Tag Archives: insurance

Lloyd’s Tries to Define Acts of Cyberwar

Or at least standardized policy language on the subject.

Cyber insurance policies have always had language excluding “hostile or warlike action”, whatever the hell that means. In practice it means full employment for lawyers, and a long wait before you get paid.

The Lloyd’s Market Association (LMA), the trade body representing the syndicates that write Lloyd’s backed policies, has created four model clauses to replace that vague and outdated language.

Lloyd’s Market Association offered four model clauses that could be used in whole or part in insurance policies, offering a range of different coverages for state activity. In the broadest sense, they cover operations carried out during war, states retaliating for other cyber activity, or for cyber operations that impact national or homeland security as a whole. The least restrictive language carves out an exemption for that last clause when the operation is against a system covered by the insurance policy; more restrictive wordings do not.

As a major insurer lifts the fog of cyberwar coverage, new definitions emerge | SC Media (scmagazine.com)

At least one piece of good news exists – the burden in the new Lloyd’s wording is placed on the insurer to prove the attack was a state action.

What is unclear at this point is whether this means that insurance companies will be more aggressive about enforcing that language. That will be the biggest question with the new wording.

This is on top of the rising insurance prices and declining coverage maximums that many companies are seeing when they renew their policies.

Reuters reported that Lloyd’s had “discouraged its 100-odd syndicate members from taking on cyber business next year”. LMA’s underwriting director says that it makes no sense for syndicate members with a good track record to refrain from writing new business. In fact, he said, he anticipated their business going up in 2022.

All that being said, the market has to change.

What we are seeing is the underwriting conditions getting more strict. Many clients are telling us that their underwriter is requiring very specific security measures like MFA on all systems or a certain kind of endpoint protection. ASSUME THAT IS GOING TO CONTINUE.

Moody’s just invested a quarter billion dollars in Bitsight, a company that creates security scores for businesses. My suspicion is that once this investment is complete, Bitsight’s score will be factored into your Moody’s risk rating. Bitsight and its competitors already work with multiple insurance carriers to score prospects. If your score is too low, you will not get insurance. Period.

This means that if companies do not want to be self insured, they are going to have to increase their investment in protecting themselves. It is going to be forced on you by the insurance carriers, state laws and industry regulators. Credit: SC Magazine and Threatpost

Security News for the Week Ending June 25, 2021

Paying Ransom is Tax Deductible

Under current IRS regulations, paying cyber ransom after a hack is deductible, just like losses from a robbery, but the IRS is “looking into it”. One way the government could discourage ransom payments is if the cost is borne fully by the company’s owners. They still might choose to do it, but at least the taxpayers would not be subsidizing it. Of course, if your insurance pays for or reimburses you for the ransom, then that ransom is not deductible. Credit: AP

How Much Does YOUR Board Know About Cybersecurity Issues

As I reported last week, the SEC fined First American Financial a half million dollars for the data leak they had. The fine was based on the fact that an internal security team had discovered the problem months before it was reported to the SEC, and no one bothered to tell FirstAm executives about it, so the company’s disclosures were made by people who did not know what their own security team knew. The moral of the story is that the SEC is “suggesting” that you keep your business leaders informed about cybersecurity issues. If the SEC does that, assume that your insurance provider will follow suit soon and deny coverage if your executives are not kept in the loop. Credit: Reuters

How Long Does It Take to Fix Critical Vulnerabilities

According to WhiteHat Security, the average time to fix a CRITICAL vulnerability in May 2021 was 205 days, up from 201 days in April. The water utility sector was the least prepared: 66% of all applications used by the sector had at least one exploitable vulnerability open throughout the year. Even in finance, 40% of the applications had a window of exposure (WoE, the number of days in the year on which an application had at least one serious vulnerability open) of 365 days, although 30% had a WoE of fewer than 30 days. Given stats like these, it is not surprising that the hackers are winning. Credit: ZDNet
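WoE is a property of the application, not a count of tickets: a day counts if any serious vulnerability was open on it, however many there were. The Python below is an added illustration, not code from WhiteHat or the ZDNet story; it computes per-application WoE, the two population percentages quoted above and mean time to fix over a constructed set of findings. The application names, dates and severities are made up for the example.

```python
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import List, Optional

SERIOUS = {"critical", "high"}   # the severities the metric counts


@dataclass(frozen=True)
class Finding:
    app: str
    severity: str
    opened: date
    closed: Optional[date] = None   # None: still open when the report was cut


def window_of_exposure(findings: List[Finding], app: str, year: int) -> int:
    """Days in `year` on which `app` had at least one serious finding open.

    A finding is exposed from `opened` up to, but not including, `closed`
    (the day the fix shipped).  Overlapping findings count once, so the
    metric describes the application, not the number of tickets.
    """
    start = date(year, 1, 1).toordinal()
    end = date(year + 1, 1, 1).toordinal()        # exclusive upper bound
    exposed = set()
    for f in findings:
        if f.app != app or f.severity not in SERIOUS:
            continue
        lo = max(f.opened.toordinal(), start)
        hi = min(f.closed.toordinal() if f.closed else end, end)
        exposed.update(range(lo, hi))
    return len(exposed)


def mean_time_to_fix(findings: List[Finding]) -> Optional[float]:
    """Average open-to-close days for serious findings that were actually fixed."""
    days = [(f.closed - f.opened).days
            for f in findings if f.severity in SERIOUS and f.closed]
    return mean(days) if days else None


def exposure_summary(findings: List[Finding], year: int) -> dict:
    """Per-app WoE plus the two population figures quoted in the story."""
    days_in_year = date(year + 1, 1, 1).toordinal() - date(year, 1, 1).toordinal()
    apps = sorted({f.app for f in findings})
    woe = {a: window_of_exposure(findings, a, year) for a in apps}
    return {
        "woe_days": woe,
        "pct_exposed_all_year": round(100 * sum(d >= days_in_year for d in woe.values()) / len(apps), 1),
        "pct_under_30_days": round(100 * sum(d < 30 for d in woe.values()) / len(apps), 1),
        "mean_days_to_fix": mean_time_to_fix(findings),
    }


# Constructed sample data (not from WhiteHat's report).
SAMPLE_FINDINGS = [
    Finding("portal", "critical", date(2020, 12, 1)),                       # never fixed
    Finding("payments", "high", date(2021, 2, 1), date(2021, 2, 15)),
    Finding("payments", "critical", date(2021, 2, 10), date(2021, 2, 20)),  # overlaps the one above
    Finding("payments", "medium", date(2021, 3, 1), date(2021, 9, 1)),      # below the bar, not counted
    Finding("intranet", "critical", date(2021, 6, 1), date(2021, 12, 28)),
]

if __name__ == "__main__":
    print(exposure_summary(SAMPLE_FINDINGS, 2021))
```

With the sample data, `portal` is exposed all 365 days because its one critical was never closed, `payments` shows 19 days rather than 24 because the two serious findings overlap, and the medium finding does not move the number at all. Mean time to fix only looks at findings that were closed, so an application that never fixes anything makes WoE worse without showing up in time-to-fix, which is why the two figures have to be read together.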

Cyber Breach Insurance Market Set for a Reckoning

Cyber insurance claims spiked this year. Standalone claim payouts jumped from $145,000 in 2019 to $358,000 in 2020. A key metric the industry uses is the direct loss plus defense and cost containment ratio, roughly what insurers pay out in claims and the legal costs of defending them, as a share of the premiums they take in. It skyrocketed last year to 73% from 42% over the previous five years. At 73%, once you add in overhead, commissions and other expenses, the industry is probably losing money. This means that premiums will go up, coverage will go down and limits and sublimits will be changing. If you have cyber risk insurance, prepare for changes. Credit: The Record

How Long Does it Take a Misconfigured Container to be Attacked?

Containers are great, but they are not bullet proof. Aqua Security says that based on data they collected over 6 months, 50% of misconfigured Docker APIs that were exposed to the Internet were attacked by botnets within 56 minutes of being set up.

It takes five hours on average for a new honeypot container to get scanned. The fastest happened in a few minutes. The longest was 24 hours. None of these numbers are very long.

What this means is that you need to up your game when it comes to securing your cloud based systems. If you can, set them up in a contained environment (one that is not publicly accessible) and harden them before exposing them. Credit: SC Magazine
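The Docker daemon’s remote API is root on the host for anyone who can reach it, so “harden before exposing” mostly comes down to how `hosts` and the `tls*` keys in /etc/docker/daemon.json are set before the port is ever opened. The checker below is an added example, not from Aqua’s report or the SC Magazine story. The three sample configurations are constructed; the internal address and certificate paths in them are placeholders.

```python
import json
from urllib.parse import urlsplit

# Constructed sample daemon.json contents (not from the original post).
# Weak: the API is on every interface, in plaintext, with no authentication.
INSECURE_CONFIG = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
})
# Encrypted but still open to anyone: TLS on, but no client-certificate check.
ENCRYPTED_ONLY_CONFIG = json.dumps({
    "hosts": ["tcp://0.0.0.0:2376"],
    "tls": True,
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})
# Hardened: bound to one internal address (placeholder), mutual TLS required.
HARDENED_CONFIG = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})

WILDCARDS = {"", "0.0.0.0", "::"}   # hostnames that mean "every interface"


def audit_daemon_json(text):
    """Return a list of findings for the TCP listeners in a daemon.json.

    dockerd reads `hosts`, `tls`, `tlsverify`, `tlscacert`, `tlscert` and
    `tlskey` from daemon.json; `tlsverify` implies `tls`.  Unix sockets and
    fd:// listeners are local and are not checked here.
    """
    cfg = json.loads(text)
    tls_verify = bool(cfg.get("tlsverify", False))
    tls = bool(cfg.get("tls", False)) or tls_verify
    findings = []
    for listener in cfg.get("hosts", []):
        url = urlsplit(listener)
        if url.scheme != "tcp":
            continue
        if (url.hostname or "") in WILDCARDS:
            findings.append(f"{listener}: listens on all interfaces")
        if not tls:
            findings.append(f"{listener}: plaintext API with no authentication "
                            f"(anyone who can reach the port controls the host)")
        elif not tls_verify:
            findings.append(f"{listener}: TLS without client certificate "
                            f"verification (set tlsverify and tlscacert)")
        else:
            for key in ("tlscacert", "tlscert", "tlskey"):
                if key not in cfg:
                    findings.append(f"{listener}: tlsverify set but {key} is missing")
    return findings


if __name__ == "__main__":
    for name, cfg in [("insecure", INSECURE_CONFIG),
                      ("encrypted-only", ENCRYPTED_ONLY_CONFIG),
                      ("hardened", HARDENED_CONFIG)]:
        print(name, audit_daemon_json(cfg) or ["ok"])
```

The middle case is the one people get wrong: turning on `tls` encrypts the connection but still lets any client on the Internet drive the daemon, because nothing checks who the client is. Only `tlsverify` with a CA you control (Docker’s documented mutual TLS setup) turns the port into something that can be exposed at all, and given the 56-minute figure above, the check has to pass before the firewall rule is added, not after.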

Security News for the Week Ending December 18, 2020

Data from employment firm Automation Personnel Services Leaked

Automation Personnel Services, a provider of temporary employment services, found 440 gigabytes of their data leaked on the dark web. The poster says that it includes payroll, accounting and legal documents.

The data was leaked because the company refused to pay the ransom.

When asked if the data was genuine, the company only said that they are working with forensics firms and are improving their security. Credit: Cybernews

Are Hospitals Protecting Your Data?

The Register is reporting that two thousand medical imaging (DICOM) servers holding 45 million images of X-rays and other medical scans were left online over the past twelve months, freely accessible by anyone, with no authentication or other security protections at all.

To make matters worse, apparently hackers had been there before the researchers and left all kinds of malware behind. Will anyone get in trouble over this? Probably not. Credit: The Register

Ya Know Those Smart TVs? Maybe Not So Smart to Use?

Ponder this. Most TVs are made in China. Smart TVs connect to the Internet. There is Internet in China. China makes the chips that go into those TVs. And the software that goes into those chips. The executives for at least some of those companies have a documented connection to the Chinese government and/or military. China might be very interested in hearing what goes on in everyone’s living room. And bedroom. Including your kids’ bedroom. Some smart TVs have cameras in addition to microphones. Connect the dots; I am not allowed to. Credit: US Department of Homeland Security

Ransomware Attacks on the Rise and Insurers React

As ransomware attacks increased this year, both in cost and in severity, insurers are becoming more selective and some are scaling back their coverage. Total ransom payments doubled between 1H2019 and 1H2020, but that might change going forward now that the feds are threatening penalties, including jail, for paying ransoms to sanctioned groups. This means that some premiums are going up and some carriers are even getting out of the cyber risk insurance business. Credit: Reuters

Security news for the Week Ending September 20, 2019

A New Trend?  Insurers Offering Consumers Ransomware Coverage

In what may be a new trend, Mercury Insurance is now offering individuals $50,000 of ransomware insurance in case your cat videos get encrypted.  The good news is that the insurance may help you get your data back in case of an attack.  The bad news is that  it will likely encourage hackers to go back to hacking consumers.  Source: The Register.

Security or Convenience Even Applies to Espionage

A story is coming out now that as far back as 2010  the Russians were trying to compromise US law enforcement (AKA the FBI) by spying on the spies.

The FBI was tracking what Russian agents were doing, but because the FBI opted for small, light but not very secure communications gear, the Russians were able to crack the encryption and listen in to us listening in to them. We did finally expel some Russian spy/diplomats during Obama’s presidency, but not before they did damage. Source: Yahoo

And Continuing the Spy Game – China Vs. Australia

Continuing the story of the spy game,  Australia is now blaming China for hacking their Parliament and their three largest political parties just before the elections earlier this year (sound familiar?  Replace China with Russia and Australia with United States).

Australia wants to keep the results of the investigation secret because it is more important to them not to offend a trade partner than to have honest elections (sound familiar?).  Source: ITNews .

The US Government is Suing Edward Snowden

If you think it is because he released all those secret documents, you’d be wrong.

It is because he published a book and part of the agreement that you sign if you go to work for the NSA or CIA is an agreement that you can’t publish a book without first letting them redact whatever they might want to hide.  He didn’t do that.

Note that they are not suing to stop the publication of the book – first because that has interesting First Amendment issues that the government might lose and they certainly do not want to set that precedent and secondly, because he could self publish on the net in a country – like say Russia – that would likely flip off the US if we told Putin to shut him down.  No, they just want any money he would get. Source: The Hacker News.


HP Printers Phone Home – Oh My!

An IT guy who was setting up an HP printer for a family member actually read all those agreements that everyone clicks through, and here is what they said:

by agreeing to HP’s “automatic data collection” settings, you allow the company to acquire:

… product usage data such as pages printed, print mode, media used, ink or toner brand, file type printed (.pdf, .jpg, etc.), application used for printing (Word, Excel, Adobe Photoshop, etc.), file size, time stamp, and usage and status of other printer supplies…

… information about your computer, printer and/or device such as operating system, firmware, amount of memory, region, language, time zone, model number, first start date, age of device, device manufacture date, browser version, device manufacturer, connection port, warranty status, unique device identifiers, advertising identifiers and additional technical information that varies by product…

That seems like a lot of information that I don’t particularly want to share with a third party that is going to do who knows what with it.  Source: The Register.

Private Database of 9 Billion License Plate Events Available at a Click

Repo men – err, people – are always looking for cars that they need to repo. So they created a tool. Once they had it, they figured they might as well make some money off it.

As they tool around town, they record all the license plates that they can and upload the plate, photo, date, time and location to a database that currently has 9 billion records.

Then they sell that data to anyone whose check will clear. Want to know where your spouse is? That will cost $20. Want to get an alert any time they see the plate? That costs $70. Source: Vice.

Election Commission Says That It Won’t Decertify Voting Machines Running Windows 7

Come January 2020, voting machines running Windows 7 (which is a whole lot of them) will no longer get security patches unless the city or county pays Microsoft extra for Extended Security Updates ($50 per computer in the first year and then $100 per computer in the second year). Likely this means a whole lot of voting machines won’t get any more patches next year.

The nice folks in Washington would not certify a voting machine running an operating system that is not supported, but they won’t decertify one.  That, they say, would be inconvenient for manufacturers and cities.   I guess it is not so inconvenient for foreign nations to corrupt our elections.  Source: Cyberscoop

Do You Have Cyber-Risk Insurance? Enough?

A recent study estimates that a coordinated global cyber attack (think Wannacry, but not geographically bounded) could cause economic damages of between $85 billion and $193 billion.

The study was conducted by Lloyd’s of London and Aon as a “stress test” of the industry.

Claims would likely include everything from business interruption to incident response costs.

Total claims estimated to be paid by the insurance companies range from $10 billion to $27 billion.

That means the uninsured remainder, between $75 billion and $166 billion, falls on the victim companies themselves.

That is going to come out of victim companies’ checkbooks.

Are you ready to write a check for $166 billion?  How about $75 billion?

They estimate the biggest losses would be in retail, healthcare, manufacturing and banking.

Countries that are more service oriented – like the United States – would suffer more damage and have higher losses.

So there are a couple of questions –

  1. Do you have cyber insurance?
  2. Do you have enough cyber insurance?
  3. Can you make up the loss shortfall out of your checkbook?

One last thought.  Are you sure that the coverage that you do have matches the risk that you are exposed to?  Given that every policy is different, you might want to look into that too.  We can help.

Information for this post came from Reuters.

Food Giant Mondelez Sues Its Insurance Company Over “Act of War”

Mondelez is the parent company of Nabisco, Oreo, Ritz and many other brands that were formerly part of Kraft Foods.

Mondelez, like many other companies, was a victim of the NotPetya attack which turned 1,700 servers and 24,000  workstations at Mondelez into very expensive bricks.

Mondelez’ insurance company, Zurich American, denied the claim; hence the lawsuit, which asks for $100 million.

White House estimates of worldwide damage from NotPetya, at the time, were around $10 billion, so Mondelez is claiming one percent of the total worldwide damage, which seems a bit high, but that is not the point.

The Zurich American policy in question offers this coverage:

“all risks of physical loss or damage” as well as “physical loss or damage to electronic data, programs, or software, including loss or damage caused by the malicious introduction of a machine code or instruction.”

It seems like this attack meets the requirements of this clause.

BUT, what insurance companies giveth, sometimes they taketh.

Zurich reviewed the claim and did what all insurance companies do – tried to figure out a way to reduce what they would have to pay out.

One survey said that companies collectively worldwide could potentially claim $80 billion in damages.

Zurich initially offered Mondelez $10 million to settle but then changed their mind.  Why?

Because of another clause in the policy.

There is a clause in their policy (and many others) that has an exclusion for  “hostile or warlike action in time of peace or war” by a “government or sovereign power.”   The key phrase here is BY a government or sovereign power.  Not hackers friendly to one.  Not hackers  mad at the world.  You get the idea.

Security experts and some governments blamed Russia for the attack.

Russia (of course) denied that claim.

So now, it would appear, it is up to Zurich to prove, by a preponderance of the evidence, that this (a) is a hostile or warlike action, a term that is likely not defined in the policy and for which a generally accepted definition has possibly never been adjudicated through the court system on appeal, and (b) that it was done by “a government or sovereign power”. I don’t think it is sufficient to say “well, the government says it is”.

Either way this turns out – and we likely won’t know the final result for years – will have an impact on the insurance industry.  Possibly the two sides will agree out of court, leaving the question unanswered for future claims.

Likely the industry will change the terms of policies long before this is settled and large companies will negotiate terms with insurance carriers – which will affect premiums.

This apparently is NOT a common technique to  limit damages according to some sources and was probably precipitated by the size of the check that they might have to write.

Likely much of the data that could be used to prove Zurich’s stance in this case is classified by the U.S. or other governments.  Are those governments going to be willing to declassify that data for the benefit of one side of a civil lawsuit?  Not clear but stay tuned.  Source:  The Register .