Big Companies Thought Insurance Covered a Cyberattack (nytimes.com)
102 points by tysone 3 days ago | 88 comments

It's pretty spectacular what major insurance does not cover in the digital context.

For example, I work as an automotive engine mechanic for a small chain of midwestern shops. Recently we had a Tesla owner drive in for servicing a recalled suspension control arm. We were approved to do the work by Tesla and had the parts shipped directly from California. Once the work was completed, we informed the customer in the waiting room, who immediately took it upon himself to "auto-pilot" the car out of the garage while it was still on the lift.

The car happily obliged, and backed itself off a lift six and a half feet to the ground in a pretty spectacular display. No one was hurt, thankfully; however, our shop insurance refused coverage for our damaged lift, and the Tesla owner's auto insurance refused coverage as well because he was technically not driving the car at the time. The customer had to pay out of pocket for repairing his car, as well as our lift.


> The customer had to pay out of pocket for repairing his car, as well as our lift.

Given the level of dangerous stupidity they displayed, that seems like a decent enough outcome.


> Given the level of dangerous stupidity they displayed

Wouldn't that apply to most car accidents on the road? Stupid decisions by at least one party leading to someone's insurance paying the bills?


This is why the first thing Tesla service does is disable mobile access while the car's in the shop.

I have a tough time believing this.

1. You're telling me you had a vehicle up on a lift, by its wheels, and there were no chocks or gates to stop the vehicle from rolling?

2. I'm assuming you're saying the customer used "Summon" to remotely move the car.

a. Summon will immediately stop the car if it detects even the slightest bump.

b. Summon will immediately stop the car if it detects the wheels are off the ground, which is relevant because:

c. Summon moves the vehicle at like 3 mph, so even if the vehicle was AWD, since most of the weight (which is distributed throughout the vehicle) is still over the lift, there is definitely not enough momentum to push it off the lift.

d. I am fairly doubtful the auto insurance would not cover this, especially if the guy had comprehensive insurance.


Chocks are there to stop a vehicle from accidentally rolling or being pushed away. They aren't designed to stop an electric vehicle (that has tons of low-rpm torque) from being purposefully driven off.

Like I said, Summon will immediately stop the car if it detects even the slightest bump.

Tesla's Summon mode has very low torque limits; it will barely make it up a slightly slanted driveway.

Me too. Doesn't make any sense.

Auto-pilot requires the driver to be in the vehicle. I'm guessing this was the Summon feature activated from their app? What a complete waste.

If this is what happened, it's not that stupid on the part of the customer. Or perhaps better phrased, it's within the realm of what I would expect some users to do given this feature.

Tesla should have accounted for this.


It's still _extremely stupid_ on the part of the customer (if it really happened). No smart person would begin Summon if they can't even see the car. And if they _could_ see the car _on the lift_ and still began Summon, then they're the dumbest person in the world.

That feature (Advanced Summon) isn't even out yet. Only a tiny fraction of beta testers have it, so it's unlikely that this idiot has the feature.

Secondly, Tesla specifically states that you must have the car in line of sight before you enable Summon (which only goes straight forward and backward by 25 feet), so this guy is absolutely a complete moron for doing that.


> Secondly, Tesla specifically states that you must have the car in line of sight before you enable Summon

Just how explicitly is this instruction presented? For better or worse, I don't think you can expect users to read everything presented to them. (Partly because we bombard them with cookie notices, ads, and other crap)


You don't need to read anything to know you don't tell your car to move by itself if you can't see it, with current Summon. With the new Advanced Summon, you would not need to see the vehicle because it would have more protections in place. But you still wouldn't Advanced Summon the car if you don't even know where it is (e.g. still on the lift or not)...unless you're a moron.

It's not an instruction, it's a software limitation. If you aren't close enough to the car, Summon doesn't work. I think it's basically Bluetooth range.

Enhanced summon is a different story, though that feature basically no one has yet.


You wouldn't happen to have captured this on video, would you? I'm not sure if this is more unfortunate or hilarious.

I'm not sure I understand. Is there a way to have your car drive itself home at the press of a button, from the internet?

It lets you go forward and back. Only works if you are within Bluetooth range and keep your finger on the button in the app. If you let go the car stops. It will actually make minor turns to avoid hitting stuff. Though apparently not going off cliffs.

Good for a party trick but in general I have yet to find a good real use case for it.

Using it without being able to see your car is pure idiocy.


I have a gym in my garage that folds up into the wall. I use summon to pull the car out of garage before a workout and pull it back in when done. It’s a small thing but something I do every night. The convenience is just a really great nice to have.

> Good for a party trick but in general I have yet to find a good real use case for it.

It's particularly hilarious when you and several buddies are watching the meter maid try to put a ticket on it. It's probably occasionally useful for adjusting a car in the driveway but yeah, it's 99% party trick.

It could theoretically be useful for attaching a trailer but most Tesla owners aren't doing that and the collision detection system will probably go crazy and prevent you from getting close enough to the trailer to actually couple it to the car.


It's great for parking in cramped spaces, at least at home (where you won't get yelled at in a public parking lot). I use it daily so that I can get out of my car before parking it in my carport next to my neighbor's giant SUV.

I could see it useful to have “Tesla” parking spots that are 10% narrower to improve space utilization.

Yes, humiliating other people is hilarious...

I assure you it wasn't nearly as big of an obstacle to the guy writing the ticket as you think it would be. Humans are very good at improvising when a new situation is thrown their way.

I assure you, bothering someone like this when they are trying to get through their day is not hilarious to that person. Not only did your friend act like an ass and park illegally or over the time limit, but they then risked possibly running over a person's foot or something while fucking around.

It has been useful for me in the past to get out of a parking spot that in my absence has become too small to open the doors adequately.

Today, the public software allows you to move it backwards and forwards through the application if you're within range of the vehicle.

Suspension, so you'd be lifting from the body of the car instead of the tires in order to access the components (and surely remove the wheels), right? Then how in the world would something like this happen? Need more details.

We need to see pics.

Sounds like a tall tale.

Your comment seems to be attracting a lot of first-time posters taking defensive positions on Tesla's behalf...

This is messy. On one hand, how are insurers supposed to properly cost and be able to provide payouts for a "cyberattack", which might be anything from "our company website was DDoSed for 30 minutes and we lost 50 customers" to "our production lines were shut down and our company ground to a halt for two weeks"?

On the other hand, if insurers know they can invoke a cyberwarfare clause and deny a claim, even if the attack may not have been state sponsored, the insurance is certainly worthless.


IMO this feels like the whole point of insurance. You could restate this as "how are insurers supposed to cost and provide payouts for fires in the factory? It could be anything from a tiny, contained garbage can fire to the whole place going up in a blaze! [0]" Or chemicals in the case of TSMC [1]. Or blackouts at Samsung [2]. Any of this could have been industrial espionage on the same scale as a state-sponsored cyberattack. This is the domain of actuaries.

Of course, they're neither required nor obligated to provide such cover.

[0] https://www.extremetech.com/computing/166775-ram-pricewatch-...

[1] https://asia.nikkei.com/Business/Companies/TSMC-takes-550m-h...

[2] https://www.anandtech.com/show/12535/power-outage-at-samsung...


Where I live you pay a premium, let's say $50 a month, and then you get let's say $10000 of your damages covered. So that is what you get from the insurance company, $10000, and the rest is yours to pay. They just look at the probability, like "hey, this guy is storing fuel, fire insurance for someone who stores fuel is $100 a month and we can pay only up to $20k".

So it is easy to calculate for insurance companies; they don't go over the factory inventorying what you have in the factory.

It is your responsibility. (They only go in afterwards to see what was damaged, because that is what they care about.)

Of course you can pay some insurance expert to assess your assets and tell you to buy more expensive or less expensive insurance, but there are no magic super-specific algorithms for "if 10 people die we pay $50k, if 20 people die we pay $100k". All insurance policies pay up to some amount based on what your monthly/yearly payment is.

> On one hand, how are insurers supposed to properly cost...

That's more or less the core competency of insurance providers...


Well, no argument there, but I wrote more words in that sentence, which you cut off.

My point is that a "cyber attack" is poorly constrained compared to something like a fire or a flood... a company only has so many assets, valued at $X, that are liable to be burned to the ground or ruined by a flood, and these constraints can be modeled and adjusted for. Perhaps I am mistaken, but I don't see a cyberattack as being analogous to anything else in the insurance industry.


>> compared to something like a fire or a flood

Those are not easy things. People litigate the difference between fire and flood damage all the time. (Putting out a fire normally involves lots of water.) Sometimes flooding in building X even causes a fire in building Y. Is that covered by "fire" or "flood" insurance? The difference between various cyber attacks isn't substantively more complicated than any of the traditional insured risks. The issue is that insurers haven't invested in the experts needed to properly assess those risks. That is their problem to solve, not the customer's.


Agreed with everything you said, though "it's their problem to solve" only holds should they decide to offer cyberattack coverage and sell it; otherwise it is the customer's.

If it's so hard to model then why are these insurance companies offering "cyberinsurance" in the first place?

Well, a fire can do anything from cause a slight smell -- bread toaster or battery dropped into a metal bin, maybe -- all the way to complete destruction of property and loss of lives, potentially ending the business. Seems relatively analogous in that respect to a cyber attack?

Maybe I'm misunderstanding but aren't a fire and a cyberattack both capped at 100% of the value of the company? If the fire takes out the whole place, or a cyberattack empties out an equivalent amount from their bank accounts, the difference feels immaterial.

What if a fire spreads to other properties not owned by the insured or destroys things on company premises but not owned by the company?

Fair point, I was wrong to say 100% of the property value, though I imagine the upper bound of the damage is fairly comparable in both cyber attacks and physical attacks.

Perhaps riot or vandalism [acts of civil disobedience].

Insurers are under no obligation to offer policies which cover cyber attacks, and can even explicitly exempt them in their policies.

However, in this case:

> Mondelez said in a statement that while its business had recovered quickly from the attack, Zurich Insurance was responsible for honoring an insurance policy that explicitly covers cyber events.


This hinges on the US assigning attribution, and to be fair, the US probably has a better idea than an insurance company.

If the FBI publicly arrests some teenager or former employee related to a company hack, and the insurance tries to use a cyberwarfare exception, then we can go grab the pitchforks.

Both sides of this are going to get tested though: does the US actually have a definition for cyberwarfare and is that the same as what's in the insurance contract? Do countries have to publicly declare cyberwar (but not necessarily regular war) on other countries for this clause to be valid? What due diligence do companies have to do to prove they weren't part of a cyberwarfare hack?

This headline is misleading though. Big Companies know what's in those contracts. Maybe this is a kick in the pants for more scrutiny of those contracts to strike things like cyberwarfare.


But the definition of "cyberwarfare" is unclear.

If Russia declared war on the US, and attacked US companies, it's pretty clear this is cyberwarfare.

If Anonymous DDoSes your website out of some vendetta, because they declared "war" on your company, is that cyberwarfare? Does a declaration of war by a non-nation-state count as cyberwarfare?

If North Korea compromised your servers to mine Bitcoin, is that cyberwarfare? Does any action by a nation-state count as cyberwarfare?


> how are insurers supposed to properly cost and be able to provide payouts

This is what insurance companies do.

> how are insurers supposed to properly cost and be able to provide payouts for a "cyberattack", which might be anything from "our company website was DDoSed for 30 minutes and we lost 50 customers" to "our production lines were shut down and our company ground to a halt for two weeks"?

The same way they properly cost and provide payouts for, say, fire which might be anything from "one room got slightly scorched" to "the entire building burned down".


It wouldn’t surprise me if at first insurers throw their own internal security teams at this. They’re used to auditing third party systems, because insurers are constantly working with externally developed software and other companies.

You could go a long way just building out a team with both underwriters and security professionals to set up baseline standards and evaluate customers against those.


Auto insurers have no problem covering claims ranging from a chip in a windshield to eight car pileups with multiple fatal and life-altering injuries. The range of possible losses doesn't really make it harder for insurers. The fuzzy definition of an act of cyber war is what makes it hard for policyholders though.

Nah, what makes it hard for insurers isn't that we don't know what an "act of cyber war" is. That just comes up when they try to get _out_ of it, and the same thing comes up with non-cyber "acts of war" -- it might make it hard on customers who are trying to file claims, but it's not hard on the companies.

But it _is_ hard on insurers to do underwriting on cyber attacks -- UNRELATED to the "war" exemption, even non-war attacks. Because it's _new_, so they don't have all the historical data and methods for estimating risk. As others are saying, this is the business insurance companies are in: estimating statistical risk and figuring out the right premiums to charge to cover it. But the cyber stuff is new, which _does_ make it hard.

As the original article says:

> Cyberattacks have created a unique challenge for insurers. Traditional practices, like not covering multiple buildings in the same neighborhood to avoid the risk of, say, a big fire don’t apply. Malware moves fast and unpredictably, leaving an expensive trail of collateral damage.

But nobody said they had to cover cyber stuff. They can put stuff in their policies saying they don't cover it at all, if they don't know how to underwrite it. What they can't do is put stuff in their policies saying they cover it, take your premiums on that basis, but then try to weasel out of it.


It might actually be a good thing in the long term as insurance companies may require 3rd party audits and that you comply with basic security practices.

More like in the short term. A friend of mine just got a job at a SF startup for that. They're a consultancy which evaluates computer security for insurance companies, before they insure a business. She used to work on AI for intrusion detection, so they're hiring serious people for this.

There are specialty insurance companies which cover specific risks and know how to evaluate them. The classic is The Hartford Steam Boiler Insurance Company.[1] They were the first insurance company willing to insure steam boilers. About half their employees are boiler inspectors. When they started, in 1866, nobody else would touch that business.

They inspect before they insure. Typically, they send inspectors and provide the boiler owner with a to-do list. Then they come back to see if everything was fixed. Only then does HSB write a policy. Their policies give them the right to come in at any time and inspect. Which, randomly, they do.

Boring old Hartford Steam Boiler is expanding into computer systems insurance.[2] But they are not as hard-ass about inspections as they are with boilers, unfortunately. They know how to keep boilers from blowing up. Computer security isn't there yet.

[1] https://www.munichre.com/HSB/about-hsb/index.html

[2] https://www.munichre.com/HSB/cyber-insurance/index.html


> They're a consultancy which evaluates computer security for insurance companies, before they insure a business.

Can you share the name of the company?


But do audits show compliance with basic security practices, or compliance with PCI DSS and other standards which may be orthogonal to security?

In this case it would be the insurance company who requests the audit, so there would be incentives to ensure that the audits are meaningfully preventative.

Good point!

Insurance companies already do this, but that's not the point at all. You can be the victim of a cyberattack even if you do everything right, and the insurance company will refuse to pay out if it's tied (perhaps with little evidence) to a state-funded attack.

It might well kill the use of open source and small-company software in business, in that the developers/management behind said code can't pay insurance companies to say that their code will pass audit. Microsoft and Oracle will pass with flying colors, of course.

Doubt it; there are a lot of PCI-compliant businesses that get audited with open source software in their systems. I'm sure they have a node_modules somewhere on their build server.

When you have an attack that moves from your servers to your desktop computers, you have a network issue, which would be covered in an audit to verify you properly segment your network instead of having it in one large broadcast domain.


It could just as well lead to better support models for contributions to fix and audit open source.

The open source model is benefiting too many businesses to just up and throw it out.


Interestingly, this might be the solution for digital security.

Get a nanny state (Hello California) to force companies to have insurance for cyberattacks.

Insurance companies will learn instantly how to do due diligence for real (as opposed to for compliance certification) to decide whether they take clients or not.

Companies then, forced to have insurance, will have to implement minimal safeguards to be accepted under the insurer's policy requirements.

Problem solved.


If the business lost $100M as claimed, they may want to pay for cyber-attack insurance without being required to do so.

Wow, this is huge. If cyber insurance doesn't cover cyber attacks, then what does it cover? Having seen the process for cyber insurance paying out for an intrusion, I'd be super concerned if I were a CSO/Chief Risk Officer and there's a chance the cyber insurance wouldn't cover you.

Seems a very odd strategy for cyber-insurance companies to take... If I were a large company insured by Zurich right now, I would definitely be reconsidering giving them my money.

There's massive room in the market for a security-first company that offers insurance as a guarantee.

This company would essentially operate as the security team for clients and put in contractually enforced policies and follow through on implementation. If a client decides to not implement required security practices, then their policy immediately gets dropped.

This is the only scalable way I'd see to implement real insurance against cyber-attacks.


Our startup is working on this problem, initially for the javascript ecosystem. We’re offering insurance against vulnerabilities in javascript dependencies: https://bitauth.com/

We have open source developer tooling for signing and verifying signatures of javascript packages, and we’re offering security as a service, backed by up to $1M in insurance coverage.

We’re still in beta, but we’d love feedback from HN!


Most insurers require customers to limit their risk in all kinds of ways.

I'm curious if there are cyber mitigations out there, such as mandatory two-factor authentication, requiring up-to-date software and OSes, or other measures. It seems like any insurance company would be highly interested in forcing these best practices.


You can do 1,000 things right, but one thing wrong may still sink you.

With cybersecurity, there is an active adversary. I'm not sure insurance ever wants to take on that kind of risk. If they don't want that risk they shouldn't sell insurance.


This particular attack wouldn't have been mitigated by any of that. This is why you also have insurance in addition to doing everything you can to prevent an attack.

Mandatory snake oil

If you are a large target many actors will be looking for your weaknesses. One bad actor will eventually find it, or just trick your employees to give them access.

Companies should make a solid effort to prevent the possibility, but I'm torn on what ramifications should be.


> One bad actor will eventually find it, or just trick your employees to give them access.

or do what the Russians do and use kompromat


What is "kompromat"?

It's leverage over an individual--whether that's secrets that might be released, financial problems, or whatever.

Materials for compromising someone. Blackmail material.

If you want a great fictional interpretation (I don't know how accurate it is): https://en.wikipedia.org/wiki/The_Americans_(2013_TV_series)

It's where you do your dirty laundry.

Blackmail

> Companies should make a solid effort to prevent the possibility

Isn't this what they do and then hedge the risk by covering their potential losses with insurance?

If companies are not doing a good enough job with security, why does the cyber insurance not cost more? Priced properly, companies can choose between buying more coverage versus throwing more money at the "security problem."


Similar to not relying on cyberinsurance when things go awry, the field as a whole is in an interesting shape where on one hand there is a dearth of skilled employees (1 million globally supposedly, according to reports), and on the other hand companies do not want to train IT workers with the necessary cybersecurity skillsets to fill the gap, and in turn rely less and less on the red herring of cyberinsurance. Talking to my colleagues who are looking to break in, even after taking training/seminars, which can be quite pricey, employers will tend to hire for junior roles at best.

Sounds like a big "out" is claiming an attack was an act of war. But very few nations declare war nowadays. They have "police actions" or "peacekeeping missions."

Maybe telling these companies "no war was declared, so you must pay out" would be a good thing.

Insurance companies are powerful lobbyists both in the traditional K street sense, and the soft power sense.

(For the soft power sense, picture a major insurance company telling a nation state their state owned businesses can self insure moving forward, since the business cannot handle the risks they generate.)


> Maybe telling these companies "no war was declared, so you must pay out" would be a good thing.

That goes against centuries of precedent. The only difference now is that it was "on the Internet".


Don't forget, though, that the U.S. and North Korea are officially still at war, since no peace treaty was ever signed. So pin a cyber attack against a U.S. entity on N.K. and there you are!

How can an insurance company declare a state of cyberwar, or any other war in general? I thought that was exclusively a government function.

By extension, could we deny coverage when a bunch of crackheads raid someone's home, simply chalking that one up to the war on drugs?