Stories
Slash Boxes
Comments

SoylentNews is people

posted by martyb on Monday February 18 2019, @08:36AM   Printer-friendly
from the GIMO:-Garbage-in-Money-out dept.

Picked via cryptogram, with the original here

...with reliance on all things digital skyrocketing, cyber threats now pose grave, even existential, dangers to corporations as well as the entire digital economy. In response, companies have begun to develop a cyber insurance market, offering corporations a mechanism to manage their exposure to these risks. Yet the prospects for this market now seem uncertain in light of a major court battle. Mondelez International is reportedly suing Zurich Insurance in Illinois state court for refusing to pay its $100 million claim for damages caused by the 2017 NotPetya attack.

Mondelez's claim represents just a fraction of the billions of dollars in collateral damage caused by NotPetya, a destructive, indiscriminate cyberattack of unprecedented scale, widely suspected to have been launched by Russia with the aim of hurting Ukraine and its business partners... According to reports, Zurich apparently rejected Mondelez's claim on the grounds that NotPetya was an act of war and, therefore, excluded from coverage under its policy agreement. If the question of whether and how war risk exemptions apply is left to the courts to decide on a case-by-case basis, this creates a profound source of uncertainty for policyholders about the coverage they obtain.
...
Many hurdles stand in the way of insurance providing a more robust solution. Data on cyber risks are scarce, and the threat is evolving constantly, often rendering data obsolete before they can be used. That means actuaries lack a credible repository of information to accurately price cyber risk. Moreover, NotPetya and other attacks with cascading effects have reinforced fears of aggregation risk, meaning the potential for a single incident to cause simultaneous losses across multiple policyholders. If Zurich had underwritten even a handful of the major corporations disrupted by the attack, it could have faced catastrophic losses from just one incident. This is a particularly acute concern for reinsurers—companies that provide stop-loss coverage, or protection against unsustainably costly claims, to other insurers—making both reinsurers and primary cyber insurance providers naturally hesitant to support more extensive cyber underwriting. The lack of adequate reinsurance backing means that carriers may become overwhelmed with claims if a systemic cyber incident causes simultaneous losses across many policyholders.


Original Submission

 
This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 2) by Runaway1956 on Monday February 18 2019, @10:00AM (1 child)

    by Runaway1956 (2926) Subscriber Badge on Monday February 18 2019, @10:00AM (#802880) Homepage Journal

    You nailed it with "too risky to insure". My point is, if the insurance company wrote the policy, and accepted payment, then the insurance company needs to pay off. It's not OUR fault that some insurance company failed to assess the risks.

    --
    Our first six presidents were educated men. Then, along came a Democrat.
    Starting Score:    1  point
    Karma-Bonus Modifier   +1  

    Total Score:   2  
  • (Score: 5, Interesting) by canopic jug on Monday February 18 2019, @10:21AM

    by canopic jug (3949) Subscriber Badge on Monday February 18 2019, @10:21AM (#802890) Journal

    The answer is that they're not allowed to properly assess the risks when it comes to deployed software. Remember almost 20 years ago when this kind of insurance was just starting to rear its head? The premiums for M$ products were much higher than for the better designed software.

    That's what looks like happened here with NotPetya [wired.com]. What we see is probably an extension of that, the M$ products are in practice "too risky to insure" but no one, and certainly no corporation, is allowed to say that directly. Thus they try to get out of paying a different way. The whine we hear in response is that no system is absolutely secure. Of course they aren't. However, there is a world of difference in levels of vulnerability and repercussions from eventual compromises. The result, all those years ago, was that insurers were forced not to price against M$ products and to find other ways to weasel out of paying.

    --
    Money is not free speech. Elections should not be auctions.