back to article Unhappy about excluding nation-state attacks from cyberinsurance? Get ready to pay

Critics unhappy about insurers excluding certain nation-state attacks from cyber policies should consider the alternative: higher prices, according to Lloyd's of London. Based in the UK, Lloyd's is a marketplace of insurance buyers and sellers, rather than a company, and has 77 cyber risk insurers under its wing for which it …

  1. Richard 12 Silver badge

    Excluding them makes it worthless

    As it immediately means the vast majority of claims will not pay out.

    You can't have it both ways, Lloyds.

    1. Snake Silver badge

      Re: Excluding them makes it worthless

      I agree. If the product doesn't provide the support that you need or expect, stop buying / supporting the product.

      Let's see how far that gets Lloyds.

      1. Anonymous Coward

        Re: Excluding them makes it worthless

        And which insurance company are you going to switch to that will cover state hackers?

        Or are you just going to buy the equivalent of the Lloyds policy from someone else out of pique?

        Or are you just going to drop cyber insurance and self insure?

    2. Claptrap314 Silver badge

      Re: Excluding them makes it worthless

      If you were one of the ones (like me) who foolishly thought that insurance might be the white knight to fix the software industry, then it is YOU who are wanting it both ways, as demonstrated by your current complaint.

      Insurance has very rarely covered acts of war, and I'm surprised that cyber was covering it in the first place.

      In practice, this is going to gut the cyber insurance market, but it's not the insurance company's fault. As an industry, our posture is so shoddy that ANY determined actor can acquire the capability to wreak server havoc (heh). Which means that nation-states are going to completely p0wn any target that they really want.

      The problem is that our industry is simply too sloppy for insurance. The insurance companies are figuring this out, and the results are inevitable.

      1. Richard 12 Silver badge

        Re: Excluding them makes it worthless

        By the normal "acts of war" definition (state declared), the only cyber attacks that have ever been acts of war are the ones perpetrated by Russia upon Ukraine.

        Excluding state actors would also mean things like refusing to cover a police car crashing into your building, leaving it to you to recover the costs from the police without any assistance.

        On the other hand, perhaps killing off the entire ransomware insurance industry will take out the ransomware industry too.

        1. Alan Brown Silver badge

          Re: Excluding them makes it worthless

          " the only cyber attacks that have ever been acts of war are the ones perpetrated by Russia upon Ukraine."

          Russia's cyber attacks on satellite terminals knocked out supervisory and safety systems at almost all windfarms in Europe

          The TARGET might have been Ukraine, but the splash damage was widespread

          And yes the industry is hellaciously sloppy. Not only on security

        2. Claptrap314 Silver badge

          Re: Excluding them makes it worthless

          They've updated the Geneva Conventions on this point.

  2. VoiceOfTruth Silver badge

    The problem lies with the cyber world, not Lloyds

    In the IT world, cyber by extension, it has been shown that supposed "best practices" are not actually that good against a determined attacker. This is a different kettle of fish compared to measuring the tread on a set of tyres.

    How many of us have done the equivalent of a "#include" or "import" of whatever package or module, and NOT done ANY due diligence on it? The great mantra of the Linux world is "the community maintains/monitors it". The term "community" is a misnomer when it turns out one of two people are actually doing the maintaining. Then when a flaw comes along, e.g. log4j, some people jump up and down waving their fists and beating their chests that it was vulnerable and nobody noticed until now. Despite being used by huge numbers of people, none of them did the due diligence. None. I bet the same people could measure their tyre tread or even make a reasonably good guess that it's time for new tyres. The "problem" with software is that it is complicated, and to understand it takes time and money from people who are clever enough to understand it. The fact that open source software means the source is available does not mean it is being looked at by competent programmers. It's fair to say that it MAY be being looked at in some cases, and in far fewer cases it IS being actively looked at.

    The Lloyds register graded ships on build quality and materials used. They also inspected the ships to make sure the standards were not being fudged. We have no such equivalent in the IT world - it's an uncoordinated and endless list of best practices from different people and organisation which turn out to be actually not very good. We are at times barely ahead of the bad guys, and at other times we don't even know we've been compromised. Small companies are in general unable to find the right staff (meaning sufficiently competent) to ensure security, large companies regularly get compromised and come out with their "we take security very seriously" slogans.

    SolarWinds is the example of the fire station chief telling everyone to install fire detectors while its own station burned down. A company selling computer security products could not keep itself secure.

    Lloyds is right but for the wrong stated reasons. Computer security is in general a bad joke.

    1. ChoHag Silver badge

      Re: The problem lies with the cyber world, not Lloyds

      > How many of us have done the equivalent of a "#include" or "import" of whatever package or module, and NOT done ANY due diligence on it?


      You run your computers your way.

    2. An_Old_Dog Silver badge

      Re: The problem lies with the cyber world, not Lloyds

      "The Lloyds register graded ships on build quality and materials used ..."

      And, ideally, insurance companies would get their asses seriously into the computer security field and do the same sort of grading of software. Perhaps having Underwriters' Laboratories do this is appropriate (they may need to hire some(?) more(?) CompSec people). Application X or Website X uses dynamic loading of unvetted libraries and routines? Bad rating for that app or website.

      Software security ratings will in turn incentivize better practices by developers and the companies which hire them.

      "But that costs more money!". Yeah, and good door locks cost more than low-quality locks. If you " secure" your business with low-quality locks, you will pay more for insurance.

      Simply saying, "Ooh, nation-state attack, that's not covered" is simply Lloyds throwing up their hands and wanting to not seriously deal with computer security issues.

      1. gratou

        Re: The problem lies with the cyber world, not Lloyds

        Good luck finding someone ready to guarantee software quality. With their own money. It won't happen.

        1. ChoHag Silver badge

          Re: The problem lies with the cyber world, not Lloyds

          That's what insurance is for: to provide a guarentee using everybody else's money.

  3. Anonymous Coward
    Anonymous Coward

    Who's the hacker?

    How do you know if your hacker is a nation state? How would you prove that?

    Do they leave a calling card? "Regards, the North Korean government".

    If there is no proof left behind that shows it was a nation state, does that mean the insurance will pay out or are they going to argue the opposite?

    1. Anonymous Coward
      Anonymous Coward

      Re: Who's the hacker?

      Companies seem to like to say it's a "highly sophisticated state sponsored hack" probably because that sounds so much better than "some script kiddie hacked us".

      Now I wonder if they'll try to go the other way?

      Does the insurance pay out anyway if it's found that it could have been avoided?.

    2. doublelayer Silver badge

      Re: Who's the hacker?

      There are various people that study malware and attack methods to attempt to guess who did it. They're not always correct, but they're usually able to identify useful patterns and can often be trusted. I'm guessing the bar for the insurance companies is "If we can find someone speculating that it could have been a state actor, then it was an act of war and you're out of luck". That wouldn't necessarily stand up in court, but they have a lot more lawyers than you do.

      Of course, not every way a government could harm you is an act of war, but insurance companies are in the business of selling you a contract that looks like it'll cover something, then finding a reason that it really doesn't. They find the vaguest language they can which can cover a lot of unexpected things, then include as many as they can without causing the signer to become suspicious. They got a lot of mileage from the "act of God" provision, despite it not meaning anything. They found lots of reasons why the pandemic didn't count, sometimes with reasons but mostly without them. They'll do it with this as well. If you get cyber insurance, be very careful what you sign before you rely on it.

  4. Mike 137 Silver badge

    "it has been shown that supposed "best practices" are not actually that good..."

    The basic problem is that "best practice" (even according to ISO standards) turns out to be merely most common practice. Its absolute quality is generally assumed until (by very slow drift) experience tweaks it, but the update cycle is typically several years, whereas the adversary commonly operates on a weeks to months cycle.. So the guidance on defence is always running behind an evolving threat.

    The only way to correct this situation for any organisation is to define their own defence in depth using observation, research and rational thinking. Unfortunately, that can be a quite expensive continuous activity if it's going to work unless it's based on sound current intelligence and agility.

    Consequently, insurance can be a contributor to defence, but paying increasing premiums as the threat landscape hots up may not be the best option, as the money is a throw away while no incident has occurred. It's quite likely you will have paid out in premiums a significant proportion of the insurance payout when an incident finally occurs.

    There is an alternative though. Self insurance (investment in a fallback fund) can work well, not least because while not called upon it's attracting interest and therefore increasing in value.

    1. An_Old_Dog Silver badge


      ... and a group of companies who decided to self-insure could get together, pool their risks and funds, and become ... a co-operative insurance company..

      1. doublelayer Silver badge

        Re: Self-Insuring

        I'm not sure how long that would last, because one company might find that large savings account to be too tempting. Oh no, looks like some employee machines got ransomware. Let's file a claim and see if we can't turn a profit from other people's funds. You'd need some kind of contract allowing the other participants to audit claims, and they might not want to hire the people needed to do it.

  5. This post has been deleted by its author

  6. YetAnotherJoeBlow

    Cherry picking...

    If a miscreant wanted to really stick it to a company - Engineer the malware on a, say Iranian (false flag), computer with the proper time zone, language, GPS, etc. I would bet now some companies might pay the ransom.

    Insurance companies must not be allowed to cherry pick events to avoid covering say a hack. In the U.S. some states have laws like that. Or else floods, earthquakes, or fire insurance would not be sold. Sorry, those are the risks in the insurance industry.

  7. Potemkine! Silver badge

    In one hand, I despise insurers who do whatever possible not to pay their customers by finding exclusions in the small prints. They are legal extortionists.

    On the other hand, if companies cannot rely on cyberassurance, they may be more inclined to strengthen their cybersecurity. If money has to be spent, let's spend it on resources to tackle the root problem rather than dealing with the consequences only.

    == Bring us Dabbsy back! ==

  8. amanfromMars 1 Silver badge

    Caveat Emptor

    Tiernan told the paper the move was a way of being "responsible to our customers and acting with the market," claiming: "Very often in the past, these sort of corrections or evolutions to policy language happen post-event... after everything has gone wrong."

    With regard to cyber operations and/or network wars/remote virtually anonymous and practical autonomous ethereal and hearts and minds wars, that statement from Tiernan is Lloyd's declaring such insurance against those instances of novel postmodern day 0day attack which can easily have everything going wrong and badly and quicker than was ever before even imagined possible, are not viable and thus be a fraudulent and enterprising criminal product if ever on offer.

    Their refusal to entertain that, even with willing customer payment of sky high premiums on untenable policies, is perfectly understandable as such would render the entire Lloyd's leadership battle group a Titanic body for the easiest of catastrophic sinkings.

  9. Anonymous Coward
    Anonymous Coward

    Burden of proof

    How would you prove that your intrusion was not sponsored by a nation state? You have to identify your hacker and their sources of funding?

    1. S4qFBxkFFg

      Re: Burden of proof

      There are cases where the (insurer's) government specifically stated "This is / is not a war." and the insurers were obliged to go along with that. AFAIR, this is why the Malayan Emergency was not called (by Britain) the Malayan War.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like