posted by Fnord666 on Monday April 29 2019, @02:15PM
from the got-to-read-the-fine-print dept.

In Ukraine, a cyberattack can mean a freezing night without power. But in the United States, it often seems like just one more unavoidable hassle of modern life. People change a few passwords, maybe sign up for credit monitoring, and then go on with life. But for the organizations on the receiving end—Target, Equifax, the federal government’s Office of Personnel Management, just to name a few—a cyberattack can mean scrambling to get systems back on line, setting up response war rooms, and, of course, paying huge bills for missed orders or new equipment.

And US businesses may no longer be able to rely on insurance to cover their losses. In an era of unceasing cyberattacks, including cases of state-sponsored hacking, insurance companies are beginning to re-interpret an old line in their contracts known as the “war exclusion.” Stripping away the metaphorical connotation of the term “cyberwarfare,” big insurers like Zurich Insurance have decided that state-sponsored attacks are basically just plain warfare. This shift comes as the US government is increasingly attributing state-sponsored cyberattacks to their alleged perpetrators, a development that some argue is a means of holding bad actors accountable.

But the policy certainly doesn’t seem to be doing any favors to the private sector.

  • (Score: 2) by Snotnose on Monday April 29 2019, @02:31PM (20 children)

    by Snotnose (1623) on Monday April 29 2019, @02:31PM (#836261)

    The only thing that will stop these attacks is ensuring the affected company pays through the nose. Not just in direct losses, but huge fines that directly impact the bottom line. Then the executives will pay attention and spend the $$$ needed for decent security.

    Much as I'd like to say sending some CXXs to jail for attacks would help, all that would happen is some schmuck with no real control would end up taking the fall.

    --
    When the dust settled America realized it was saved by a porn star.
    • (Score: 5, Funny) by ikanreed on Monday April 29 2019, @03:03PM (1 child)

      by ikanreed (3164) Subscriber Badge on Monday April 29 2019, @03:03PM (#836271) Journal

      Even better is if, instead of making hotels put "no diving" signs around 4 foot deep wading pools, insurance companies made these shitty companies put "You'll be fucking robbed of everything you own if you sign up here" signs on their websites and rewards programs.

      • (Score: 3, Interesting) by JoeMerchant on Monday April 29 2019, @07:49PM

        by JoeMerchant (3937) on Monday April 29 2019, @07:49PM (#836374)

        The problem is: the internet takes you (and every moron who never left their home county) to far-flung unregulated places instantly. If "civilized" countries force these scare warnings on websites, it will only be the least dangerous (most regulated) of commerce websites that actually have them.

        --
        🌻🌻 [google.com]
    • (Score: 2) by Thexalon on Monday April 29 2019, @03:06PM (12 children)

      by Thexalon (636) on Monday April 29 2019, @03:06PM (#836272)

      No, I really don't think that's good.

      If there's insurance involved, then the cost of lousy security is paid every period in premiums. This forces management to see the risks and creates a financial incentive for addressing them.

      If there's no insurance involved, then the cost of lousy security is paid whenever the company rolls a 1 on the dice, and who knows when that will happen, so management will have every incentive to skimp on security to increase the short-term bottom line and then say there was nothing they could do and no way to predict a problem just because their own stupidity meant that they're trying to avoid a 1 on a d6 rather than a d100.

      The obvious response to insurance companies:
      1. If these are acts of war, who is the US at war with that's doing this? Somehow, I don't think it's the Taliban, the Houthis, or what's left of ISIL. If it's the Chinese or Russians, they're kind of the US frenemies, not straight-up opponents. Heck, Congress hasn't declared war on anybody in decades.
      2. *Prove* that it was those Evil Foreigners. You can't just say it to get out of paying your bill.
      Most of the victims of this policy are big companies with armies of lawyers, who get to fight it out with big insurance companies and their armies of lawyers. Have fun, you two.

      --
      The only thing that stops a bad guy with a compiler is a good guy with a compiler.
      • (Score: 2) by Runaway1956 on Monday April 29 2019, @03:43PM (7 children)

        by Runaway1956 (2926) Subscriber Badge on Monday April 29 2019, @03:43PM (#836280) Journal

        If there is insurance, then it is easy to pass the costs onto consumers.

        • (Score: -1, Troll) by Anonymous Coward on Monday April 29 2019, @04:53PM

          by Anonymous Coward on Monday April 29 2019, @04:53PM (#836298)

          Good thing we don't live in the Jewish Marxist era and are still in the capitalist era, where as I understand it, the curve of capitalist development that explains competition dwindling to a few locked-in, too big to fail oligarchies with no real competition, resulting in costs simply being passed on to customers (as opposed to innovation to reduce costs during early stage capitalism), followed by the rise of fascism, is just a fairy story that can't happen here.

        • (Score: 0) by Anonymous Coward on Monday April 29 2019, @06:01PM (3 children)

          by Anonymous Coward on Monday April 29 2019, @06:01PM (#836326)

          Good! That means they can be undercut and outcompeted by companies that actually have a clue what they're doing.

          • (Score: 4, Insightful) by deimtee on Tuesday April 30 2019, @12:55AM (2 children)

            by deimtee (3272) on Tuesday April 30 2019, @12:55AM (#836466) Journal

            That would only happen if the insurance companies could accurately judge the quality of the companies' security. Since they can't, they put up premiums across the board and everyone who pays for good security pays twice. It's sort of a tragedy of the commons effect. Unless you are certain enough of your security to forgo insurance, you may as well do the cheapest you can get away with and let the insurance company take the hit.

            --
            If you cough while drinking cheap red wine it really cleans out your sinuses.
            • (Score: 2) by Immerman on Tuesday April 30 2019, @01:47PM (1 child)

              by Immerman (3985) on Tuesday April 30 2019, @01:47PM (#836675)

              Really? I would think that a major insurance company easily has the budget to hire a few expert security people to periodically audit their customers' security practices to get a pretty good assessment of the actual risk.

              It's not like incompetent security is difficult for an expert on the inside to recognize.

              • (Score: 2) by deimtee on Tuesday April 30 2019, @11:06PM

                by deimtee (3272) on Tuesday April 30 2019, @11:06PM (#836941) Journal

                To: Mr CEO.
                From: Lowly Insurance Agent
                Re: Insurance for Information Systems.
                If we spend a lot of money hiring the best cyber security experts there are, we will be able to judge how good companies' security is, and then we will be able to reduce premiums for those with good security.

                ...

                To: Security
                From: CEO
                LIA is fired. Block him from all data access and escort him from the building immediately.

                --
                If you cough while drinking cheap red wine it really cleans out your sinuses.
        • (Score: 2) by Thexalon on Monday April 29 2019, @09:12PM (1 child)

          by Thexalon (636) on Monday April 29 2019, @09:12PM (#836398)

          > If there is insurance, then it is easy to pass the costs onto consumers.

          That's the status quo, though: Instead of the consumers paying the insurance costs, they pay the catastrophic costs when the company storing the data fouls up. About all they typically offer the consumers affected by a breach is some sort of limited-term identity protection insurance/monitoring, which just tells the bad guys to wait until the term is up before using that particular identity.

          At least with insurance, the risk is priced in, and companies can compete on reducing the risk and thus reducing the insurance premium they pass along to the consumers.

          --
          The only thing that stops a bad guy with a compiler is a good guy with a compiler.
          • (Score: 2) by Immerman on Tuesday April 30 2019, @01:49PM

            by Immerman (3985) on Tuesday April 30 2019, @01:49PM (#836677)

            > About all they typically offer the consumers affected by a breach is some sort of limited-term identity protection insurance/monitoring, which just tells the bad guys to wait until the term is up before using that particular identity.

            Indeed. Which suggests perhaps we should re-evaluate the level of liability that corporations are held to in such cases.

      • (Score: 2) by Pino P on Monday April 29 2019, @05:53PM

        by Pino P (4721) on Monday April 29 2019, @05:53PM (#836317) Journal

        > If these are acts of war, who is the US at war with that's doing this?

        For example, the United States, Great Britain, and Australia have jointly blamed WannaCry on the Democratic People's Republic of [North] Korea. And yes, there's proof that North Koreans were involved [zdnet.com].

        > Congress hasn't declared war on anybody in decades.

        A Congressional authorization for use of military force constitutes declaration of war. Some pundits distinguish AUMF bills that include "declaration of war" in the title from other AUMF bills that do not, but this is a distinction without a difference. Doe v. Bush, 323 F.3d 133 (1st Cir. 2003) [wikipedia.org].

      • (Score: 2) by sjames on Monday April 29 2019, @07:02PM (2 children)

        by sjames (2882) on Monday April 29 2019, @07:02PM (#836355) Journal

        Picture if you will, a battle scene from Braveheart, only they're all wearing suits and bashing each other over the head with legal briefs. And that's not blood, it's red ink.

    • (Score: 2) by richtopia on Monday April 29 2019, @03:39PM (1 child)

      by richtopia (3160) on Monday April 29 2019, @03:39PM (#836279) Homepage Journal

      It has to be a little column A, little column B. All insurance should be this way. The merchant needs to take appropriate steps to secure their systems; perhaps by following best practices and being audited they can have a reduction in their insurance premiums. But insurance should still exist to protect against catastrophic failure. If we are talking about state sponsored hackers here, they have the resources and expertize to compromise almost any system in the world.

      • (Score: 3, Insightful) by Dr Spin on Monday April 29 2019, @05:28PM

        by Dr Spin (5239) on Monday April 29 2019, @05:28PM (#836310)

        > they have the resources and expertize to compromise almost any system in the world.

        The fact that most passwords seem to begin "12345" means the level of expertise required is barely more than that required to actually spell "expertise".

        --
        Warning: Opening your mouth may invalidate your brain!
    • (Score: 1, Interesting) by Anonymous Coward on Monday April 29 2019, @06:58PM

      by Anonymous Coward on Monday April 29 2019, @06:58PM (#836351)

      > The only thing that will stop these attacks is ensuring the affected company pays through the nose.

      Maybe not. Many companies are run by type-A hyper-competitive thinkers who willingly gamble to get a short-term edge. Such gambling may include accepting the risk of bankruptcy.

    • (Score: 3, Informative) by JoeMerchant on Monday April 29 2019, @07:52PM

      by JoeMerchant (3937) on Monday April 29 2019, @07:52PM (#836375)

      > all that would happen is some schmuck with no real control would end up taking the fall.

      Why so cynic... oh [theverge.com].

      --
      🌻🌻 [google.com]
    • (Score: 0) by Anonymous Coward on Monday April 29 2019, @11:22PM

      by Anonymous Coward on Monday April 29 2019, @11:22PM (#836439)

      > Much as I'd like to say sending some CXXs to jail for attacks would help, all that would happen is some schmuck with no real control would end up taking the fall.

      I'm not so sure. Make it a legal requirement for any corporation to list their executives who are responsible and liable in the case of a data breach. All quarterly filings would be required to include this information.

      Carelessness, recklessness and negligence should be punished in corporate America. Jail the executives, fine them for all they're worth, and put their families on the streets.

  • (Score: 5, Informative) by JoeMerchant on Monday April 29 2019, @02:44PM

    by JoeMerchant (3937) on Monday April 29 2019, @02:44PM (#836265)

    Insurers Balk At Paying... full stop. Keeping premiums low and profits high, that's most of their job.

    Cyberattacks are new, different, weird, and the expenses attributed to them can be more wildly inflated than a pain and suffering claim. Of course they're going to push back.

    Look for specifically worded "cyber-riders" to start appearing, just like coastal flooding, windstorm, and anything else that has the potential to cost the industry tens of billions per event. Insurance isn't good at handling broad-scale simultaneous failure, it's much better at individual events like car crashes and simple traditional robberies.

    --
    🌻🌻 [google.com]
  • (Score: 4, Interesting) by All Your Lawn Are Belong To Us on Monday April 29 2019, @03:50PM (2 children)

    by All Your Lawn Are Belong To Us (6553) on Monday April 29 2019, @03:50PM (#836282) Journal

    There already are cyberattack damage riders to business interruption. I know, we pay for one and have for some years now. We made sure of its specifications such that this is not an issue.

    Anyone who buys business insurance should be made aware of this sort of thing, and if your broker hasn't run that down with you then you need a new broker. (Wouldn't it be nice if the broker could be sued for malpractice for not informing one of such things?)

    And since the article makes no reference to cyberattack riders as far as I can tell, that is a tell how accurate the Bulletin of Atomic Scientists is in discussing matters of business. (Not that I don't like them, I do, but maybe they should stick to things about Atomic Science???)

    --
    This sig for rent.
    • (Score: 1, Interesting) by Anonymous Coward on Monday April 29 2019, @07:00PM (1 child)

      by Anonymous Coward on Monday April 29 2019, @07:00PM (#836353)

      It's possible the contract is an older contract with a built-in stipulation to periodically renew as-is. Changing the terms of the contract may have cost them more.

      • (Score: 2) by All Your Lawn Are Belong To Us on Monday April 29 2019, @08:26PM

        by All Your Lawn Are Belong To Us (6553) on Monday April 29 2019, @08:26PM (#836384) Journal

        +1 Interesting. Yes, changing the terms of the contract always costs more. ;) The only thing that costs more than that is just blindly letting things just roll as they are without thought. :D

        We pay more to have that rider on our contract. That's why insurers went to the trouble of introducing those products - to segregate and minimize their own risks. That's what insurance does, and why each person and entity has to choose their coverage (including none at all if that's how one rolls).

        One also need not talk to a broker at renewals time but cut a check. If one is a small enough business (as others here pointed out to me on similar topics) one might not have the resources to add the coverage or obtain competent advice. On the other hand the broker makes their book by getting your business and so it is in the agent's interest to actually service your account and it makes sense for the business person to get that person's advice. I don't talk to our agents but I'm well aware that the people who do here make it a point every year to ask them what has changed and what the best plan is for the coming year - but we're likely just large enough to command that kind of attention for the asking. I think Target, Equifax, and OPM are a little bigger than us, though, and we know the score there, so.....

        --
        This sig for rent.
  • (Score: 3, Interesting) by Bot on Monday April 29 2019, @04:19PM

    by Bot (3902) on Monday April 29 2019, @04:19PM (#836291) Journal

    Corollary of "Insurers balk at paying."

    --
    Account abandoned.
  • (Score: 1, Interesting) by Anonymous Coward on Monday April 29 2019, @04:52PM

    by Anonymous Coward on Monday April 29 2019, @04:52PM (#836297)

    Reminds me of "If you think education is expensive, try ignorance!"

  • (Score: 0) by Anonymous Coward on Tuesday April 30 2019, @04:26AM

    by Anonymous Coward on Tuesday April 30 2019, @04:26AM (#836532)

    In Ukraine. In Ukraine they give you colored revolutions and murder people in the streets under the guidance of (((George Soros))).

    State-sponsored attacks are mostly carried out by the U.S and their lapdog U.K etc.

    They fight a one-sided war against non-nuclear armed nations without declaring war. And they can harm and destroy anyone's infrastructure with the click of a button.

    So insurance companies can and should wage war against special interest groups hiding locally among the sheep.

  • (Score: 2) by Nobuddy on Tuesday April 30 2019, @01:12PM

    by Nobuddy (1626) on Tuesday April 30 2019, @01:12PM (#836654)

    I work cybersecurity. These companies make calculated decisions based on net cost. If it costs $X to secure, and $Y to insure, if X>Y, then they do not secure. The cost of insurance is rising, and now insurance has started being picky. More companies will choose to secure instead of insure.

    The insurance should not be covering a lot of these big ones. The lack of security was blatant. I view them as a fire inspector would view gross negligence bordering on arson. They knew they were insecure and chose to do nothing about it.
