SoylentNews is people

posted by Fnord666 on Monday April 29 2019, @02:15PM
from the got-to-read-the-fine-print dept.

In Ukraine, a cyberattack can mean a freezing night without power. But in the United States, it often seems like just one more unavoidable hassle of modern life. People change a few passwords, maybe sign up for credit monitoring, and then go on with life. But for the organizations on the receiving end—Target, Equifax, the federal government’s Office of Personnel Management, just to name a few—a cyberattack can mean scrambling to get systems back on line, setting up response war rooms, and, of course, paying huge bills for missed orders or new equipment.

And US businesses may no longer be able to rely on insurance to cover their losses. In an era of unceasing cyberattacks, including cases of state-sponsored hacking, insurance companies are beginning to re-interpret an old line in their contracts known as the “war exclusion.” Stripping away the metaphorical connotation of the term “cyberwarfare,” big insurers like Zurich Insurance have decided that state-sponsored attacks are basically just plain warfare. This shift comes as the US government is increasingly attributing state-sponsored cyberattacks to their alleged perpetrators, a development that some argue is a means of holding bad actors accountable.

But the policy certainly doesn’t seem to be doing any favors to the private sector.


  • (Score: 2) by Snotnose on Monday April 29 2019, @02:31PM (20 children)

    by Snotnose (1623) on Monday April 29 2019, @02:31PM (#836261)

    The only thing that will stop these attacks is ensuring the affected company pays through the nose. Not just in direct losses, but huge fines that directly impact the bottom line. Then the executives will pay attention and spend the $$$ needed for decent security.

    Much as I'd like to say sending some CXXs to jail for attacks would help, all that would happen is some schmuck with no real control would end up taking the fall.

    --
    When the dust settled America realized it was saved by a porn star.
  • (Score: 5, Funny) by ikanreed on Monday April 29 2019, @03:03PM (1 child)

    by ikanreed (3164) Subscriber Badge on Monday April 29 2019, @03:03PM (#836271) Journal

    Even better is if, instead of making hotels put "no diving" signs around 4 foot deep wading pools, insurance companies made these shitty companies put "You'll be fucking robbed of everything you own if you sign up here" signs on their websites and rewards programs.

    • (Score: 3, Interesting) by JoeMerchant on Monday April 29 2019, @07:49PM

      by JoeMerchant (3937) on Monday April 29 2019, @07:49PM (#836374)

      The problem is: the internet takes you (and every moron who never left their home county) to far-flung unregulated places instantly. If "civilized" countries force these scare warnings on websites, it will only be the least dangerous (most regulated) of commerce websites that actually have them.

      --
      🌻🌻 [google.com]
  • (Score: 2) by Thexalon on Monday April 29 2019, @03:06PM (12 children)

    by Thexalon (636) on Monday April 29 2019, @03:06PM (#836272)

    No, I really don't think that's good.

    If there's insurance involved, then the cost of lousy security is paid every period in premiums. This forces management to see the risks and creates a financial incentive for addressing them.

    If there's no insurance involved, then the cost of lousy security is paid whenever the company rolls a 1 on the dice, and who knows when that will happen, so management will have every incentive to skimp on security to increase the short-term bottom line and then say there was nothing they could do and no way to predict a problem just because their own stupidity meant that they're trying to avoid a 1 on a d6 rather than a d100.

    The obvious response to insurance companies:
    1. If these are acts of war, who is the US at war with that's doing this? Somehow, I don't think it's the Taliban, the Houthis, or what's left of ISIL. If it's the Chinese or Russians, they're kind of the US's frenemies, not straight-up opponents. Heck, Congress hasn't declared war on anybody in decades.
    2. *Prove* that it was those Evil Foreigners. You can't just say it to get out of paying your bill.
    Most of the victims of this policy are big companies with armies of lawyers, who get to fight it out with big insurance companies and their armies of lawyers. Have fun, you two.

    --
    The only thing that stops a bad guy with a compiler is a good guy with a compiler.
    • (Score: 2) by Runaway1956 on Monday April 29 2019, @03:43PM (7 children)

      by Runaway1956 (2926) Subscriber Badge on Monday April 29 2019, @03:43PM (#836280) Journal

      If there is insurance, then it is easy to pass the costs onto consumers.

      • (Score: -1, Troll) by Anonymous Coward on Monday April 29 2019, @04:53PM

        by Anonymous Coward on Monday April 29 2019, @04:53PM (#836298)

        Good thing we don't live in the Jewish Marxist era and are still in the capitalist era, where as I understand it, the curve of capitalist development that explains competition dwindling to a few locked-in, too big to fail oligarchies with no real competition, resulting in costs simply being passed on to customers (as opposed to innovation to reduce costs during early stage capitalism), followed by the rise of fascism, is just a fairy story that can't happen here.

      • (Score: 0) by Anonymous Coward on Monday April 29 2019, @06:01PM (3 children)

        by Anonymous Coward on Monday April 29 2019, @06:01PM (#836326)

        Good! That means they can be undercut and outcompeted by companies that actually have a clue what they're doing.

        • (Score: 4, Insightful) by deimtee on Tuesday April 30 2019, @12:55AM (2 children)

          by deimtee (3272) on Tuesday April 30 2019, @12:55AM (#836466) Journal

          That would only happen if the insurance companies could accurately judge the quality of the companies' security. Since they can't, they put up premiums across the board and everyone who pays for good security pays twice. It's sort of a tragedy of the commons effect. Unless you are certain enough of your security to forgo insurance, you may as well do the cheapest you can get away with and let the insurance company take the hit.

          --
          If you cough while drinking cheap red wine it really cleans out your sinuses.
          • (Score: 2) by Immerman on Tuesday April 30 2019, @01:47PM (1 child)

            by Immerman (3985) on Tuesday April 30 2019, @01:47PM (#836675)

            Really? I would think that a major insurance company easily has the budget to hire a few expert security people to periodically audit their customers' security practices to get a pretty good assessment of the actual risk.

            It's not like incompetent security is difficult for an expert on the inside to recognize.

            • (Score: 2) by deimtee on Tuesday April 30 2019, @11:06PM

              by deimtee (3272) on Tuesday April 30 2019, @11:06PM (#836941) Journal

              To: Mr CEO.
              From: Lowly Insurance Agent
              Re: Insurance for Information Systems.
              If we spend a lot of money hiring the best cyber security experts there are, we will be able to judge how good companies' security is, and then we will be able to reduce premiums for those with good security.

              ...

              To: Security
              From CEO
              LIA is fired. Block him from all data access and escort him from the building immediately.

              --
              If you cough while drinking cheap red wine it really cleans out your sinuses.
      • (Score: 2) by Thexalon on Monday April 29 2019, @09:12PM (1 child)

        by Thexalon (636) on Monday April 29 2019, @09:12PM (#836398)

        > If there is insurance, then it is easy to pass the costs onto consumers.

        That's the status quo, though: Instead of the consumers paying the insurance costs, they pay the catastrophic costs when the company storing the data fouls up. About all they typically offer the consumers affected by a breach is some sort of limited-term identity protection insurance/monitoring, which just tells the bad guys to wait until the term is up before using that particular identity.

        At least with insurance, the risk is priced in, and companies can compete on reducing the risk and thus reducing the insurance premium they pass along to the consumers.

        --
        The only thing that stops a bad guy with a compiler is a good guy with a compiler.
        • (Score: 2) by Immerman on Tuesday April 30 2019, @01:49PM

          by Immerman (3985) on Tuesday April 30 2019, @01:49PM (#836677)

          > About all they typically offer the consumers affected by a breach is some sort of limited-term identity protection insurance/monitoring, which just tells the bad guys to wait until the term is up before using that particular identity.

          Indeed. Which suggests perhaps we should re-evaluate the level of liability that corporations are held to in such cases.

    • (Score: 2) by Pino P on Monday April 29 2019, @05:53PM

      by Pino P (4721) on Monday April 29 2019, @05:53PM (#836317) Journal

      > If these are acts of war, who is the US at war with that's doing this?

      For example, the United States, Great Britain, and Australia have jointly blamed WannaCry on the Democratic People's Republic of [North] Korea. And yes, there's proof that North Koreans were involved [zdnet.com].

      > Congress hasn't declared war on anybody in decades.

      A Congressional authorization for use of military force constitutes a declaration of war. Some pundits distinguish AUMF bills that include "declaration of war" in the title from other AUMF bills that do not, but this is a distinction without a difference. Doe v. Bush, 323 F.3d 133 (1st Cir. 2003) [wikipedia.org].

    • (Score: 2) by sjames on Monday April 29 2019, @07:02PM (2 children)

      by sjames (2882) on Monday April 29 2019, @07:02PM (#836355) Journal

      Picture if you will, a battle scene from Braveheart, only they're all wearing suits and bashing each other over the head with legal briefs. And that's not blood, it's red ink.

  • (Score: 2) by richtopia on Monday April 29 2019, @03:39PM (1 child)

    by richtopia (3160) on Monday April 29 2019, @03:39PM (#836279) Homepage Journal

    It has to be a little column A, little column B. All insurance should be this way. The merchant needs to take appropriate steps to secure their systems; perhaps by following best practices and being audited they can have a reduction in their insurance premiums. But insurance should still exist to protect against catastrophic failure. If we are talking about state sponsored hackers here, they have the resources and expertize to compromise almost any system in the world.

    • (Score: 3, Insightful) by Dr Spin on Monday April 29 2019, @05:28PM

      by Dr Spin (5239) on Monday April 29 2019, @05:28PM (#836310)

      > they have the resources and expertize to compromise almost any system in the world.

      The fact that most passwords seem to begin "12345" means the level of expertise required is barely more than that required to actually spell "expertise".

      --
      Warning: Opening your mouth may invalidate your brain!
  • (Score: 1, Interesting) by Anonymous Coward on Monday April 29 2019, @06:58PM

    by Anonymous Coward on Monday April 29 2019, @06:58PM (#836351)

    > The only thing that will stop these attacks is ensuring the affected company pays through the nose.

    Maybe not. Many companies are run by type-A hyper-competitive thinkers who willingly gamble to get a short-term edge. Such gambling may include accepting the risk of bankruptcy.

  • (Score: 3, Informative) by JoeMerchant on Monday April 29 2019, @07:52PM

    by JoeMerchant (3937) on Monday April 29 2019, @07:52PM (#836375)

    > all that would happen is some schmuck with no real control would end up taking the fall.

    Why so cynic... oh [theverge.com].

    --
    🌻🌻 [google.com]
  • (Score: 0) by Anonymous Coward on Monday April 29 2019, @11:22PM

    by Anonymous Coward on Monday April 29 2019, @11:22PM (#836439)

    > Much as I'd like to say sending some CXXs to jail for attacks would help, all that would happen is some schmuck with no real control would end up taking the fall.

    I'm not so sure. Make it a legal requirement for any corporation to list their executives who are responsible and liable in the case of a data breach. All quarterly filings would be required to include this information.

    Carelessness, recklessness and negligence should be punished in corporate America. Jail the executives, fine them for all they're worth, and put their families on the streets.