Dr Mike Lloyd, CTO at RedSeal
How can you tell that cyber insurance is a hot topic today? When lawyers find the amounts of money involved worth fighting over. Major cases are emerging of serious disputes between multi-nationals and the companies they’ve taken out policies with to help mitigate their risk exposure. On the one hand, this is partly to be expected of such a nascent sector. Yet it may also be a sign of a deeper problem: a lack of visibility into which security controls and policies actually reduce risk and therefore need to be mandated as part of a policy. After all, in health care, we know precisely how bad smoking is, and this helps make the insurance market far more effective. We lack a quantified science of how much an organization will lose if they fail to follow any given security hygiene practice.
This is where digital resilience scores can help insurers draw up tighter contracts and reduce the chances of costly legal disputes down the line.
Insurance for everyone
A decade ago, most firms effectively self-insured against cybersecurity losses. The attitude was that online threats could be handled by setting aside a “rainy day fund” to deal with the fallout of a major incident. That approach is no longer sustainable at a time when the sheer volume and variety of cyber threats facing organizations has never been greater.
One vendor detected over 48 billion threats in 2018 alone and has been recording tens of billions of issues a year for several years now, an indication of how much hostile activity organizations now face. From BEC to phishing, credential stuffing to digital skimming, and IoT sabotage to ransomware, the black hats have a huge list of tools and techniques at their disposal, supported by a thriving underground economy.
The financial impact of such threats is growing rapidly. Not only must organizations fork out for remediation, clean-up and investigation of a successful attack, they could be hit by major new regulatory fines under legislation such as the GDPR. Then there’s the impact on corporate reputation which may also affect the bottom line: think tumbling share prices or customer attrition. Legal costs are also increasingly common as consumers band together to launch class action suits.
One report estimates the average cost of a data breach at nearly $3.9m, which easily reaches the level where boards want to know that they have appropriate insurance coverage. Last year, Lloyd's of London released a report estimating that a serious cyber attack on one of the top three global cloud providers could lead to outages costing US firms $19bn. Earlier this year another report claimed a global ransomware attack could cause losses of $200bn. It is this concern about correlated losses that really holds back insurers, and leaves companies scrambling to stack up dozens of insurance products to give themselves enough coverage.
A brave new world
In an era where no organization is safe, cyber insurance has therefore become hugely popular as a way to transfer risk. An analyst report from last year claimed three-quarters (76%) of global organizations have some form of insurance in place to cover cyber-related losses, although far fewer (around half) had “comprehensive” coverage.
Yet as insurance coverage increases, so do legal disputes. Back in January it emerged that confectionery giant Mondelez was suing Zurich Insurance for failing to pay out following the infamous NotPetya attack of June 2017, a destructive worm that posed as ransomware. The $100m lawsuit was launched after the insurer invoked an exclusion for any attacks resulting from “hostile or warlike action in time of peace or war.” Although governments including the UK and US have publicly attributed NotPetya to Russia, they have released no supporting evidence, which could make it difficult for Zurich to prove its case. War exclusions are commonplace but seldom invoked, because most industrial or commercial claims are not war related. They exist precisely because of the correlated nature of losses in wars: too many people all claim at once, because we all get bombed together. Is this an appropriate mechanism for cyber warfare? It is going to be interesting to see how this evolves.
Another major area of dispute in cyber insurance lies with exactly what should be required of companies before they can sign up to a policy and subsequently claim. It recently emerged that law firm DLA Piper is also in dispute with its insurer over a NotPetya-related payout, although this time not over any act of war exclusion. Interestingly, it has been reported that the firm was crippled globally by the worm because its network structure was too flat: NotPetya spread over SMB using exploits and harvested credentials, so once inside it could reach every host it could route to. Although the firm is now segmenting those networks, there is a case for arguing that its insurer should have made clear from the start that such a security failure would invalidate cover for this kind of attack. Perhaps it was made clear; we will no doubt find out in time.
Focus on resilience scoring
The problem for insurers is that they are used to underwriting physical things like houses or cars. Cyber risk is more nebulous and harder to define. Yet it is important that they do so, in order to produce more accurate, watertight policies with less risk of dispute in the future. With third-party risk scoring tools they can take a “virtual x-ray” of a client network to see how resilient it is to cyber-threats. They can then assess whether a company is ready to sign up to a specific policy and/or attach preconditions to it. In this way, a lack of adequate security processes and controls could increase premiums or invalidate a policy altogether. However, this only works if the risk measurement is really a view inside the organization, not just an outside view. Some insurers have turned to external scanning, but that shows only the internet-facing surface and nothing about internal segmentation or the paths an intruder could take once inside; it is like giving a doctor a selfie the patient took rather than an x-ray.
In the case of DLA Piper, the policy itself wasn’t even a specific cyber-insurance contract but something more general. A seemingly similar dispute between a Virginian bank and Everest Insurance hinges on whether the former was covered under a separate rider for computer crimes. This is another sign of the relative immaturity of the sector.
Both sides could do better: insurers should work towards reducing the ambiguity of small print policy details, using reliable third-party risk scoring to help them draw up better policies and conduct more effective due diligence. But companies also need to be more transparent about their cybersecurity posture, and realistic about how far coverage can reach. If a firm bolts its digital front door but then leaves all the windows open, it should be in no doubt that any policy claims will be invalidated.
Much of the current churn is only good news for the lawyers. But in time, the rulings from these disputes should provide more legal clarity over who is liable for what. All parties have a reason to want insurers to improve their assessment of cyber risk: it will make the underwriters more competitive and profitable, and force their clients to improve baseline security across the board.