
Insurers balk at paying for some cyberattacks - pseudolus
https://thebulletin.org/2019/04/is-cyberwarfare-war-insurers-balk-at-paying-for-some-cyberattacks/
======
PakG1
I can't fathom insurance companies seriously and sincerely wanting to offer
insurance policies for infosec. I know they do. But it doesn't make sense to
me.

1. The attack surface for any organization is so hard to defend that
insurance companies would probably have to pay out a lot more than for other
types of insurance policies.

2. In an age that is increasingly tech and data-driven, the value of data
becomes larger and larger. Hence, the payout starts to get really expensive. I
find it difficult to imagine what kind of insurance premiums could be charged
to customers that are both affordable to the customer and also properly cover
the risk the insurer is taking on.

3. Insurance companies are going to have to become infosec experts in order
to properly assess the risk of their clients. Are they up for that? There's
such a shortage of infosec workers already, or am I being fed a load of crap
by HN? Where would they find capable infosec experts to do these assessments
before quoting the client for an insurance policy? War for talent isn't easy.

I think this would all end up making insurance policies extremely expensive
and unprofitable for the insurance firms. Yes, I hope that this makes
organizations more serious about infosec, but I honestly don't see that
happening so long as the average joe is not outraged whenever a service they
use gets breached.

~~~
NetBeck
Insurance also creates a moral hazard regarding proper cybersecurity. A
risk/reward analysis may arrive at the conclusion that upgrading
infrastructure and hiring/training staff will be more expensive than simply
paying more for insurance.

~~~
viraptor
That doesn't seem to make sense from the insurer's point of view. If your
infrastructure is in a state so bad, then the risk is much higher and they
would charge more. There would have to be either some kind of review before
signing the paperwork, or the rules would exclude negligence in basic ops.

Similar to how house insurance will ask if all entries have locks and the
structure is sound/secure. If they prove it was left open - you're not getting
your payout.

------
jw1224
I was tasked a couple of years ago with obtaining cyber insurance cover for my
previous employer. Their business was an in-house B2B web application, used by
hundreds of their staff, thousands of their customers, and hundreds of
thousands of their customers' clients.

I looked into 5 different insurers — these were all major, internationally-recognised
financial juggernauts — before abandoning the project entirely.

Every single insurer based their quotation and assessed our risk on some
variant of the following:
[https://i.imgur.com/3pB2LSa.png](https://i.imgur.com/3pB2LSa.png)

I had to go back to each one and ask them:

— How do they define a "record"?

— How do they define "transmitting" a record?

— How do they define "processing" a record?

— Which forms of "encryption-at-rest" do you consider acceptable?

— Which forms of "encryption-in-transit" do you consider acceptable?

— None of our data is "stored" on mobile devices, but it is "accessed" through
them — so what does this mean for mobile device encryption?

— None of our data is "stored" on portable storage media as standard, but
nothing would stop a user saving a screenshot to their USB stick — so what
does this mean for portable storage media encryption?

Not a single insurer had any clue what I was talking about.

~~~
rlpb
You might be interested in
[https://en.wikipedia.org/wiki/Contra_proferentem](https://en.wikipedia.org/wiki/Contra_proferentem)

If they drafted the contract and they are ambiguous, legal questions raised
later that fall into the ambiguity will generally be resolved in your favor.
As long as, for example, you use a generally accepted standard for
"encryption-at-rest", you should be fine, legally speaking.

(I am not a lawyer)

~~~
unmole
From the Wikipedia link you posted:

"The doctrine is not, however, directly applicable to situations where the
language at issue is mandated by law, as is often the case with insurance
contracts and bills of lading."

------
cubecul
The title is an interesting question, and I would recommend "How Everything
Became War and the Military Became Everything: Tales from the Pentagon" by
Rosa Brooks to dig into this question more.

The basic premise is that our simple "war vs. peacetime" framework no longer
works.

Is cyberwarfare war? Maybe, maybe not.

What about one-off drone killings? The US definitely doesn't consider that
war. But when you're at peace, killing someone like that is totally not OK.

What about US military involvement in building infrastructure in developing
nations? Probably depends on which country it is, and what "infrastructure"
means.

I just never really thought about this question much before, and I thought it
was a thought-provoking read (spoiler: no answers provided) if you haven't
thought about it either.

~~~
mc32
Like other aspects of war I think this also depends on variables.

Was it war when German Uboote sank our supply ships en route to the UK? Not for
a while. Was it war when Iran captured US navy seamen in the Arabian gulf?

Is it war when NoKo does the Sony hack? If they start shelling SoKo and they
also pull some “cyber” to use military lingo, then it’ll probably be war. In
the meantime it’s more like spying/sabotage (which can be part of war, but by
themselves aren’t).

~~~
rand84545
>Was it war when Iran captured US navy seamen in the Arabian gulf?

On January 12, 2016, two United States Navy riverine command boats were seized
by Iran's Islamic Revolutionary Guard Corps (IRGC) Navy after they __entered
Iranian territorial waters__ near Iran's Farsi Island in the Persian Gulf.

------
basetop
No. But it can be an "act of war". There is a difference between war and an act
of war.

An "act of war" or any casus belli doesn't necessarily lead to war. Economic
sanctions are "acts of war" but most do not lead to an actual war.

------
robterrin
The articles going around about insurers not paying cyber claims that cite
Mondelez are disingenuous. The Mondelez policy was a property & casualty (P&C)
policy with an extension for some data property, not a separate cyber
insurance policy. It's quite possible that insurers would balk at the claim
considering it an act of war, but they haven't done it yet. In my opinion,
this case is more about the wrong type of coverage. Mondelez should have
purchased a stand-alone policy.

------
lugg
Surprised it took this long.

Funnily enough it might be what gets the bigger players to wake up and do some
basic security.