November 3, 2016
Today’s nascent cyber insurance industry is largely unprepared to cover the type of damage that can be caused by the world’s best hackers. And the industry isn’t hiding it.
Though no two insurance plans tend to be quite the same, a rare commonality exists among the vast majority of current cyber insurance offerings: the policies exclude coverage when nation-state hackers are involved.
“I reviewed 14 plans, which was the number I could find publicly available online. In those plans, 100 percent explicitly exclude acts of war and ‘warlike operations.’ Many of them also exclude acts of broadly defined foreign enemies, government actors and terrorism,” Robert Morgus, a policy analyst in New America’s international security program, told CyberScoop. Morgus recently completed a comprehensive research report focused on the cyber insurance market.
The stipulation raises questions about who is responsible for attributing a specific data breach during the processing of an insurance claim, how that attribution is made — and whether accurate attribution is possible in the first place. If attribution were contested and no clause for resolution had been written into the policy, the case would go to court for settlement, cybersecurity insurance experts tell CyberScoop.
Generally speaking, liability exclusion details are difficult to study because most cyber insurance contracts are confidential in nature, said Morgus. Legal experts say there has yet to be a case in which an insurance company or a breach victim has specifically challenged the attribution of an attack in court.
“It would be fair to say that a majority of currently available policies do exclude attacks attributable to a nation state or international crime syndicate,” said ECMB insurance broker Charlie Bernier, “[but] I never say anything is 100 percent … I can think of at least one policy off the top of my head that does not have an exclusion if/when an attack comes from” this vector.