For those following the information security space, it can feel as if the past year was just a series of announcements with one corporate security breach after another. Breaches like Equifax, Marriot, and many more have entered the general consciousness after the personal details of hundreds of millions of customers have fallen into the hands of hackers.
Fear of being the next target has led many companies to seek out guarantees that will limit their losses if they are breached, leading to a new market of cyber insurance policies. Given the hype around the threat of hacks, fueled by more than a little marketing-led FUD, it is understandable that many would look for solutions that could keep them protected.
Cyber insurance: What is it good for?
Cyber insurance is supposed to help companies deal with the aftermath of a breach and hopefully be better protected for the future.
In practice, this means helping to cover costs from the response to the attack, everything from providing a team of security experts to minimize the damage and do forensics, to the public relations that will work to keep your company from being pilloried in the press.
Then there are the expenses that can quickly spin up from harm done stemming from the theft of user data or the losses from machines rendered unusable and revenues decimated from downtime.
After all, a hack can be very expensive to clean up afterward. Just ask Maersk and FedEx after the NotPetya malware attacks in 2017, but more on that later.
Are you covered?
Unfortunately, it would seem that cyber insurance may not be the straightforward and comprehensive solution that companies may think it to be, and there are significant challenges that need to be considered before signing off on a policy.
For starters, there frankly is not yet enough data out there on the real costs involved in a data breach to help actuaries properly price their products. This is not only a problem for the insurers, who can find themselves pantsless in the event of an attack that hits multiple large enterprises and causes damages like we saw when NotPetya ran roughshod through global networks.
Insurers are backed by underwriters for their policies, who themselves may not know how to write policies that they can uphold. There are estimates that NotPetya ran up some $10 billion in damages, and it is unlikely that the insurance industry is truly prepared to pay out the true costs of a wider-reaching attack. Real preparation will require that they properly ascertain costs and charge clients realistic costs, even if they are significantly higher.
The next hurdle is that unlike other forms of risk for which companies can take standard practices to mitigate risk, thus hopefully reducing their premiums, information security best practices are still far from uniform across the globe. This is an important issue as a breach can occur on an outdated endpoint at some backwater branch of a multinational corporation and then quickly make its way to headquarters in New York, taking the entire entity offline.
Despite years of warnings, office staffs are still enabling macros on Word documents, making phishing attacks a continuing threat that can give hackers an easy point of entry onto a network. Perhaps if cyber insurers begin to offer incentives to organizations that educate their teams about better security hygiene and run regular red teaming to keep staff on their toes, then we may yet see a valuable improvement in preparedness across a wider range of companies.
Is this the way the cookie crumbles?
A recent example of cyber insurance falling short of expectations has been the recent story of food distribution giant Mondelez who announced in January that they are using the Zurich Insurance Group to the tune of $100 million over damages that they sustained during NotPetya. Their claim is that 1,700 servers and over 24,000 laptops were permanently damaged when the ransomware malware hit their network. The suit comes after Zurich rejected their claim for damages, citing the exclusionary clause for acts of war.
While it has been argued that Mondelez’s policy with Zurich was not specifically for cyber insurance, it has been reported that they should have been covered for “physical loss or damage to electronic data, programs, or software” as well as “the malicious introduction of a machine code or instruction.”
As such, it would seem somewhat absurd for the insurer to try and get out of making the payment, especially as it falls on them to prove attribution to the Russian government.
In the past, companies may have had an incentive to say that they were the victim of a state actor, perhaps as a way to inflate their own importance or make excuses for how attackers were able to break through their defenses. Now, they may actually have a reason to claim that it was criminal elements who are behind a breach if it means an easier path to receiving their payout from insurers.
Is cyber insurance worthy of the hype?
While every company needs to independently assess their own levels of risk, the short answer is probably not. Even as we can leave this case up to the courts to decide, it should give companies some pause before jumping on a cyber insurance package.
If Zurich wins, we will likely feel the ripples throughout this space as plenty of companies reexamine their investment in buying cyber insurance in favor of tools that may help them prevent the breach in the first place.
Clearly what is needed moving forward will be some combination of the two approaches, implementing tools and practices to prevent breaches and find threats within your network, followed up by measures like insurance that will make the aftermath less painful if an attack is successful.
For now, companies with policies should review their terms to gain a clear understanding of what exactly they have protection against and understand if their coverage is sufficient for their threat models. At the same time, they need to avoid rushing into buying expensive policies out of fear.