
Big Companies Thought Insurance Covered a Cyberattack - tysone
https://www.nytimes.com/2019/04/15/technology/cyberinsurance-notpetya-attack.html
======
nimbius
It's pretty spectacular what major insurance does not cover in the digital
context.

For example, I work as an automotive engine mechanic for a small chain of
midwestern shops. Recently we had a Tesla owner drive in for servicing a
recalled suspension control arm. We were approved to do the work by Tesla and
had the parts shipped directly from California. Once the work was completed,
we informed the customer in the waiting room, who immediately took it upon
himself to "auto-pilot" the car out of the garage while it was still on the
lift.

The car happily obliged, and backed itself off a lift six and a half feet to
the ground in a pretty spectacular display. No one was hurt, thankfully;
however, our shop insurance refused coverage for our damaged lift, and the
Tesla owner's auto insurance refused coverage as well because he was
technically not driving the car at the time. The customer had to pay out of
pocket for repairing his car, as well as our lift.

~~~
user5994461
I'm not sure I understand: is there a feature to have your car drive itself
home at the press of a button, from the internet?

~~~
throwaway2016a
It lets you go forward and back. Only works if you are within Bluetooth range
and keep your finger on the button in the app. If you let go the car stops. It
will actually make minor turns to avoid hitting stuff. Though apparently not
going off cliffs.

Good for a party trick but in general I have yet to find a good real use case
for it.

Using it without being able to see your car is pure idiocy.

~~~
dsfyu404ed
>Good for a party trick but in general I have yet to find a good real use case
for it.

It's particularly hilarious when you and several buddies are watching the
meter maid try to put a ticket on it. It's probably occasionally useful for
adjusting a car in the driveway but yeah, it's 99% party trick.

It could theoretically be useful for attaching a trailer but most Tesla owners
aren't doing that and the collision detection system will probably go crazy
and prevent you from getting close enough to the trailer to actually couple it
to the car.

~~~
chris_mc
Yes, humiliating other people is hilarious...

~~~
dsfyu404ed
I assure you it wasn't nearly as big of an obstacle to the guy writing the
ticket as you think it would be. Humans are very good at improvising when a
new situation is thrown their way.

~~~
chris_mc
I assure you, bothering someone like this when they are trying to get through
their day is not hilarious to that person. Not only did your friend act like
an ass and park illegally or over the time limit, but they then risked
possibly running over a person's foot or something while fucking around.

------
krisrm
This is messy. On one hand, how are insurers supposed to properly cost and be
able to provide payouts for a "cyberattack", which might be anything from "our
company website was DDoSed for 30 minutes and we lost 50 customers" to "our
production lines were shut down and our company ground to a halt for two
weeks"?

On the other hand, if insurers know they can invoke a cyberwarfare clause and
deny a claim, even if the attack may not have been state sponsored, the
insurance is certainly worthless.

~~~
arcticbull
IMO this feels like the whole point of insurance. You could restate this as
"how are insurers supposed to cost and provide payouts for fires in the
factory? It could be anything from a tiny, contained garbage can fire to the
whole place going up in a blaze! [0]" Or chemicals in the case of TSMC [1]. Or
blackouts at Samsung [2]. Any of this could have been industrial espionage on
the same scale as a state-sponsored cyberattack. This is the domain of
actuaries.

Of course, they're neither required nor obligated to provide such cover.

[0] https://www.extremetech.com/computing/166775-ram-pricewatch-memory-spikes-in-wake-of-hynix-fire-but-for-how-long

[1] https://asia.nikkei.com/Business/Companies/TSMC-takes-550m-hit-from-defective-chemical-at-chip-plant

[2] https://www.anandtech.com/show/12535/power-outage-at-samsungs-fab-destroys-3-percent-of-global-nand-flash-output

~~~
ozim
Where I live you pay a premium, let's say $50 a month, and then you get, let's
say, $10000 of your damages covered. So that is what you get from the insurance
company, $10000, and the rest is yours to pay. They just look at the
probability, like "hey, this guy is storing fuel, fire insurance for someone
who stores fuel is $100 a month and we can pay only up to $20k".

So it is easy to calculate for insurance companies; they don't go over the
factory inventorying what you have in the factory.

It is your responsibility. (They only go after the fact to see what was
damaged, because that is what they care about.)

Of course you can pay some insurance expert to assess your assets and tell you
to buy more expensive or less expensive insurance, but there are no magic,
super-specific algorithms for "if 10 people die we pay $50k, if 20 people die
we pay $100k". All insurance pays up to some amount based on what your
monthly/yearly payment is.

------
burtonator
It might actually be a good thing in the long term as insurance companies may
require 3rd party audits and that you comply with basic security practices.

~~~
msla
It might well kill the use of open source and small-company software in
business, in that the developers/management behind said code can't pay
insurance companies to say that their code will pass audit. Microsoft and
Oracle will pass with flying colors, of course.

~~~
jabart
Doubt it, there are a lot of PCI Compliant businesses that get audited with
open source software in their systems. I'm sure they have a node_modules
somewhere on their build server.

When you have an attack that moves from your servers to your desktop
computers, you have a network issue, which would be covered in an audit to
verify you properly segment your network instead of having it in one large
broadcast domain.

------
gcbw2
Interestingly, this might be the solution for digital security.

Get a nanny state (Hello California) to force companies to have insurance for
cyberattacks.

Insurance companies will learn instantly how to do due diligence for real (as
opposed to for compliance certification) to decide whether they take clients or not.

Companies then, forced to have insurance, will have to implement minimal
safeguards to be accepted in the insurer policy requirements.

Problem solved.

~~~
j88439h84
If the business lost $100M as claimed, they may want to pay for cyber-attack
insurance without being required to do so.

------
tedmcory77
Wow, this is huge. If cyber insurance doesn't cover cyber attacks, then what
does it cover? Having seen the process for cyber insurance paying out for an
intrusion, I'd be super concerned if I were a CSO/Chief Risk Officer and
there's a chance the cyber insurance wouldn't cover you.

~~~
MiroF
Seems a very odd strategy for cyber-insurance companies to take... If I were a
large company insured by Zurich right now, I would definitely be reconsidering
giving them my money.

------
DevX101
There's massive room in the market for a security-first company that offers
insurance as a guarantee.

This company would essentially operate as the security team for clients and
put in contractually enforced policies and follow through on implementation.
If a client decides to not implement required security practices, then their
policy immediately gets dropped.

This is the only scalable way I'd see to implement real insurance against
cyber-attacks.

~~~
bitjson
Our startup is working on this problem, initially for the JavaScript
ecosystem. We're offering insurance against vulnerabilities in JavaScript
dependencies: [https://bitauth.com/](https://bitauth.com/)

We have open source developer tooling for signing and verifying signatures of
JavaScript packages, and we're offering security as a service, backed by up to
$1M in insurance coverage.

We’re still in beta, but we’d love feedback from HN!

------
DontGiveTwoFlux
Most insurers require customers to limit their risk in all kinds of ways.

I'm curious if there are cyber mitigations out there, such as mandatory
two-factor authentication, requiring up-to-date software and OSes, or other
measures. It seems like any insurance company would be highly interested in
forcing these best practices.

~~~
csours
You can do 1,000 things right, but one thing wrong may still sink you.

With cybersecurity, there is an active adversary. I'm not sure insurance ever
wants to take on that kind of risk. If they don't want that risk they
shouldn't sell insurance.

------
gibolt
If you are a large target many actors will be looking for your weaknesses. One
bad actor will eventually find it, or just trick your employees to give them
access.

Companies should make a solid effort to prevent the possibility, but I'm torn
on what ramifications should be.

~~~
burtonator
> One bad actor will eventually find it, or just trick your employees to give
> them access.

Or do what the Russians do and use kompromat.

~~~
Something1234
What is "kompromat"?

~~~
sk5t
It's leverage over an individual--whether that's secrets that might be
released, financial problems, or whatever.

------
Maven911
Similar to not relying on cyberinsurance when things go awry, the field as a
whole is in an interesting shape where on one hand there is a dearth of
skilled employees (1 million globally supposedly, according to reports), and
on the other hand there are companies that do not want to train IT workers with
the necessary cybersecurity skillsets to fill the gap, and in turn rely less
and less on the red herring of cyberinsurance. From talking to my colleagues
who are looking to break in, even after they take training/seminars, which can
be quite pricey, employers will tend to hire them for junior roles at best.

------
dontbenebby
Sounds like a big "out" is claiming an attack was an act of war. But very few
nations declare war nowadays. They have "police actions" or "peacekeeping
missions."

Maybe telling these companies "no war was declared, so you must pay out" would
be a good thing.

Insurance companies are powerful lobbyists both in the traditional K street
sense, and the soft power sense.

(For the soft power sense, picture a major insurance company telling a nation
state their state owned businesses can self insure moving forward, since the
business cannot handle the risks they generate.)

~~~
OldHand2018
> Maybe telling these companies "no war was declared, so you must pay out"
> would be a good thing.

That goes against centuries of precedent. The only difference now is that it
was "on the Internet".

------
rolph
How can an insurance company declare a state of cyberwar, or any other war in
general? I thought that was exclusively a government function.

By extension, could we deny coverage when a bunch of crackheads raid someone's
home, simply chalking it up to the war on drugs?

