Today’s nascent cyber insurance industry is largely unprepared to cover the type of damage than can be caused by the world’s best hackers. And the industry isn’t hiding it.
Though no two insurance plans tend to be quite the same, a rare commonality exists between a vast majority of current cyber insurance offerings: the policies exclude coverage in the case of a nation state hackers’ involvement.
“I reviewed 14 plans, which was the number I could find publicly available online. In those plans, 100 percent explicitly exclude acts of war and ‘warlike operations.’ Many of them also exclude acts of broadly defined foreign enemies, government actors and terrorism,” Robert Morgus, a policy analyst in New America’s international security program, told CyberScoop. Morgus recently completed a comprehensive research report focused on the cyber insurance market.
The stipulation spurs questions regarding how and who is responsible for attributing a specific data breach in the due process of an insurance claim — and whether accurate attribution is possible in the first place. If attribution was contested and no clause for resolution was written into the policy, the case would then go to court for settlement, cybersecurity insurance experts tell CyberScoop.
Generally speaking, liability exclusion details are difficult to study because most cyber insurance contracts are confidential in nature, said Morgus. Legal experts say there has yet to be a case where the insurance company or a breach victim have specifically challenged the attribution of an attack in court.
“It would be fair to say that a majority of currently available policies do exclude attacks attributable to a nation state or international crime syndicate,” said ECMB insurance broker Charlie Bernier, “[but] I never say anything is 100 percent … I can think of at least one policy off the top of my head that does not have an exclusion if/when an attack comes from” this vector.
Included in most cyber and other privacy insurance policies is the actual cost of a digital forensic investigation, explained Bernier. Usually, under most plans, it is the insurance company who pays for the forensic investigation on behalf of the insured. The forensic company will typically work under the attorneys representing the insured, Bernier said, independent of the insurance firm.
Because the fledgling cyber insurance marketplace is still developing, Bernier also believes most insurance companies would avoid a messy legal battle over attribution with a client as it could negatively impact the larger market at scale.
But a clear lack of precedent concerning cyber policy case law has left more questions than answers. Just one court ruling to date has focused strictly on cyber insurance: P.F. Chang’s China Bistro Inc. v. Federal Insurance Co.
In the P.F. Chang’s case, the Secret Service was the first to notice that 60,000 credit cards belonging to P.F. Chang customers had publicly surfaced online. In the span of three days, fraudsters charged $1.9 million to the cards. A court ultimately ruled that P.F. Chang was liable for the credit card charges, insurance would not cover that specific damage. The case did not include any discussions regarding attribution. The ruling is currently being appealed.
While the P.F. Chang’s case may be a direct example, nearly every conversation about the industry includes some mention of the 2014 Sony data breach, said Morgus.
The Sony incident showcases the intersection between an attributable nation-state attack and an activated insurance policy that includes cyber-related liability protections. However, it remains unclear if any of Sony’s multiple insurance plans — brokered by Marsh and consisting of $60 million worth of coverage via Brit Insurance, Liberty International Underwriters, Beazley and other carriers — carried a nation-state exclusion.
Spokespeople for Sony did not respond to CyberScoop’s multiple requests for comment. Marsh declined to comment.
Sony Pictures’ chief executive Michael Lynton previously said the costs associated with the cyberattack “will be completely covered by insurance and will not mean any more cost-cutting after a few years of painful restructuring,” according to Reuters.
“I have not seen this nation-state exclusion impede the cyber market’s growth in any way. No customers I have spoken to have focused on the exclusion,” said Bernier, “the FBI, however, has focused on this exclusion and they may be the ones putting pressure on the insurance carriers to remove the exclusion for public policy reasons.”