Wednesday 31st August 2022

What To Do When Your Cyber Insurance Policy Doesn’t Cover You For A Critical Attack?

Dealing with the removal of cover for catastrophic nation-state attacks will be a fresh challenge for most organisations, but probably a relief to others.


Insurers have been searching for ways to strengthen the language used in their policies, especially after a New Jersey judge last year ruled in favour of Merck & Co. deciding it was entitled to payouts from its insurers after a 2017 cyberattack. Merck had been affected by the NotPetya virus, which it said ultimately cost $1.4 billion to recover from. The company’s property and casualty insurers initially denied the claims on the basis of war exclusions. In that case, the judge said Merck couldn’t reasonably be expected to know that war exclusions would apply to such an event, essentially declaring that a common acts-of-war exclusion doesn’t cover cyberattacks.


Due to this, there is a common belief that cyber insurance cover has been somewhat mis-sold, and that in the event of a breach insurers have been more focused on proving an organisation's fault and avoiding a payout than on assisting with remediation advice and support. Part of the reason why insurers are increasingly leery of covering state-backed cyberattacks is the vast economic damage such attacks can cause.


Cyber insurance policies help minimise the financial and business damage of these hacking attempts, covering costs related to data recovery or business disruption. With Lloyd's of London suggesting that these elements are to be removed from cover from March 2023, what alternatives do organisations have?


Cyber insurance protects against detrimental cyber attacks such as phishing, malware, ransomware, and hacking. Phishing is a technique threat actors use to steal personal information via phone, text or email, often by posing as someone credible and trustworthy and asking for that information. Malware often arrives through suspicious emails, files, downloads or links; once the file has been opened, harmful software installs itself on the network and systems. This then allows threat actors to infiltrate the network and steal private data.


Ransomware infects the system and encrypts data, allowing the threat actor to hold it to ransom and demand a fee to decrypt it. Hacking is somewhat different from the others in that it can happen without any action on the part of the organisation: highly skilled threat actors can find vulnerabilities in an organisation's systems and gain unauthorised access to them.


Lloyd’s of London Ltd. has explained it will require its insurer groups globally to exclude catastrophic state-backed hacks from stand-alone cyber insurance policies starting next year. Lloyd’s is a marketplace where roughly 75 associations and groups of underwriters gather to provide insurance coverage for businesses, organisations, and individuals.


Lloyd's comment that the capability of nation-state-supported threat actors, combined with the speed and efficiency of their attacks and the effects of those attacks, can "greatly exceed what the insurance market is able to absorb" is unsurprising.


It is a common belief that managed detection and response solutions alone will save the day; ultimately, this is not the case. CVSS scores attached to CVEs must be interpreted and understood, and remediating critical alerts can be a minefield that causes confusion.


Orpheus Cyber provides not only CVSS-based risk ratings but also an assessment of an organisation's Threat Risk. We assess threat actors and provide you with the knowledge you need to take informed action within your organisation.


Third-party risk is a critical factor for organisations. At Orpheus Cyber we go beyond generic point-in-time self-assessment questionnaires to continuously identify the true cyber risk present in third parties and supply chains. NIST summarises it thus: "Supply chain threat intelligence should seek out threats to the enterprise's suppliers…The intelligence gathered enables enterprises to proactively identify and respond emanating from a supply chain."

Adversaries are always actively targeting organisations’ third parties and supply chains, which is why it has never been more important to understand, monitor and manage this vital cyber risk proactively.


The solutions Orpheus Cyber provides deliver this, and we are the only UK Government-accredited cyber threat intelligence company providing both threat intelligence and cyber risk rating services.

