
Cyber Insurance – Will It Pay Off

While insurance clearly has its place, in an immature market such as cyber, with its vague and often ill-defined threats, it’s also a minefield of small print. IT security expert Jay Abbott attempts to pick his way through

More and more, when I meet a prospective client, their opening position for our discussion is: “I have insurance that covers that”. This position is precarious at best. To explain why, I am going to quote from a couple of freely available policies. I should say at this point that I am not a lawyer, nor have I had legal training, but I do know the problem and the industry.

The “good” one is a policy from the US that’s been around for a few years and has become quite mature as a result. It’s also very expensive. The “bad” one is reasonably new from a UK insurer that you will have heard of. It’s a cheap, off-the-shelf product, bundled with other typical business insurance policies.

The “good” policy…

This does have a very good, broad definition of what IS covered, and includes cover for many attacks you would likely be exposed to. However:

“The Company will only indemnify the Insured in respect of losses where there is clear evidence that they resulted from an insured event. The Insured is obliged to provide the necessary proof.”

Pure genius. Why? Quite simply, the organisations most likely to take up a policy such as this are not using it to complement a solid approach to security, but instead to avoid spending money on security. As a result, it is highly unlikely that such a company would have the logging, audit trails or system information required to meet this clause. Even if the organisation had implemented some basic logging, the insurer could argue that it is not “clear evidence”. Unless you have a solid chain of evidence showing, step by step, how the attack unfolded and led to the loss event, you are going to end up in an argument with your insurer. The policy goes on to state some key responsibilities that the insured company must meet for the policy to be valid. One is that: “the Insured’s IT security policies are fit for purpose/complies with industry best practice”

It’s buried in the small print, and while it may sound like a harmless statement, what exactly is “industry best practice” and how do you know you have attained it? And at what point does your insurance company agree that your security is “fit for purpose” and that you are covered? Unfortunately, statements like this give the insurer yet another exit strategy. As previously mentioned, the people most likely to buy this insurance policy consider it a solution to the problem of being secure, a complete “risk transference” strategy so that they do not have to invest in the actual process of being secure. That approach could actually lead to the policy being void.
The icing on the cake is a clause that essentially states that they will not cover any deliberate act of an employee. Most security surveys will tell you that the “insider threat” is the most common form of attack. So the “good” policy does not cover the most likely form of attack, would be very hard to invoke, and still requires you to spend a significant amount of your budget on security.

The “bad” policy…

This is just unreal, but I can guarantee that quite a few people are currently relying on it for a peaceful night’s sleep. According to this policy’s definitions, a “hacker” must be external to your organisation and targeting your website (further defined to include your intranet or extranet). This is further backed up by a definition of what a hacker is not:

“any director or partner of yours or any sub-contractor, self-employed freelancer or third party on your premises without permission;”

So, by definition, a “hacker” cannot be anyone you have had dealings with, nor anyone who has gained unauthorised access to your premises, which is actually a pretty common form of attack.
It goes on to state that a hacker is not someone who gains access to your computer systems and networks, or someone who has got hold of a password or other authentication device. Yet most breaches that are going to cause you serious issues will be targeted at your computer systems and networks, not your public website. Equally, most attacks will go after users’ valid credentials via desktop, laptop or personal computing devices (through phishing emails or malicious attachments, for instance), known as “client side attacks”, and then use those credentials to gain easy access to data. On the wording so far, this policy is only good for protecting your website from defacement, but it is sold as a complete “e” risk policy.

A string of contradictions then arises, demonstrating that whoever wrote it doesn’t understand the issues:

“If during the period of insurance, your business suffers a loss arising from: damage to your computer system or website as a result of a computer virus, worm, logic bomb or Trojan horse, we will pay to repair your computer system or website and restore your data”

What complicates this is that a “hacker” would probably make use of exactly these tools during an attack, so whether a loss caused by a hacker who planted a Trojan is covered depends on which definition the insurer chooses to apply. In the next section the policy contradicts itself again:

“We will not make any payment for any claim or loss directly or indirectly due to: any self-replicating, malicious code that was not specifically targeted to your system.”

The problem? “Self-replicating, malicious code” is the very definition of a “worm”, which the prior section defined as covered. And since a worm by its nature spreads indiscriminately rather than being “specifically targeted to your system”, the exclusion effectively cancels out the cover. It gets worse, but the contradictions alone should give one cause for scepticism.

TO SUM UP…

1. You really do need to read the small print to make sure you’re actually getting some relevant and useful cover for your business.
2. The good policies will require you to be secure to reduce the likelihood of their paying out, but if you are approaching security in a verifiable way, you are likely to be able to make a claim and use the policy to support you.
3. The bad policies are just that: very bad. They cover very little, are pretty much a waste of money, and offer nothing more than a false sense of security.
4. You need to be able to detect an issue quickly, and in sufficient detail to prove it to the insurer, such that they will accept the claim.
5. You really need expert support and advice on the policy itself as well as on the approach to security, so consider the policy part of the approach, not an alternative to it.

Jay Abbott is the Founder and Director of Advanced Security Consulting Limited (JustASC), a specialist business offering consulting and managed services, focused on improving the SME and mid-tier sectors’ ability to understand, and ultimately withstand, inevitable cyber-attack – Contact: 08456 437 406
