Lloyd's to exclude certain nation-state attacks from cyber insurance policies

Lloyd's of London insurance policies will stop covering losses from certain nation-state cyber attacks and those that happen during wars, beginning in seven months' time. In a memo sent to the company's 76-plus insurance syndicates, underwriting director Tony Chaudhry said Lloyd's remains "strongly supportive" of cyber attack …

  1. An_Old_Dog Silver badge
    Boffin

    Value of In-House Talent

    It'll be interesting to see how many companies these circumstances shift into hiring computer security staff who are not simply scapegoats, but whose input management heeds, and who are properly supported with training and HW/SW budgets.

    1. Pascal Monett Silver badge

      Re: Value of In-House Talent

      Yeah.

      I'm guessing not many.

    2. Anonymous Coward

      Re: Value of In-House Talent

      They need to up the money first. The difference between the salaries a cybersecurity professional can expect in the UK vs other developed countries is a joke. It's almost less than half.

      Also, HR departments need to sort out the job descriptions on their recruitment guff. Almost all the vacancies that I've seen that would "sort of" fit me go off on wild tangents. It's almost like they try and bundle in cybersecurity with another role to try and get a two for one deal at half the price.

      Yes, cybersecurity folks can end up with a lot of free time, and yes, that sucks if you're paying the salary, but burning out your cybersecurity folks by asking them to also do desktop support bitch work is not a good idea. They need to be fresh all the time, to be able to shoulder a massive incident should one occur. Stop looking at them as workers and more as an insurance policy. You're paying for them to be ready and to advise. You aren't paying them to spread the mayonnaise on a sandwich production line.

      I see it like this...a nightclub owner has noticed that his bouncers just stand around a lot at the doors, so to get his money's worth he takes them off the doors periodically to change toilet rolls in the gents and DJ for guests. Guess what though, in getting "better value" more people are sneaking in without paying tickets. There's now a massive drug problem and shit is kicking off.

    3. EnviableOne Silver badge

      Re: Value of In-House Talent

      TBF, I know a good few industries where cyber insurance premium reductions are being used to finance security improvement.

      A lot of good insurance firms are working to that end, and providing proper mitigations gets you decent coverage at a decent price.

      There are some that even actively work to assess and improve your security throughout the contract, and are becoming closer to MSPs than insurance firms.

      1. Anonymous Coward

        Re: Value of In-House Talent

        ...and yet hiring an actual qualified cybersecurity expert into your business does jack shit for your premiums.

  2. Anonymous Coward

    "But don't worry, we'll still accept your premiums... provided you pay on time"

    "You had a 'Third Party, Fire and Theft' policy... bad luck... a nation state organised the theft, so that just leaves 'Fire'... oh, they hacked your boiler and alarm system, causing it to burn down the building... as I said, really bad luck there... can I interest you in our new 'Comprehensive' policy?"

    1. Yet Another Anonymous coward Silver badge

      You simply buy our new Insurance Risks policy which covers you against your insurance not paying up.

      And if you have any concerns about that we have an Insurance Risks Insurance policy .....

    2. Anonymous Coward
      Facepalm

      Have you ever bought insurance?

      Or read your own insurance policy? Almost all policies in almost all countries exclude "Acts of War" by default.

      IMHO, the less cyber insurance policies cover, the more companies will be willing to invest in security instead of treating hacks as a business expense.

      1. Yet Another Anonymous coward Silver badge

        Re: Have you ever bought insurance?

        Yes and act of war if your car is hit by a tank seems reasonable. But if the insurance company gets to decide every hack is an undeclared war, then every stroppy customs official or every trade embargo?

      2. Anonymous Coward

        Re: Have you ever bought insurance?

        I disagree. Any money saved goes to shareholders as dividends and to execs as bonuses.

      3. Anonymous Coward

        Re: Have you ever bought insurance?

        You bonehead...does that make a disk failure an act of god then?

  3. Anonymous Coward

    So by extension:

    If I'm retained as an InfoSec bod and my client is popped by a Nation state, I'm not on the hook for my failings and my PI cover isn't needed?

    And there's no need for the CISO / InfoSec team to fall on their swords either (Tangent: has anyone ever known either to do so ?)

    1. Yet Another Anonymous coward Silver badge

      You know how you blamed the hack on N Korean Mossad Cyber Ninjas from the Matrix when you forgot to change the default passwd on the firewall?

      Now to get insurance to pay out you have to prove it was so trivial to break in that any regular crim could have done it.

      1. Anonymous Coward

        N Korean Mossad Cyber Ninjas from the Matrix...those fucking bastards...always filling my log files up.

  4. Binraider Silver badge

    Maybe this reflects the inevitable case where a cyber attack does take out some major infrastructure. Nobody can afford for that to happen. So where’s the commensurate budget to go and deal with those obsolete PLCs and their electromechanical predecessors?

    There are secondary issues like figuring out how to work on such systems without disrupting other work that needs to happen, but that can all be done.

  5. Hans Neeson-Bumpsadese Silver badge

    At a minimum – key word: minimum – these policies must exclude losses arising from a war,

    That sort of clause is fairly standard in insurance policies. Fun fact: that's why some wars that the UK has been involved with were not classified as wars. For example, in Malaya (not a "war", it was an "emergency") and the Falklands (not a "war", it was a "conflict") there were many British subjects/dependents who suffered losses or damages, but because these weren't technically wars they could still claim on their insurance policies.

    1. WonkoTheSane
      Headmaster

      /me points at the USA calling Vietnam "A Police Action"

      1. Anonymous Coward

        >USA calling Vietnam "A Police Action"

        Except that some white people were also killed, that doesn't sound too far off.

        Isn't napalm the obvious answer to school shootings?

      2. An_Old_Dog Silver badge
        Headmaster

        Check Your History, Please

        It was the Korean War which was (mis-)labelled a "police action."

    2. JimboSmith Silver badge

      Vlad the inhaler obviously saw this coming declaring a special military operation not a war when he invaded and started targeting civilians in Ukraine.

      1. Yet Another Anonymous coward Silver badge

        re: declared or not

        So are we in an undeclared war with Russia? China? Iran? The EU?

  6. amanfromMars 1 Silver badge

    A Stitch in Time Saves Nine/Proper Preparation and Planning Prevents Piss Poor Performance

    However, as these threats continue to grow, they may "expose the market to systemic risks that syndicates could struggle to manage," he added [PDF], noting that nation-state-sponsored attacks are particularly costly to cover.

    In other, more fulsome words, ... their, and systemic markets exposure to being found out as, and widely recognised and popularly accepted as, and therefore easily able to be found guilty in the first degree and convicted of, being a state enabler complicit in ensuring a simple means to encourage and continue egregiously repressive and oppressively punitive inequitable status quo operations against command and controlling human resources/global assets/earthly treasures/heavenly pleasures/diabolical liberties/universal rights.

    And yes, that would be disastrous for them to be involved in, in any way, and thus is gravely to be regarded ...... with much as was publicly revealed and earnestly advised on about the power of ever present money over 60 years ago [on January 17, 1961] surprisingly easily made applicable to them also ...... President Dwight D. Eisenhower's Farewell Address (1961)

    Sound earlier advice which quite obviously fell on deaf ears and now results in all manner of totally new formerly unimaginable unexpected consequences.

    1. Headley_Grange Silver badge

      Re: A Stitch in Time Saves Nine/Proper Preparation and Planning Prevents Piss Poor Performance

      Do you write contracts for insurance companies in your spare time?

  7. amanfromMars 1 Silver badge

    The more things change, the more they stay the same ‽ ‽

    :-) In your dreams, maybe, but not nowadays in 0days

    That Lloyd's Market Bulletin Ref: Y5381 is a bold admission that some attack vectors are indefensible .... and therefore more valuable than ever can be priced for and bought for exclusive use/abuse/misuse.

    That in its turn makes those attack vector agents enabled to be rich beyond even the craziest of dreams ...... and that is another mother of a brand spanking new market for status quo systems to consider requires their regulation with novel invented rules which affords them a remote proxy control facility. Such is their default modus operandi/vivendi.

    Take care though stepping into that market for it does not accept the folly and counsel of useful fools who be useless tools.

  8. steelpillow Silver badge
    Pirate

    Acts of war

    On the face of it this ought to be a sensible move; insurers habitually exclude acts of war, and cyberwarfare is an obvious thing to lump in with that.

    But how do you define cyberwarfare? Lloyd's have plumped for action by a foreign state agency. Again, that might seem fair enough, except: how do you establish who perpetrated the attack, and even if you do pin it down to some black-hat organisation, how do you decide whether they are criminal freelancers or under state control or some unholy mix of the two?

    1. Anonymous Coward

      Re: Acts of war

      That's what you pay very expensive lawyers for...

  9. Pascal Monett Silver badge
    Flame

    "cyber attack coverage"

    This is an abomination in principle.

    It allows companies to not do the required effort to secure their systems, and instead get compensated for their lack of effort when disaster strikes.

    This should not be allowed. We're not talking about a building ruined by an earthquake. Hacking is not an unforeseeable event. It is ongoing and constant.

    There should not be insurance on that. Do your job and secure your servers.

    1. Headley_Grange Silver badge

      Re: "cyber attack coverage"

      Home insurance is an abomination. Most houses are insecure since a brick through the window allows thieves into the house. House insurance just allows home-owners to not bother with properly securing their homes and instead just get compensated when they are robbed.

      Home insurance should not be allowed......, etc.

      1. Jimmy2Cows Silver badge

        Re: "cyber attack coverage"

        House insurance just allows home-owners to not bother with properly securing their homes and instead just get compensated when they are robbed.

        Actually, no. Most home insurers will not cover theft loss if your home was not adequately secured at the time. They have very specific wording for this in policy exclusions. So if you left a window open, a door unlocked, or your doors don't have adequate locks (e.g. multipoint), claims will be denied.

        It certainly doesn't encourage people to be stupidly lax about securing their home. A brick through the window isn't something you can realistically expect everyone to guard against, so naturally this kind of attack is not excluded.

        1. Anonymous Coward

          Re: "cyber attack coverage"

          That is a common myth, but absolutely not true.

          The vast majority, if not all, homeowners policies DO NOT exclude coverage if you don't 'secure' your house. They'll give you small discounts for things like burglar alarms, but the discount is generally not big enough to cover the alarm monitoring cost.

          I know my policy has absolutely no difference in coverage no matter whether I have high security deadbolt locks or just leave my doors open all day.

          Claims are denied when they are caused by something not covered. I live in an area where a flood is damn near impossible, so I don't bother with flood coverage. If my house is flooded, a claim would be denied (and because of the location of my house, hundreds of feet above the nearest body of water, my entire city would be washed away and pretty much every insurance company on the planet would be bankrupt.)

          Claims are NOT denied when they're caused by a named peril. Theft is a named peril in all homeowners policies. Theft is covered. Door locks are irrelevant.

          1. usbac

            Re: "cyber attack coverage"

            "I live in an area where a flood is damn near impossible, so I don't bother with flood coverage."

            Be careful with this. If you have a water pipe break just outside of your house, and it causes some damage to your house, your insurance will try to deny it. Water coming from outside the home, whether from a pipe or not, is covered under flood insurance, and not by regular homeowners insurance.

            We had a pipe break right where it came through the concrete wall of the basement. It flooded part of the basement. The insurance company tried to say that the water "came from outside" and was not covered, since like you, we don't have flood insurance. We won in the end, but it is something to be aware of.

          2. Ken Moorhouse Silver badge

            Re: I live in an area where a flood is damn near impossible

            No nearby hydroelectric schemes planned?

            The Levelling up which gov keeps on at us about could involve filling in the valleys.

        2. Anonymous Coward

          Re: "cyber attack coverage"

          "A brick through the window isn't something you can realistically expect everyone to guard against..."

          When an Italian friend visited me in the UK he was shocked to see ground-floor windows without bars, grills or security shutters and doors with windows in them instead of being steel lined. He asked why houses weren't robbed all the time.

      2. EricB123 Bronze badge

        Re: "cyber attack coverage"

        In many parts of Asia home insurance is almost unheard of.

        Most houses do have steel gates however.

    2. Mike 137 Silver badge

      Re: "cyber attack coverage"

      Actually, there has always been a range of policy types in principle, from, at one end, low cost policies with negligible obligation on the insured that offer minimal cover that's hard to claim, and at the other end robust quite expensive policies that pay out fairly but demand specific security obligations to be fulfilled. If the insurer in the latter case finds out that those obligations have not been fulfilled they are unlikely to pay out. As the industry has matured, the latter type has actually come to dominate the market, so there's much less opportunity to be slack and rely on insurance as a fallback than there was in the early days of the industry.

      Insurance is just one (but a necessary one) of the tools used to protect against the cyber threat (just as fire insurance is one of the tools to protect against that threat, in which case sloppy fire precautions will tend to result in non-settlement too).

    3. DS999 Silver badge

      Re: "cyber attack coverage"

      It isn't cyber attack insurance that should be banned, but the payment of ransom. If the US, UK and EU collectively agreed to make ransomware payments illegal within their jurisdiction, while it would create some short term pain for victims in the long run it would greatly decrease ransomware attacks assuming it was properly enforced.

      The only reason hackers switched from attacking sites and putting up their names or some message they wanted to send to encrypting data and asking for ransom is because they found a way to make their hobby a paying job thanks to the ease of receiving payment in cryptocurrency. If the income dried up, so would the attacks. I mean, would you keep showing up at work if they quit paying you?

      Cyber attack insurance would still be necessary to compensate companies for lost data etc. who get hit after it is banned, or the small amount of attacks that might remain after most black hat hackers moved on to something else. The only bad part about cyber attack insurance is when it pays ransom. That just makes the problem worse, because companies don't even bear the cost of the ransom.

    4. An_Old_Dog Silver badge
      Coffee/keyboard

      Re: "cyber attack coverage"

      Cyber security is hard to do well. There are a bunch of easy things -- which should be mandatory things to do. And there are hard things to do. Effectively combating human nature is by definition hard, if not impossible to do. Some, perhaps many, people simply lack the ability to recognize a dodgy URL, regardless of how many classes they're given and videos they're shown. Some, perhaps many, people will fall to scammers' tricks ("Hi, Dan, this is Matt in Accounting. There's something wrong with the system, and my password doesn't work on our SAP server. It's got some data I need to pull together a report the boss is screaming for, and I've called IT, but they're really busy and the voice system says the queue time is currently at 40 minutes. Can you do me a major big and loan me your password to the accounting interface module? I know you're really not supposed to, but it's just this once and it'd get me out of a huge jam. Oh, thank you ever so much ..."), no matter how many seminars they're sent to.

      It's generally not because people are "stupid" (yes, some people are stupid, but on the average, they are not). It's a genetic thing about how their minds work. And because of that, no matter how skilled and diligent and well-supported your cybersecurity team is, eventually, a scammer will get through.

      Software patches are a different kettle of worms. Some patches eliminate needed functionality, some patches are themselves buggy, and it's a crap-shoot whether a particular 0-day exploit can be successfully used against your company or not.

      You have to face knowing at some day in the cybersecurity wars, you are going to lose. That is what the insurance is for.

      Finger-pointing won't help, but, humans being humans, that too will continue.

      (Icon 'cause they -- Boards of Directors, and insurance companies -- want to escape paying.)

  10. Flywheel

    "those that happen during wars, beginning in seven months' time"

    So are they anticipating that the war in Ukraine will be over in 7 months time?

    1. Kane Silver badge
      Thumb Up

      Re: "those that happen during wars, beginning in seven months' time"

      "So are they anticipating that the war in Ukraine will be over in 7 months time?"

      Maybe they should share their intel with everyone else!

      1. Hans Neeson-Bumpsadese Silver badge
        Coat

        Re: "those that happen during wars, beginning in seven months' time"

        Maybe they should share their intel with everyone else!

        It's other people getting access to the Intel (or the AMD, or the ARM, or whatever) that's the problem in cyberattacks

    2. WonkoTheSane
      Headmaster

      Re: "those that happen during wars, beginning in seven months' time"

      March 31st 2023 - The last day of the current financial year.

      1. Yet Another Anonymous coward Silver badge

        Re: "those that happen during wars, beginning in seven months' time"

        So are we relying on the Russian army to have the same accounting rules?

        1. GrumpyKiwi

          Re: "those that happen during wars, beginning in seven months' time"

          Russian Army Accounting Rules:

          50% for the Defence Minister

          25% split among the Generals

          10% split among lower ranked officers

          5% split for the rear echelon logistics staff

          10% for actual equipment purchases, maintenance, soldiers wages etc.

          Result: "Super" power.

  11. katrinab Silver badge
    Megaphone

    The thing I don't get is, why do they think that the "really sophisticated" attacks can only be carried out by governments?

    Have they ever seen a government IT project? Plenty of examples elsewhere on this site. The only thing that is sophisticated about them is the ability of the same useless contractors to get massive contracts again and again despite their complete incompetence.

    1. Anonymous Coward

      Attacks sponsored and executed by crime syndicates = organised crime

      Attacks sponsored and executed by government = disorganised crime

      1. GruntyMcPugh Silver badge

        I listened to a podcast recently that discussed North Korea and its state-sanctioned hacks, and that they were largely in it for the money. They nearly stole a cool $1Bn from the national bank of Bangladesh. They are an oddity in this respect, but then they have a GDP equivalent to the state of Montana, so need to get cash for their nuke research somehow.

  12. Ozzard
    Boffin

    There's a standard insurance fix for catastrophic losses: reinsurance

    I want to see who's reinsuring the insurers against cat losses, and how they calculate their XOL (excess-of-loss) premiums.

    That said, a war exclusion is reasonably standard.

  13. Anonymous Coward

    and "terrorism" ?

    #justasking.

  14. Bitsminer Silver badge

    Nation-state as the perp, or the victim?

    Most commentards have reflected on the inability to reliably attribute the origins of a cyber-attack. As mentioned, the bad boys and girls can be anything from sympathizers to fully-involved gangsters.

    The article also mentions losses due to cyber attacks against a nation state. Successful ones. That would be the catastrophe they don't want to cover. If Germany or Bank of England or US Treasury get completely disabled for weeks, well then, a lot of things would change, and none for the better.

    The consequences to companies, whether large or small, in such circumstances, are unimaginable. And then there are the people, both employees and everybody else. No, don't believe it, no insurance scheme is adequate to such a situation. Best not let it happen.

  15. Sparkus

    stop writing coverage

    that protects incompetent managers, directors, and CIOs from idiotic decision making.........
