
Is Cyberwarfare War? Insurers Balk At Paying For Some Cyberattacks (thebulletin.org)

From the Bulletin of the Atomic Scientists: In an era of unceasing cyberattacks, including cases of state-sponsored hacking, insurance companies are beginning to re-interpret an old line in their contracts known as the "war exclusion." Stripping away the metaphorical connotation of the term "cyberwarfare," big insurers like Zurich Insurance have decided that state-sponsored attacks are basically just plain warfare.

This shift comes as the U.S. government is increasingly attributing state-sponsored cyberattacks to their alleged perpetrators, a development that some argue is a means of holding bad actors accountable. But the policy certainly doesn't seem to be doing any favors to the private sector.

The maker of Oreo cookies was hit by 2017's "NotPetya" attack, but its insurer refused to cover its $100 million in losses, citing an exclusion for "hostile or warlike action in time of peace or war...by any government or sovereign power." Oreo called their response "unprecedented," saying the war exclusion has always been applied only to "conventional armed conflict" -- and not to cyber-attacks.

Slashdot reader Lasrick argues that an insurance company win in court "could make cyberwar much more real -- and costly."
  • by FudRucker ( 866063 ) on Saturday April 27, 2019 @05:35PM (#58502406)
    It needs medical marijuana to calm its nerves and to help it sleep, please send an OZ every month
  • Good (Score:4, Insightful)

    by Anonymous Coward on Saturday April 27, 2019 @05:39PM (#58502430)

    The last thing we need are companies with shit security being able to recover losses from insurance companies. That just shifts the risk and penalty from decades-long choices from their IT staff who no doubt warned them about a lot of things they were doing horribly wrong. I just wish they'd start fining more companies for data breaches.

    • by Anonymous Coward

      If I were an insurer I would laugh at claims. Some of the claims are so obviously a scheme, legal or not, that qualify as insurance fraud. Insurance investigators are the best in the business and you would be fooling yourself if you think you can put anything over on an insurance company. Insurance companies probably have better surveillance than the NSA.

      • If I were an insurer I would laugh at claims.

        The industry has tried that endless times, and the end result is courts. And lawyers. And big insurance payouts on top of the legal fees.

        That's why, if you were an insurer, you would usually just pay claims.

        The real point here in this story is that if you're a company with an insurance policy that might cover some sort of electronic attack on your business, and that sort of attack happens, do not, I repeat, do not blame the attack on a sovereign power. Even if it makes your IT team look less bad. When rep

        • by sfcat ( 872532 )

          If I were an insurer I would laugh at claims.

          The industry has tried that endless times, and the end result is courts. And lawyers. And big insurance payouts on top of the legal fees.

          That's why, if you were an insurer, you would usually just pay claims.

          The real point here in this story is that if you're a company with an insurance policy that might cover some sort of electronic attack on your business, and that sort of attack happens, do not, I repeat, do not blame the attack on a sovereign power. Even if it makes your IT team look less bad. When reporters ask questions about if [some sovereign power] was responsible, say no; say it was clearly a criminal act undertaken by a group of bad actors.

          They're never going to prove that some country was officially responsible; however they might easily prove that you already conceded that it was true.

          And of course if you didn't have that sort of insurance in the first place, then just say whatever you want, you're still Free. But, mind your security better next time.

          That was before insurers got smart and started writing computer security standards requirements into their policies. Now, all the insurance company has to do is prove that the insured didn't follow some security procedure and poof, no more claim. And the insurance companies have been winning on this one in court because there are obvious precedents for requiring certain real world practices (safety procedures, security policies, etc.) to be followed in order to collect on a claim. So now the folks writing

    • Re: Good (Score:1, Insightful)

      by Anonymous Coward

      Usually the IT staff is shit at explaining the business risk of a cyber event. Some nerd yelling about hax0rs makes no impact, while a well defined business case explaining risk, the cost of a breach, and the cost of security makes all the difference.

      Source: 20 year plus Infosec pro who started out hand waving about hax0rs and eventually realized that everything is about financial risk

      • In my experience, in 25+ years of IT, when security is mentioned in a top brass powwow, the CEO walks out, says, "security has no ROI", and that is the end of the discussion. In my experience, most companies are better off financially by paying off fines as opposed to actually going with solid security practices.

        I have worked at a few companies who value security, where every process from the ground up was scrutinized for security vulnerabilities. However, those companies wind up getting bought out, and t

      • by rtb61 ( 674572 )

        Quite often IT staff are a little cadre of incompetence. Firing the too smart and the too stupid, apart from the new guy they need to blame for everything. Once festered like a tick into the IT department, bad managers are hard to get rid of and often do quite bad things on the way out.

        The insurance companies are screwed though, they can claim war and try to fight it off in court for as long as possible (the interest on keeping the money is less than legal fees and keep it going for as long as possible) but

    • The last thing we need are companies with shit security being able to recover losses from insurance companies.

      Insurance companies don't just hand out money. They often do training and audits for best practices. This reduces claims by avoiding accidents and improving security.

    • by schwit1 ( 797399 )

      Why would an insurance company insure a company that has shit security? Could you realistically get fire insurance if your building was not up to fire code?

      The insurance company would mandate compliance audits, and require a post intrusion investigation to ensure compliance existed at the time of the breakin.

      • Exactly. What is happening here is not good but bad: it’s insurance companies having found yet another way to weasel out of having to pay a claim. Plenty of companies need better security practices, but the right way to go about fixing that isn’t saying: “We might randomly deny your claim so better make sure you do not have to claim in the first place”.
  • I bet all new insurance contracts have very specifically worded clauses explicitly including coverage for cyberwarfare.
  • Cyberwar, huh, yeah
    What is it good for
    Absolutely nothing
    Cyberwar, huh, yeah
    What is it good for
    Absolutely nothing
    Say it again, y'all

    Alternate reply: Make cyberlove, not cyberwar.

  • by Qbertino ( 265505 ) <moiraNO@SPAMmodparlor.com> on Saturday April 27, 2019 @06:18PM (#58502550)

    War is large organised amounts of people trying to kill each other over some larger cause concerning one group/nation against another. "Cyberwar" is a bullshit term.

    • War is large organised amounts of people trying to kill each other over some larger cause concerning one group/nation against another. "Cyberwar" is a bullshit term.

      If your military flies an airplane into a neighboring country and bombs a weapons depot, or power plant, and nobody is killed, it is still an act of war.

      If your military does [blah blah blah] with a computer, causing a weapons depot in a neighboring country to explode, nobody cares about your cyber-blah-blah, it is equally an act of war.

      Judges don't care if you try to re-define a word. When you say "that word means [blah blah blah]," the Judge first looks at where you're saying the meaning comes from; are y

      • So a foreign military attacked a cookie factory?

        As a critical blow to America's flabby underbelly?

        Riiiight.

        • So a foreign military attacked a cookie factory?

          As a critical blow to America's flabby underbelly?

          Riiiight.

          If you think you can reduce the scope of the losses by making a fat joke, you'd be a crap lawyer.

    • von Clausewitz, On War: War is the continuation of Diplomacy by other means. Peace is that state which exists before Nations know who they want to invade, or the time during which they are preparing to do so.
    • by AmiMoJo ( 196126 )

      That hasn't been true for a long time, if ever. A single person ordered by the government of a nation to kill one other person (e.g. assassinate a key target) or damage some bit of infrastructure can be an act of war.

  • by sjames ( 1099 ) on Saturday April 27, 2019 @06:19PM (#58502556) Homepage Journal

    I'm pretty sure insurance companies aren't the appropriate entity to decide when something is an act of war.

  • They're nothing but leeches. They take and take and take, and offer nothing in return.

    If these companies are claiming cyberattacks are acts of war, then they should be required to point to the Congressional declaration of war.

    If they can't, they should shut up and do what they've been paid to do: provide coverage to companies who experience loss.

  • It will be interesting to see an insurance company positively prove that an attack came from a national actor.

    And how is an attack on an individual business an act of war?

    • It will be interesting to see an insurance company positively prove that an attack came from a national actor.

      You won't ever see them try.

      What you will see them try to prove is that the client already admitted that the sovereign actor was the most likely suspect, and that such a belief was reasonable.

      The standard of "proof" is a preponderance of evidence. If the other party already agreed who was likely responsible, and that is the only evidence presented, it meets the standard. This is why many lawyers repeat the phrase "don't admit fault." In this case it is not only your own fault you don't want to admit!

      And how is an attack on an individual business an act of war?

      Well, o

      • Ok, so if the courts agree it's an act of war, does that mean that anyone waging such war is an enemy combatant, with all the legal implications, e.g. killing an enemy combatant while they are attacking you is not murder, and they don't have to be actually shooting you, they could be trying to sabotage a bridge, or your computer network - war is war, right?

        • No.

          That's just another thing that has nothing to do with the case and the Judge won't even consider it. Those words are all already defined. You're playing Keyword Bingo and presuming it is Law.

  • It is incredibly stupid to create the mindset that "cyber-attacks" are "warfare". The Geneva Convention is very clear: a deadly attack by ANY citizen of one nation against another, regardless of the physical location of either citizen at the time of the attack, may be interpreted as an ACT OF WAR.

    An Act of War permits all and any citizens of the nation being attacked - to immediately take up arms and respond with deadly force against all and any citizens and sovereign assets of the aggressor nation. there

    • Probably the US courts will just make up their own definition of the term and create a legal doctrine - just like the Supreme Court did with "qualified immunity" for police and federal agents. Such as: a computer-based hostile act against an entity by a national actor. This would be determined with the "preponderance of the evidence" evidentiary standard as it would be a civil, not criminal case. The aggrieved party would need to establish actual damages. So dueling expert witnesses and dodgy quotes from t

    • You are absolutely right. Nothing that happens in cyberspace has any impact IRL ever.

      The Iranian nuclear enrichment project was not impacted in any way by the malware that got into the system.

      The incredibly unsecured software that controls our infrastructure will never be a target of bad actors, and if it was all the IRL machinery it controls would operate perfectly when deliberately bad software takes over.

      And no Boeing 737 Max ever fell out of the sky because of a software involved failure. None of tho

  • Insurance revolves around rating.
    You assign a probability to each risk, and you aggregate the insureds into a pool that is big enough that you get the statistically expected losses in that pool. Then you set the premiums to cover those losses, plus a profit.

    Cyberattacks don't work that way.
    Everything is going along fine, no losses, and then BOOM! every computer in Europe is pwned within 24 hours, and you're on the hook for ALL the losses. Once the insurance companies realize this, they are going to stop ins

    • I don't think this is special "cyberinsurance," just a general insurance policy.

      So there is no market that will vanish, and no policies that will go unsold; they'll simply stop covering this cause of loss.

  • Wow, insurers are going to get a shock when they start using this against some of the bigger players and be asked in court to prove that a "state sponsored attack" was, indeed, sponsored by a state.
  • The agreement between a policy holder and an insurance company is a contract. There's no law that says they have to cover "cyberwar," whether or not it constitutes "war." The only question is, what did the parties agree to?

    Now, if insurance companies are retroactively deciding that cyberwar is "war," that could well be a breach of contract. But if they are deciding to drop coverage for "cyberwar" in new policies, there's no problem. If you want coverage, you can ask for a rider to be added to your policy, w

  • For a little bit more extra you can get insured against cyberwarfare losses too!

  • The amounts of damages due to 'hacking' are the sum of all the crap an organization can blame on a party who isn't there to defend themselves.

    Why can't you be held accountable for your failure? Damn hackers.

    You'd have to be nuts to insure that.
