Enterprise security teams and cyber insurance companies have historically played a cat-and-mouse game, with the insurers doing whatever they can to limit what they have to pay out.
In the last few years, many of the largest cyber insurers have insisted on a stringent list of security defenses that enterprises must prove they have in place before they are even allowed to discuss signing up for coverage.
The latest wrinkle comes from one of the planet’s largest cyber insurance markets. This insurer is trying to exclude nation-state attacks from coverage, a move quite likely to be replicated by other major insurers.
This particular insurance company “remains strongly supportive of the writing of cyber-attack cover but recognizes also that cyber related business continues to be an evolving risk. If not managed properly, it has the potential to expose the market to systemic risks that syndicates could struggle to manage,” the insurer’s underwriting director wrote in an Aug. 16 (2022) market bulletin. “In particular, the ability of hostile actors to easily disseminate an attack, the ability for harmful code to spread, and the critical dependency that societies have on their IT infrastructure, including to operate physical assets, means that losses have the potential to greatly exceed what the insurance market is able to absorb.”
The underwriting director then said that it is now requiring “a suitable clause excluding liability for losses arising from any state backed cyber-attack.”
There are several problems with this approach. First, it is almost impossible to prove that an attack was indeed a nation-state attack. Not only do large-scale attacks obfuscate their point of origin in many different ways, but even genuine nation-state operations typically rely on third-party attackers, who also run their own private campaigns. Even if one were somehow able to prove that an attacker who often works for, say, China, North Korea or Russia was the culprit, how could it possibly be proven whether the attacker acted for their own purposes or on behalf of a government client?
There is some good news, at least as far as this insurer is concerned. They have published sample language of such an exclusion. The most encouraging line: “The insurer shall have the burden of proving that this exclusion applies.”
That is critical. Given how difficult it is to prove that an attack is state-backed, the fact that the insurer assumes the burden of proof is a massive gift to enterprises.
Second, the sample wording makes the primary factual test whether the government of the country where the affected system sits attributes the attack to another state. “The primary but not exclusive factor in determining attribution of a cyber operation shall be whether the government of the state–including its intelligence and security services–in which the computer system affected by the cyber operation is physically located attributes the cyber operation to another state or those acting on its behalf.”
In short, this means that if the FBI publicly declares that an attack on a U.S. enterprise is a nation-state attack, this insurer will have cover to deny coverage. For the enterprise CISO, this means working closely with law enforcement and insisting that they not publicly share guesses or suspicions, but limit their public comments to what can be proven in a U.S. court.
Why a U.S. court? Because if an offhand FBI comment causes the enterprise to lose millions of dollars’ worth of insurance compensation, the FBI needs to know that it will have to defend that conclusion in court.
The insurer also made clear that it is on the investigative hook to prove whether or not an attack was state-backed if the government doesn’t.
“In the event that the government of the state (including its intelligence and security services) in which the computer system affected by the cyber operation is physically located either takes an unreasonable length of time to or declares it is unable to attribute the cyber operation to another state or those acting on its behalf, it shall be for the insurer to prove attribution by reference to such other evidence as is available.”
Dare I say, but this is a wee bit of the insurer trying to have its cyber-liability cake and eat it, too. It says it will rely on the government investigating and concluding where the attack came from. But if the government takes too long, or says it cannot attribute the attack, the insurer will simply set that aside and try to prove attribution some other way.
There is, however, a far bigger problem with this kind of exclusion. State attacks are becoming common. For a cyber insurance company to exclude a state attack from coverage is akin to a health insurance policy excluding coverage for broken bones.
This insurer is trying to associate its state-actor exclusion with the common insurance exclusion for war. But the two concepts couldn’t be further apart. The war exclusion was designed to exclude losses caused by another country, one that has actually declared war, bombing the insured. That is rare enough and foreseeable enough to merit exclusion pending a custom-written supplement.
But nation-state attacks are becoming common and, more to the point, that is precisely the kind of high-level attack that cyber insurance was created to cover. If North Korea wants to shut down Wall Street for a day and attacks the largest financial players to do so, why is that a reasonable insurance exclusion?
Let’s get back to how most state cyberattacks happen. A state typically has a group of experienced attackers that it contracts for various operations. These attackers are rarely on the government’s payroll and, critically, they also mount attacks against people and companies for their own benefit.
Courtesy of the actual government projects, they will often have the money to purchase high-end systems, including banks of systems, to facilitate massive attacks. In other words, the state finances their infrastructure so that they can do its bidding. Therefore, just because the same people who were involved in an attack attributed to, let’s say, Russia a month ago are involved in this attack does not necessarily mean it is an attack from Russia. The freelance attackers could be running this particular attack on their own.
Shy of getting a sworn deposition from the freelance attacker clarifying the matter–yeah, that’s not happening–it’s nearly impossible to positively determine if it was a state attack.