BreachExchange mailing list archives

When hackers attack, is cyber-insurance enough?


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 28 Jan 2015 19:41:06 -0700

http://www.securityinfowatch.com/news/11818700/when-hackers-attack-is-cyber-insurance-enough

The November attack on Sony Pictures Entertainment drew around-the-clock
media attention, but far from Hollywood's studio lights is a growing legal
debate in the starchy insurance industry about whether most cyber-policies
cover such a breach.

The U.S. government blames North Korea for the attack on Sony. If true, the
data heist could be in a major gray area between cyber risk and terrorism.

Cyber insurance policies tend to have vague or ambiguous language regarding
acts of war or terrorism. A claim resulting from an attack by North Korea,
or a self-proclaimed Islamic caliphate, would likely result in a legal
battle over whether such a cyber risk is covered.

The first test cases have yet to make their way through the court system,
but there's little doubt they're coming soon.

In the insurance industry, the Sony case sounds an alarm about a new source
of risks to cybersecurity. Instead of criminals looking for credit card
numbers -- like the data breaches that cost tens of millions of dollars
last year for The Home Depot and Target Corp. -- terrorists and foreign
governments are hacking computer systems for ideological or political
motives.

The concept is new at a time when cyber coverage is still in its early
stages.

"This is like insuring aircraft in 1915 -- there's a lot more that we don't
than we do know at this point," said Robert Hartwig, an economist and
president of the Insurance Information Institute, an insurer-funded
research organization. "And I think part of this involves developing
expertise, developing databases that help us understand the nature of these
attacks."

Insurers have kept pace with the rapid changes in technological risks since
cyber insurance established critical mass in 2005, said Robert Parisi,
national cyber risk product leader for the insurance brokerage Marsh.

But they've proceeded cautiously.

The broad language some insurers use in excluding certain risks is likely
to lead to ambiguity that requires either arbitration or a legal fight. For
example, some policies have exclusions for an "act-of-war" or "warlike
activity."

"I could see where, at some point, that's where the coverage may start to
get stressed, but, at the moment, at least our position here is that war is
one nation declaring war legally and formally against another," Parisi
said. "Absent of that, we don't even begin to discuss the exclusion."

Some cases of cyberterrorism are a far cry from one nation formally
declaring war on another, but may still lead to a dispute about insurance
coverage.

"In recent years, we have seen attacks from hacktivist groups, such as
LulzSec and Anonymous, and it is believed that the U.S. Government has
classified these hacktivist groups as terrorist organizations," insurance
broker Christine Marciano and attorney Paul Ferrillo of Weil, Gotshal &
Manges LLP, wrote in November for the Harvard Law School Forum on Corporate
Governance and Financial Regulation.

"This can further complicate cyber insurance claims, which can be denied in
the event such hacktivist groups are classified as terrorist organizations,
and are identified as the cause of your company's cyber attack or data
breach," Marciano and Ferrillo wrote.

In a phone interview, Marciano said language in most policies is very vague
at this point. Some policies are clearly defined, but the definitions of a
terrorist or an act-of-war are likely to be challenged when a business
files a claim, she said.

Large businesses have the advantage of employing brokers, attorneys and
risk managers to negotiate insurance-policy terms and minimize gaps in
coverage. But small and mid-size businesses are more likely to buy
off-the-shelf coverage. And exclusions in those off-the-shelf policies for
damage caused by terrorism and war are a huge concern, Marciano said.

"Sony really rocked the boat with most cyber carriers not even thinking
about something like that," said Marciano, president of Cyber Data Risk
Managers, a brokerage specializing in cyber insurance in Princeton, N.J.

Evolving Cyber Policies

So, if cyber insurance doesn't necessarily cover damage caused by
terrorists, or acts of war, would terrorism insurance do the job?

The short answer is that terrorism-insurance policies aren't designed to
protect against the types of losses that would result from a cyber attack.

Terrorism policies are generally written to include property damage and
loss of life -- the type of damage caused by an explosion, or other
standard examples of terrorism, said Hartwig, president of the Insurance
Information Institute. Generally speaking, terrorism policies might also
cover workers' compensation; directors' and officers' liability; aviation;
marine.

Cyber policies were designed to match specific risks, which are outside the
scope of terrorism insurance.

Standard cyber policies could include coverage for customer-notification
expenses; credit monitoring and identity theft monitoring; privacy and
security liability; business interruption; cyber extortion; hacker damage
costs; privacy regulatory defense and penalties; computer forensics
investigation; and a privacy attorney, according to Marciano and Ferrillo.

If a cyberterrorism attack led to an explosion at a nuclear power plant,
that damage would be covered by terrorism insurance, Hartwig said. But many
other costs associated with a data breach or a cyber attack are not. To a
large degree, terrorism policies are governed by language in the Terrorism
Risk Insurance Act (TRIA), a federal government backstop for private
insurers. TRIA got a lot of attention recently because Congress allowed it
to expire Dec. 31 before reauthorizing it this month.

Damages resulting from a cyber attack, such as theft of intellectual
property, theft of confidential information, reputation risk, lawsuits, the
cost of fines and penalties, notification to customers after a breach --
all of it is far beyond the scope of TRIA, Hartwig said.

In lieu of coverage through terrorism insurance, a business that gets
hacked will have to hope the attack is covered as part of its cyber
insurance. If there is a dispute about whether the hack was caused by a
terrorist group, it's likely to result in a legal battle.

"We are seeing the claims come in on cyber policies now. ... We are seeing
the disputes arise," said Roberta Anderson, a partner attorney in the
Pittsburgh office of K&L Gates LLP. Anderson is a member of the law firm's
global insurance coverage practice group and a co-founder of its cyber law
and cybersecurity practice group.

"Now, it takes a while," she said. "Many of these policies, like other
policies, are subject to arbitration ... but many are not. It's still
relatively new, but certainly in the coming years we're going to start
seeing the disputes make their way through the courts."

Hartwig, of the insurance institute, said: "It would be preferential for it
to simply be worked out in the market with language worked out between
insurers and their clients, and brokers."

"The least desirable way is for it to be worked out in the courts," he
said, adding that the law tends to side with policyholders.

'Exposure Is Enormous'

Expensive, high-profile attacks in the past two years highlight the reason
businesses need some type of cyber coverage.

For example, The Home Depot Inc. estimated in September 2014 a total cost
of $62 million to investigate a data breach, provide credit monitoring
services to its customers, increase call-center staffing, and pay legal and
professional services. Home Depot expected $27 million to be covered by
insurance. In August 2014, Target Corp. said the company's expenses related
to a 2013 data breach totaled $148 million -- of which $38 million was
expected to be covered by insurance.

Cyber coverage has developed since early policies were available in 1999,
when businesses were concerned about widespread computer failures related
to the change from 1999 to 2000, dubbed Y2K or the Millennium Bug.
Stand-alone cyber coverage became more widespread about 10 years ago.

If a business had a general liability policy, it might have been enough to
protect the company against lawsuits stemming from a cyber attack in the
early 2000s. At some point in the relatively recent past, the frequency and
staggering costs associated with cyber attacks led to insurance companies'
specifically excluding cyber coverage, according to many in the insurance
industry.

In general, property-casualty insurance companies initially react to new
risks, like cyber attacks, by excluding them from standard
property-and-liability coverage, said Gerry Finley, senior vice president
of casualty underwriting and underwriting services for Munich Re America.

"And when that happens, that opens the door for very specific coverages to
be developed," Finley said. "You could actually go back all the way to the
environmental issues: pollution in the '80s, when it first emerged as a
risk that wasn't contemplated, to the extent that it emerged. Then you saw
exclusions being broadened, and that gave rise to a whole environmental
liability marketplace."

Cyber differs from pollution because of its prevalence -- almost everyone
has a computer, a tablet or a smartphone, he said. Additionally, the
economy has become so reliant on people staying connected through the
Internet.

"The extent of the exposure is enormous," he said.

Furthermore, cyber risk is different because of its complexity as
technology changes rapidly, which is a major challenge to company risk
managers who have the task of buying adequate insurance to protect a
business against all possible damages.

As in the early days of any insurance coverage, cyber policies and terms
are a mixed bag regarding what is covered and to what degree. Insurers
offer cyber coverage in different ways.

In the case of Sony Pictures Entertainment, the FBI insists North Korea was
responsible for the attack, but some cyber experts have disagreed. In the
Sony case, a group calling itself "Guardians of Peace" claimed
responsibility for destroying some Sony systems and stealing large
quantities of personal and commercial data. Guardians of Peace issued
threats against Sony, its employees, and theaters that distribute its
movies, according to the FBI.

Sony Pictures Entertainment did not respond to inquiries about its
insurance coverage, and whether it will cover lost revenue resulting from
extortion last month.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss