Cyber Insurance is Not Cyber Protection
As TRINUS’s cyber security specialist, I often advise and assist clients filling out cyber insurance applications. To be blunt, when it comes to cyber insurance forms, they’re a mess. Some are reasonable and even intelligent. Others have interesting new perspectives and clauses. And still others seem to have been written by clowns or circus animals. They’re all over the place. Thankfully the overall standard for cyber insurance applications has rapidly improved.
The industry is highly motivated to get its act together. The reason? Money. The potential losses are staggering. Recently pharmaceutical giant Merck won its $1.4 billion USD lawsuit with its insurance provider. A serious ransomware attack struck approximately 40,000 of its computers, a digital disaster that took enormous time and effort to sort out.
Merck was hit with NotPetya, a strain of ransomware whose alleged creators are possibly tied to the Russian military. Merck’s insurers argued this justified denying the claim under a “War or Hostile Acts” clause of the policy. The court disagreed.
“Acts of God” and “Acts of War” are common clauses in insurance policies. The costs of large-scale tragedies are enormous, so it’s unsurprising that many insurers write an escape clause into their policies for such situations.
That said, the question remains: can a cyber attack constitute an “Act of War,” particularly when no bombs are going off, no bridges are being destroyed, and no neighbourhoods are being washed away by a mudslide?
The thing is, certain strains of malware have been reasonably demonstrated to be run by various state actors. While we’re not likely to experience a physical act of war in our daily lives, thanks to the global reach of the internet it really is possible to experience an act of war online.
Now, this whole affair isn’t just about an insurer trying to get out of paying out a claim with what we might first think to be a flimsy excuse; it’s also about how the contract was worded. Policy clauses the industry assumed were tight finally got tested in court and failed. You can bet good money both Merck’s insurers and others are already rewording war clauses in their own cyber insurance policies.
As for practical advice, I would recommend two things to any organization with a cyber insurance policy. First, take a good look at all of the exception clauses in your own contracts. Make sure you understand them, and not just because that’s important info you should know anyway (and it is). It also matters for the second recommendation: take a good look at your defenses and improve them, particularly in areas where you identified gaps and escape clauses in your policy. Insurance is not protection. It won’t defend you against an attack of any kind. Insurance is there to help you recover when something goes wrong. You’re supposed to do everything you can to avoid ever needing to use it.
Macbeth holds the quote for this week’s bit of Shakespeare: “Art thou afeard to be the same in thine own act and valour As thou art in desire?”
If you have any questions about cyber insurance, please reach out to your TRINUS Account Manager for some stress-free IT.
By Kind, Courtesy of Your Friendly Neighbourhood Cyber-Man.