Insurance May Not Be the Answer to Cyber Risk Concerns

From the Blog

Buying a cyber insurance policy may be a norm for businesses, but having a clear sense of the specific assets you are trying to cover and what threats and vulnerabilities might lead to the loss is crucial to making sure that insurance covers everything you need.

Take, for example, the case of Mondelez, a Kraft subsidiary. The company, suffered extensive damage from 2017’s #NotPetya malware attack. (They are not the only ones.) The U.S. government attributed that attack to Russian government hackers aiming to take down the Ukrainian power grid but #NotPetya also disabled Mondelez’s inventory control system in the U.K. and caused the company tens of millions of dollars in damage. Its cyber insurer claimed that any damage caused by #NotPetya was exempted from coverage under the act of war clause in the policy. The case is now headed to a lengthy court battle to resolve whether cyber collateral damage of an attack by a nation state is an act of war.

Reach out to Foresight Resilience Strategies today to find out how our risk assessment service can help you learn more about your cyber risk and the multiple ways to manage it.

Mondelez might have wanted to take a closer look at its risk through an actuarial model like the Factor Analysis for Information Risk (FAIR) standard. With a financial model of potential losses provided by a FAIR assessment, Mondelez could have recognized the limitations of a cyber insurance policy and tried to take advantage of other ways of accepting, avoiding, mitigating, or exploiting the risk. The financial model provides, for example, a way of comparing the cost of developing a system for operating when the computerized inventory system goes down with the risk reduction generated by such a mitigation.

Photo from megawatts86 via Flickr

There are also narrower exceptions that can provide a way for an insurance company to avoid coverage for a cyber policyholder. In one recent example, The National Bank of Blacksburg suffered theft through its ATM network where the attackers removed security controls at ATM machines by stealing credentials through phishing and compromising the bank’s IT systems. The bank’s insurer, Everest National Insurance Company, claimed the ATM attacks were only covered under the part of the policy that dealt with ATM theft. That coverage had an aggregate liability limit of $250,000. The insurer claimed the computer and electronic crime (C&E) rider, which provided $8 million of coverage, did not apply. This case, too, could take years to resolve.

Finally, it is worth noting that sometimes the damage is not merely financial and an insurance policy cannot make you whole again. A two-doctor practice in Battle Creek, Michigan decided to close its doors at the end of April after a ransomware attack earlier this year encrypted its IT infrastructure — not only patient records but also financial and scheduling systems — so that the practice could not recover the information or determine a way to rebuild and continue functioning. An insurance payout might have been helpful to offset the financial pain but it would not have saved the practice.

There is no way to accurately predict the future, but there are better ways to prepare and avoid surprises. For companies that have data without which they can not generate their primary value proposition, there is a need to have a much better sense of what the impact of a cyber incident will be and how likely such an incident is:

  • Use a quantitative financial measurement to measure risk;
  • Develop a real sense of loss exposure and what coverages align with exposure;
  • Ensure the policy you seek will cover the assets, threats, and vulnerabilities already identified;
  • Decide whether to transfer, avoid, mitigate, or accept risk on a cost-effectiveness basis.

Foresight Resilience Strategies can help you develop a plan to take control of your cyber risk. Follow up with us to find out how our risk assessment service can help you learn more about your cyber risk and the multiple ways to manage it.

Adam Bobrow