggests governmental or military attribution could be confirmation of an act of cyberwar and be legitimately used against claimants looking to settle their losses.

Will the Fine Print Affect Public Research?
The ripple effect of this could go beyond the claims sector, and, in the long run, have a connected impact on security research, and potentially free press and journalism. Traditionally, researchers have had the freedom to comment and even speculate on the attribution of cyberattacks through information on the attackers' behavior and the attack signatures they use. If insurance companies and claims handlers begin using public research as a reason to deny coverage to victims, research teams could be put in an ethical bind when faced with the realization that the results of their investigative work could exacerbate victims' woes. They may be reluctant to share their findings, due to fear of being pulled into legal proceedings by giving insurers a possible reason to withhold coverage. The net effect might end up reducing the amount of public research and the transparency of the industry overall.

Can Cybersecurity Vendors "Guarantee" Safety?
The issue of what claims to honor extends to financial guarantees from cybersecurity vendors too, not only to insurance handlers. It is becoming increasingly popular for vendors to offer warranties to customers that purchase cybersecurity products, giving real substance to their claims. However, many experts believe that cyber insurance policies have so many loopholes that they negate the benefit of any warranty. We've already addressed exclusion of coverage for the often cited "nation-state or act of God" exception. Other examples include portable devices, insider threats, or intentional acts. Even if you are widely covered for an event, does that extend to all employees? According to the latest Cyber Insurance Buying Guide, "most policies do not adequately provide for both first-party and third-party loss."

Caveat Emptor
The reality for business owners and CISOs looking to protect their business is that cyber insurance is not a catchall for protecting against risk and loss, especially as cybercrime indiscriminately crosses new lines for inflicting damage. As we've seen, the cyber insurance industry is faced with unresolved challenges to ensure protection for victims. And cybersecurity companies making big promises that are ultimately undermined by the small print are a guarantee of neither safety nor recourse. Until the industry resolves some of these issues, it's caveat emptor for businesses purchasing policies and cybersecurity solutions.

Sharon is vice president of products at Guardicore, responsible for driving product strategy for the company. He is an accomplished data and network security expert with a successful track record combining deep technical hands-on excellence with market vision to incubate new ...

Comments
REISEN1955,
User Rank: Ninja
5/30/2019 | 3:52:45 PM
Easy question
Somebody answer HOW does cyberinsurance PREVENT an attack?????  (Answer: nope - just keeps the accountants and the C-Suite happy, balances the books and looks good for PR.)  What prevents an attack?  Well a trained IT staff that knows about CSirt material and monitors endpoints and servers.  What restores an attack?  A good tested backup and recovery protocol combined with business continuity planning.  So WTF is good insurance worth?  Of little technical value but it looks good for the press conference. 
SharonB187,
User Rank: Author
6/12/2019 | 3:02:31 PM
Re: Easy question
I do not disagree :-)  There are different reasons to buy insurance. I'm saying that if your company is buying Cyber Insurance, they should be very careful and validate that indeed it will cover the risk they are trying to offset.