Insurance exists to protect the insured party against
catastrophe, but the insurer needs protection so that its policies
are not abused – and that’s where the fine print comes in. However,
in the case of ransomware insurance, the fine print is becoming
contentious and arguably undermining the usefulness of ransomware
insurance.
In this article, we’ll outline why, particularly given the
current climate, war exclusion clauses are increasingly rendering
ransomware insurance of reduced value – and why your organization
should focus on protecting itself instead.
What is ransomware insurance?
In recent years, ransomware insurance has grown as a product
field because organizations are trying to buy protection against
the catastrophic effects of a successful ransomware attack. Why try
to buy insurance? Well, a single, successful attack can just about
wipe out a large organization, or lead to crippling costs –
NotPetya alone led to a total of $10bn in
damages[1].
Ransomware attacks are notoriously difficult to protect against
completely. As with any other potentially catastrophic event, insurers
stepped in to offer an insurance product. In exchange for a
premium, insurers promise to cover many of the damages resulting
from a ransomware attack.
Depending on the policy, ransomware cover could include loss of
income if the attack disrupts operations, or loss of valuable data
if data is erased during the ransomware event. Some policies also
cover you for extortion; others will refund the ransom
demanded by the criminal.
The exact payout and terms will of course be defined in the
policy document, also called the “fine print.” Critically, fine
print also contains exclusions, in other words
circumstances under which the policy won’t pay out. And therein
lies the problem.
What’s the issue with fine print?
It’s understandable that insurers need to protect their premium
pools against abuse. After all, it’s easy for an actor to sign up
for insurance not because they are seeking protection, but because
they already have a claim in mind.
Fine print isn’t necessarily a bad thing. It’s a way for both
parties to define the terms of the agreement so that everyone knows
what’s expected, and what they’re entitled to. Within ransomware
insurance, the fine print makes some reasonable demands.
For example, your policy will require you to make minimum
efforts to protect your workload against ransomware. After all,
it’s reasonable to expect that you take precautions against an
attack. Similarly, you will probably find a notification clause in
your contract that requires you to notify your insurer about an
attack within a minimum timeframe.
Another common exclusion is
war-related[2], where insurers retain
the right to refuse to pay out on a claim if the damage was as a
result of war, or war-like actions. It’s this fine print that is
currently causing concern, for three reasons.
The complexity of war exclusions
When one nation-state turns on another, cyberwarfare can be used
to inflict damage outside of the usual realm of war. Cyberwarfare
can be incredibly indiscriminate: the parties affected are not
necessarily government organizations – it could be a business
that’s caught in the crossfire.
Insurers have valid reason to try to exclude this massive level
of exposure. However, there are a couple of problems. Defining a
war is the first issue – when does an act of aggression qualify as
a war-related activity? Another difficulty is attribution, because
cyber attackers generally try their best to disguise themselves –
it is uncommon for an attacker to openly declare their involvement
in an attack.
When an organization suffers from a ransomware attack, how does
the insurer – or the claimant – prove that a specific organization
was behind an attack, and by consequence, what the motivation for
the attack was – e.g. war? How do you find out at all? Finding hard
proof or indeed any proof behind attribution is very
challenging.
Just think back to how many times ransomware attacks are said to
be perpetrated by “<insert state name here> groups”. It
doesn’t (shouldn’t?) mean state-sponsored actors are behind the
attack, but it’s often so hard to pinpoint the origin of an attack
that any actor can be blamed, and it’s usually very hard or even
impossible to prove otherwise.
And here’s the thing. Claims under ransomware insurance won’t be
small – ransom demands are commonly in the millions, while damages
could be as much as a billion dollars. Out of understandable
self-interest, insurance companies will try to find any grounds
possible to refuse to pay a claim.
It’s no wonder then that these claims are commonly contested –
in court.
It may just end up in court
When there’s a disagreement about an insurance claim, the
claimant would typically turn to the courts. The outcome of these
cases is uncertain, and it can take a long time to reach a
resolution. One example is Merck’s case against Ace American
Insurance. The case referred to the NotPetya attack: in June
2017 Merck suffered a major intrusion which it took months to
recover from, and which the company estimated cost it USD
1.4bn.
However, when the company tried to claim on its USD 1.75bn
“all-risk” insurance policy, Ace American initially refused to pay
the claim, arguing that it was subject to an “Acts of War”
exclusion clause. It based this claim on the fact that NotPetya was
deployed by the Russian government in an act of war against
Ukraine.
The claim ended up in court a short while later, but it took
over three years for the court to come to a decision – ruling in
Merck’s favor on this occasion, stating that Ace American, like
many other insurers, had not sufficiently changed the wording in
its policy exclusions to ensure that the insured – Merck – fully
understood that a cyberattack launched in the context of an act of
war would mean that the policy coverage is not valid.
Protecting yourself is your first priority
The insurance industry knows, of course, that there is a lack of
clarity. In a recent major step the Lloyd’s Market Association, a
membership network of the influential Lloyd’s of London marketplace,
published a set of clauses[3]
that its members could include in the terms and conditions of cyber
insurance products.
These clauses would supposedly make a better effort at excluding
war-related cybersecurity breaches. But, again, there may be some
points of contention – with attribution being the biggest
concern.
Either way, there’s an increasing likelihood that any ransomware
insurance you subscribe to may not pay out when you need it most –
particularly when taking today’s heightened global security
environment into account.
That doesn’t mean cybersecurity insurance has no role to
play; depending on the premiums and level of cover, it may well be
an option. But it’s an option of last resort: your own, internal
efforts to protect your IT assets from attack remain your first
line of defense – and your best bet.
The best insurance: a firm cybersecurity posture
As mentioned before, any ransomware insurance policy will have
minimum cybersecurity requirements in place – conditions you need
to meet to ensure your policy pays out. These might include things
like regular, reliable backups as well as threat monitoring.
We’d like to suggest that you go further and truly maximize the
protection you put in place across your technology estate. Put
additional layers of protection in place, specifically live,
rebootless patching[4]
mechanisms like TuxCare’s KernelCare Enterprise[5], or Extended Lifecycle Support[6] for older systems that
are no longer officially supported. Doing so helps address the
issue.
No solution can provide you with airtight security, but these
measures help you reduce risk windows to the absolute minimum,
which is as close to airtight as you can get. Taking the maximum
actions in terms of protecting your systems will help ensure that
you avoid a situation where you get an unpleasant surprise, like
finding out that your insurance is not covering your data loss.
So yes, by all means, take out insurance to cover you as a last
resort. But ensure you do everything you can to protect your system
using all available tools.
References
[1] NotPetya alone led to a total of $10bn in damages (www.wired.com)
[2] Another common exclusion is war-related (www.investopedia.com)
[3] Set of clauses (www.lmalloyds.com)
[4] Rebootless patching (tuxcare.com)
[5] TuxCare’s KernelCare Enterprise (tuxcare.com)
[6] Extended Lifecycle Support (tuxcare.com)
Read more: https://thehackernews.com/2022/06/do-you-have-ransomware-insurance-look.html