Excluding them makes it worthless
As it immediately means the vast majority of claims will not pay out.
You can't have it both ways, Lloyds.
Critics unhappy about insurers excluding certain nation-state attacks from cyber policies should consider the alternative: higher prices, according to Lloyd's of London. Based in the UK, Lloyd's is a marketplace of insurance buyers and sellers, rather than a company, and has 77 cyber risk insurers under its wing for which it …
If you were one of the ones (like me) who foolishly thought that insurance might be the white knight to fix the software industry, then it is YOU who are wanting it both ways, as demonstrated by your current complaint.
Insurance has very rarely covered acts of war, and I'm surprised that cyber was covering it in the first place.
In practice, this is going to gut the cyber insurance market, but it's not the insurance company's fault. As an industry, our posture is so shoddy that ANY determined actor can acquire the capability to wreak server havoc (heh). Which means that nation-states are going to completely p0wn any target that they really want.
The problem is that our industry is simply too sloppy for insurance. The insurance companies are figuring this out, and the results are inevitable.
By the normal "acts of war" definition (state declared), the only cyber attacks that have ever been acts of war are the ones perpetrated by Russia upon Ukraine.
Excluding state actors would also mean things like refusing to cover a police car crashing into your building, leaving it to you to recover the costs from the police without any assistance.
On the other hand, perhaps killing off the entire ransomware insurance industry will take out the ransomware industry too.
"the only cyber attacks that have ever been acts of war are the ones perpetrated by Russia upon Ukraine."
Russia's cyber attacks on satellite terminals knocked out supervisory and safety systems at almost all windfarms in Europe
The TARGET might have been Ukraine, but the splash damage was widespread
And yes, the industry is hellaciously sloppy. Not only on security.
In the IT world, cyber by extension, it has been shown that supposed "best practices" are not actually that good against a determined attacker. This is a different kettle of fish compared to measuring the tread on a set of tyres.
How many of us have done the equivalent of a "#include" or "import" of whatever package or module, and NOT done ANY due diligence on it? The great mantra of the Linux world is "the community maintains/monitors it". The term "community" is a misnomer when it turns out one or two people are actually doing the maintaining. Then when a flaw comes along, e.g. log4j, some people jump up and down waving their fists and beating their chests that it was vulnerable and nobody noticed until now. Despite being used by huge numbers of people, none of them did the due diligence. None. I bet the same people could measure their tyre tread or even make a reasonably good guess that it's time for new tyres. The "problem" with software is that it is complicated, and to understand it takes time and money from people who are clever enough to understand it. The fact that open source software means the source is available does not mean it is being looked at by competent programmers. It's fair to say that it MAY be being looked at in some cases, and in far fewer cases it IS being actively looked at.
The Lloyds register graded ships on build quality and materials used. They also inspected the ships to make sure the standards were not being fudged. We have no such equivalent in the IT world - it's an uncoordinated and endless list of best practices from different people and organisations which turn out to be actually not very good. We are at times barely ahead of the bad guys, and at other times we don't even know we've been compromised. Small companies are in general unable to find the right staff (meaning sufficiently competent) to ensure security; large companies regularly get compromised and come out with their "we take security very seriously" slogans.
SolarWinds is the example of the fire station chief telling everyone to install fire detectors while its own station burned down. A company selling computer security products could not keep itself secure.
Lloyds is right but for the wrong stated reasons. Computer security is in general a bad joke.
"The Lloyds register graded ships on build quality and materials used ..."
And, ideally, insurance companies would get their asses seriously into the computer security field and do the same sort of grading of software. Perhaps having Underwriters' Laboratories do this is appropriate (they may need to hire some(?) more(?) CompSec people). Application X or Website X uses dynamic loading of unvetted libraries and routines? Bad rating for that app or website.
Software security ratings will in turn incentivize better practices by developers and the companies which hire them.
"But that costs more money!". Yeah, and good door locks cost more than low-quality locks. If you "secure" your business with low-quality locks, you will pay more for insurance.
Simply saying, "Ooh, nation-state attack, that's not covered" is simply Lloyds throwing up their hands and wanting to not seriously deal with computer security issues.
How do you know if your hacker is a nation state? How would you prove that?
Do they leave a calling card? "Regards, the North Korean government".
If there is no proof left behind that shows it was a nation state, does that mean the insurance will pay out or are they going to argue the opposite?
Companies seem to like to say it's a "highly sophisticated state sponsored hack" probably because that sounds so much better than "some script kiddie hacked us".
Now I wonder if they'll try to go the other way?
Does the insurance pay out anyway if it's found that it could have been avoided?
There are various people that study malware and attack methods to attempt to guess who did it. They're not always correct, but they're usually able to identify useful patterns and can often be trusted. I'm guessing the bar for the insurance companies is "If we can find someone speculating that it could have been a state actor, then it was an act of war and you're out of luck". That wouldn't necessarily stand up in court, but they have a lot more lawyers than you do.
Of course, not every way a government could harm you is an act of war, but insurance companies are in the business of selling you a contract that looks like it'll cover something, then finding a reason that it really doesn't. They find the vaguest language they can which can cover a lot of unexpected things, then include as many as they can without causing the signer to become suspicious. They got a lot of mileage from the "act of God" provision, despite it not meaning anything. They found lots of reasons why the pandemic didn't count, sometimes with reasons but mostly without them. They'll do it with this as well. If you get cyber insurance, be very careful what you sign before you rely on it.
The basic problem is that "best practice" (even according to ISO standards) turns out to be merely most common practice. Its absolute quality is generally assumed until (by very slow drift) experience tweaks it, but the update cycle is typically several years, whereas the adversary commonly operates on a weeks-to-months cycle. So the guidance on defence is always running behind an evolving threat.
The only way to correct this situation for any organisation is to define their own defence in depth using observation, research and rational thinking. Unfortunately, that can be a quite expensive continuous activity if it's going to work unless it's based on sound current intelligence and agility.
Consequently, insurance can be a contributor to defence, but paying increasing premiums as the threat landscape hots up may not be the best option, as the money is a throw away while no incident has occurred. It's quite likely you will have paid out in premiums a significant proportion of the insurance payout when an incident finally occurs.
There is an alternative though. Self insurance (investment in a fallback fund) can work well, not least because while not called upon it's attracting interest and therefore increasing in value.
I'm not sure how long that would last, because one company might find that large savings account to be too tempting. Oh no, looks like some employee machines got ransomware. Let's file a claim and see if we can't turn a profit from other people's funds. You'd need some kind of contract allowing the other participants to audit claims, and they might not want to hire the people needed to do it.
If a miscreant wanted to really stick it to a company - engineer the malware on a, say, Iranian (false flag) computer with the proper time zone, language, GPS, etc. I would bet now some companies might pay the ransom.
Insurance companies must not be allowed to cherry-pick events to avoid covering, say, a hack. In the U.S. some states have laws like that. Or else flood, earthquake, or fire insurance would not be sold. Sorry, those are the risks in the insurance industry.
On the one hand, I despise insurers who do whatever possible not to pay their customers by finding exclusions in the small print. They are legal extortionists.
On the other hand, if companies cannot rely on cyber insurance, they may be more inclined to strengthen their cybersecurity. If money has to be spent, let's spend it on resources to tackle the root problem rather than dealing with the consequences only.
== Bring us Dabbsy back! ==
Tiernan told the paper the move was a way of being "responsible to our customers and acting with the market," claiming: "Very often in the past, these sort of corrections or evolutions to policy language happen post-event... after everything has gone wrong."
With regard to cyber operations and/or network wars/remote virtually anonymous and practical autonomous ethereal and hearts and minds wars, that statement from Tiernan is Lloyd's declaring such insurance against those instances of novel postmodern day 0day attack which can easily have everything going wrong and badly and quicker than was ever before even imagined possible, are not viable and thus be a fraudulent and enterprising criminal product if ever on offer.
Their refusal to entertain that, even with willing customer payment of sky high premiums on untenable policies, is perfectly understandable as such would render the entire Lloyd's leadership battle group a Titanic body for the easiest of catastrophic sinkings.