
SoylentNews is people

posted by Fnord666 on Monday April 29 2019, @02:15PM
from the got-to-read-the-fine-print dept.

In Ukraine, a cyberattack can mean a freezing night without power. But in the United States, it often seems like just one more unavoidable hassle of modern life. People change a few passwords, maybe sign up for credit monitoring, and then go on with life. But for the organizations on the receiving end—Target, Equifax, the federal government’s Office of Personnel Management, just to name a few—a cyberattack can mean scrambling to get systems back on line, setting up response war rooms, and, of course, paying huge bills for missed orders or new equipment.

And US businesses may no longer be able to rely on insurance to cover their losses. In an era of unceasing cyberattacks, including cases of state-sponsored hacking, insurance companies are beginning to re-interpret an old line in their contracts known as the “war exclusion.” Stripping away the metaphorical connotation of the term “cyberwarfare,” big insurers like Zurich Insurance have decided that state-sponsored attacks are basically just plain warfare. This shift comes as the US government is increasingly attributing state-sponsored cyberattacks to their alleged perpetrators, a development that some argue is a means of holding bad actors accountable.

But the policy certainly doesn’t seem to be doing any favors to the private sector.


  • (Score: 2) by Thexalon on Monday April 29 2019, @03:06PM (12 children)

    by Thexalon (636) on Monday April 29 2019, @03:06PM (#836272)

    No, I really don't think that's good.

    If there's insurance involved, then the cost of lousy security is paid every period in premiums. This forces management to see the risks and creates a financial incentive for addressing them.

    If there's no insurance involved, then the cost of lousy security is paid whenever the company rolls a 1 on the dice, and who knows when that will happen, so management will have every incentive to skimp on security to increase the short-term bottom line and then say there was nothing they could do and no way to predict a problem just because their own stupidity meant that they're trying to avoid a 1 on a d6 rather than a d100.

    The obvious response to insurance companies:
    1. If these are acts of war, who is the US at war with that's doing this? Somehow, I don't think it's the Taliban, the Houthis, or what's left of ISIL. If it's the Chinese or Russians, they're kind of the US's frenemies, not straight-up opponents. Heck, Congress hasn't declared war on anybody in decades.
    2. *Prove* that it was those Evil Foreigners. You can't just say it to get out of paying your bill.
    Most of the victims of this policy are big companies with armies of lawyers, who get to fight it out with big insurance companies and their armies of lawyers. Have fun, you two.

    --
    The only thing that stops a bad guy with a compiler is a good guy with a compiler.
  • (Score: 2) by Runaway1956 on Monday April 29 2019, @03:43PM (7 children)

    by Runaway1956 (2926) Subscriber Badge on Monday April 29 2019, @03:43PM (#836280) Journal

    If there is insurance, then it is easy to pass the costs onto consumers.

    • (Score: -1, Troll) by Anonymous Coward on Monday April 29 2019, @04:53PM

      by Anonymous Coward on Monday April 29 2019, @04:53PM (#836298)

      Good thing we don't live in the Jewish Marxist era and are still in the capitalist era, where as I understand it, the curve of capitalist development that explains competition dwindling to a few locked-in, too big to fail oligarchies with no real competition, resulting in costs simply being passed on to customers (as opposed to innovation to reduce costs during early stage capitalism), followed by the rise of fascism, is just a fairy story that can't happen here.

    • (Score: 0) by Anonymous Coward on Monday April 29 2019, @06:01PM (3 children)

      by Anonymous Coward on Monday April 29 2019, @06:01PM (#836326)

      Good! That means they can be undercut and outcompeted by companies that actually have a clue what they're doing.

      • (Score: 4, Insightful) by deimtee on Tuesday April 30 2019, @12:55AM (2 children)

        by deimtee (3272) on Tuesday April 30 2019, @12:55AM (#836466) Journal

        That would only happen if the insurance companies could accurately judge the quality of the companies' security. Since they can't, they put up premiums across the board and everyone who pays for good security pays twice. It's sort of a tragedy of the commons effect. Unless you are certain enough of your security to forgo insurance, you may as well do the cheapest you can get away with and let the insurance company take the hit.

        --
        If you cough while drinking cheap red wine it really cleans out your sinuses.
        • (Score: 2) by Immerman on Tuesday April 30 2019, @01:47PM (1 child)

          by Immerman (3985) on Tuesday April 30 2019, @01:47PM (#836675)

          Really? I would think that a major insurance company easily has the budget to hire a few expert security people to periodically audit their customers' security practices to get a pretty good assessment of the actual risk.

          It's not like incompetent security is difficult for an expert on the inside to recognize.

          • (Score: 2) by deimtee on Tuesday April 30 2019, @11:06PM

            by deimtee (3272) on Tuesday April 30 2019, @11:06PM (#836941) Journal

            To: Mr CEO.
            From: Lowly Insurance Agent
            Re: Insurance for Information Systems.
            If we spend a lot of money hiring the best cyber security experts there are, we will be able to judge how good companies' security is, and then we will be able to reduce premiums for those with good security.

            ...

            To: Security
            From: CEO
            LIA is fired. Block him from all data access and escort him from the building immediately.

            --
            If you cough while drinking cheap red wine it really cleans out your sinuses.
    • (Score: 2) by Thexalon on Monday April 29 2019, @09:12PM (1 child)

      by Thexalon (636) on Monday April 29 2019, @09:12PM (#836398)

      > If there is insurance, then it is easy to pass the costs onto consumers.

      That's the status quo, though: Instead of the consumers paying the insurance costs, they pay the catastrophic costs when the company storing the data fouls up. About all they typically offer the consumers affected by a breach is some sort of limited-term identity protection insurance/monitoring, which just tells the bad guys to wait until the term is up before using that particular identity.

      At least with insurance, the risk is priced in, and companies can compete on reducing the risk and thus reducing the insurance premium they pass along to the consumers.

      --
      The only thing that stops a bad guy with a compiler is a good guy with a compiler.
      • (Score: 2) by Immerman on Tuesday April 30 2019, @01:49PM

        by Immerman (3985) on Tuesday April 30 2019, @01:49PM (#836677)

        > About all they typically offer the consumers affected by a breach is some sort of limited-term identity protection insurance/monitoring, which just tells the bad guys to wait until the term is up before using that particular identity.

        Indeed. Which suggests perhaps we should re-evaluate the level of liability that corporations are held to in such cases.

  • (Score: 2) by Pino P on Monday April 29 2019, @05:53PM

    by Pino P (4721) on Monday April 29 2019, @05:53PM (#836317) Journal

    > If these are acts of war, who is the US at war with that's doing this?

    For example, the United States, Great Britain, and Australia have jointly blamed WannaCry on the Democratic People's Republic of [North] Korea. And yes, there's proof that North Koreans were involved [zdnet.com].

    > Congress hasn't declared war on anybody in decades.

    A Congressional authorization for use of military force constitutes declaration of war. Some pundits distinguish AUMF bills that include "declaration of war" in the title from other AUMF bills that do not, but this is a distinction without a difference. Doe v. Bush, 323 F.3d 133 (1st Cir. 2003) [wikipedia.org].

  • (Score: 2) by sjames on Monday April 29 2019, @07:02PM (2 children)

    by sjames (2882) on Monday April 29 2019, @07:02PM (#836355) Journal

    Picture if you will, a battle scene from Braveheart, only they're all wearing suits and bashing each other over the head with legal briefs. And that's not blood, it's red ink.