In Ukraine, a cyberattack can mean a freezing night without power. But in the United States, it often seems like just one more unavoidable hassle of modern life. People change a few passwords, maybe sign up for credit monitoring, and then go on with life. But for the organizations on the receiving end—Target, Equifax, the federal government’s Office of Personnel Management, just to name a few—a cyberattack can mean scrambling to get systems back online, setting up response war rooms, and, of course, paying huge bills for missed orders or new equipment.
And US businesses may no longer be able to rely on insurance to cover their losses. In an era of unceasing cyberattacks, including cases of state-sponsored hacking, insurance companies are beginning to re-interpret an old line in their contracts known as the “war exclusion.” Stripping away the metaphorical connotation of the term “cyberwarfare,” big insurers like Zurich Insurance have decided that state-sponsored attacks are basically just plain warfare. This shift comes as the US government is increasingly attributing state-sponsored cyberattacks to their alleged perpetrators, a development that some argue is a means of holding bad actors accountable.
But the policy certainly doesn’t seem to be doing any favors to the private sector.
(Score: 2) by Snotnose on Monday April 29, @02:31PM (4 children)
The only thing that will stop these attacks is ensuring the affected company pays through the nose. Not just in direct losses, but huge fines that directly impact the bottom line. Then the executives will pay attention and spend the $$$ needed for decent security.
Much as I'd like to say sending some CXXs to jail for attacks would help, all that would happen is some schmuck with no real control would end up taking the fall.
(Score: 2) by ikanreed on Monday April 29, @03:03PM
Even better is if, instead of making hotels put "no diving" signs around 4 foot deep wading pools, insurance companies made these shitty companies put "You'll be fucking robbed of everything you own if you sign up here" signs on their websites and rewards programs.
(Score: 2) by Thexalon on Monday April 29, @03:06PM (1 child)
No, I really don't think that's good.
If there's insurance involved, then the cost of lousy security is paid every period in premiums. This forces management to see the risks and creates a financial incentive for addressing them.
If there's no insurance involved, then the cost of lousy security is paid whenever the company rolls a 1 on the dice, and who knows when that will happen, so management will have every incentive to skimp on security to increase the short-term bottom line and then say there was nothing they could do and no way to predict a problem just because their own stupidity meant that they're trying to avoid a 1 on a d6 rather than a d100.
The obvious response to insurance companies:
1. If these are acts of war, who is the US at war with that's doing this? Somehow, I don't think it's the Taliban, the Houthis, or what's left of ISIL. If it's the Chinese or Russians, they're kinda the US's frenemies, not straight-up opponents. Heck, Congress hasn't declared war on anybody in decades.
2. *Prove* that it was those Evil Foreigners. You can't just say it to get out of paying your bill.
Most of the victims of this policy are big companies with armies of lawyers, who get to fight it out with big insurance companies and their armies of lawyers. Have fun, you two.
(Score: 2) by Runaway1956 on Monday April 29, @03:43PM
If there is insurance, then it is easy to pass the costs onto consumers.
(Score: 2) by richtopia on Monday April 29, @03:39PM
It has to be a little column A, a little column B. All insurance should be this way. The merchant needs to take appropriate steps to secure their systems; perhaps by following best practices and being audited they can get a reduction in their insurance premiums. But insurance should still exist to protect against catastrophic failure. If we are talking about state-sponsored hackers here, they have the resources and expertise to compromise almost any system in the world.
(Score: 4, Informative) by JoeMerchant on Monday April 29, @02:44PM
Insurers Balk At Paying... full stop. Keeping premiums low and profits high, that's most of their job.
Cyberattacks are new, different, weird, and the expenses attributed to them can be more wildly inflated than a pain and suffering claim. Of course they're going to push back.
Look for specifically worded "cyber-riders" to start appearing, just like coastal flooding, windstorm, and anything else that has the potential to cost the industry tens of billions per event. Insurance isn't good at handling broad-scale simultaneous failure, it's much better at individual events like car crashes and simple traditional robberies.
(Score: 2) by All Your Lawn Are Belong To Us on Monday April 29, @03:50PM
There already are cyberattack damage riders to business interruption. I know, we pay for one and have for some years now. We made sure of its specifications such that this is not an issue.
Anyone who buys business insurance should be made aware of this sort of thing, and if your broker hasn't run that down with you then you need a new broker. (Wouldn't it be nice if the broker could be sued for malpractice for not informing one of such things?)
And since the article makes no reference to cyberattack riders as far as I can tell, that is a tell as to how accurate the Bulletin of the Atomic Scientists is in discussing matters of business. (Not that I don't like them, I do, but maybe they should stick to things about Atomic Science???)
