With the lines increasingly blurred between whether a cyber attack is “state sponsored” or just a malicious group of individuals, we’re likely going to see more denials of claims.
I recently wrote about how the U.S. Government was warning critical infrastructure organizations against Russian State-Sponsored attacks. I’ve also covered how Ukraine is under cyberattack by a cybercriminal group thought to be sponsored by the Russian government. Whether a cyberattack is a clear-cut case of a foreign government meddling in our affairs, or includes some “dotted lines” between attacker and government backer, cyber insurers may leverage this as a means to not pay an insurance claim.
That’s not to say they’re bad people at the insurance company; it’s just that their policies usually include verbiage that excludes from coverage any “hostile or warlike action from any nation-state or their agency.” And if your organization agrees to the policy, you’re agreeing that should a nation-state be behind an attack, your cyber insurance policy isn’t worth the proverbial paper it’s (not actually) printed on.
We saw this play out in the courts with NotPetya – insurer Zurich would cover the $100 million claim by Mondelez, and insurer Hiscox wouldn’t cover DLA Piper’s claim in the millions. This blog post links to a WSJ article on the current court cases related to this.
I believe the place for cyber insurance is very specific cyberattack scenarios – ones where your organization has carefully identified a gap in its strategy and the insurance policy serves as a compensating control of last resort.
One such gap I commonly see is securing the user. You have the perimeter, email systems, endpoints, the network, and more all protected with security solutions. And yet phishing emails still make their way to the Inbox.
You need to include the user – via Security Awareness Training – in your security stance. Just like you can spot a fake email a mile away, users that undergo continual training learn to do the same, helping to reduce the threat surface – and, therefore, the likelihood that an attack will be successful.