Check out all the on-demand sessions from the Intelligent Security Summit here.
Data breaches aren’t cheap. With the average breach costing $4.24 million, many organizations are turning to cyber insurance to decrease the financial impact of security incidents. However, insurers are beginning to lose confidence in the ability of the insurance market to absorb the risk of an increasingly complex threat landscape.
Just last week, for example, Lloyd’s released a bulletin announcing that starting March 2023, all cyber insurance policies “must exclude liability for losses arising from any state-backed cyberattack.”
The rationale behind the decision is that nation-state attacks could expose the market to systematic risks while “losses have the potential to greatly exceed what the insurance market is able to absorb.”
If other insurance providers follow suit, enterprises won’t be able to rely on cyber insurance to protect themselves against the financial impact of data breaches caused by state-sponsored threat actors.
Intelligent Security Summit On-Demand
Learn the critical role of AI & ML in cybersecurity and industry specific case studies. Watch on-demand sessions today.
Cyber insurance can’t cover a cyberwar
Lloyd’s decision to narrow cyber insurance coverage appears to be a recognition that the threat landscape has spiraled out of control amid the Russia-Ukraine war as nation-states on both sides of the conflict innovate new threats.
As the war continues, it’s becoming increasingly clear that the impact isn’t limited to countries directly involved in the conflict, but to organizations across the globe.
New research released this week revealed that 64% of security decision-makers across the US, UK, France, Germany, Belgium, Netherlands and Australia suspect their organization has been directly targeted by a nation-state cyberattack.
With nation-state attacks on the rise and insurance coverage narrowing, enterprises will need to review their policies to ensure they’re not left exposed to financial risk.
“It’s another exclusion that enterprises will need to pay attention to in their cyber insurance policy, part of a trend of continued tightening of coverage and affirmative language about what is covered (and not covered),” said Forrester principal analyst Heidi Shey.
“One of the requirements of Lloyd’s decision is that all key terms are clearly defined. It will be interesting to see how and what insurers will consider as attribution for a nation-state attack. The time lapse between an attack and attribution (if feasible) to a nation-state is an issue,” Shey said.
Is attributing nation-state attacks practical for insurers?
Even though Lloyd’s intends to eliminate coverage of nation-state attacks, many commentators believe this policy is unenforceable, as the provider will have to prove that a cyberattack was authorized by a particular state.
“Based on their bulletin, it would require the attacked company to declare it a nation-state event, which would not work very well. It begs the following questions — at what point is it a nation-state directly attacking the covered organization, and who makes that determination?” said David Lindner, CISO at Contrast Security.
Attributing these attacks is also difficult, particularly when attackers go out of their way to disguise their identities.
“Attributing attacks to specific perpetrators on a good day is difficult in cyberspace, where identities can be easily disguised by using TOR routers, bot networks and other obfuscation techniques,” said James Turgal, VP of cyber risk, strategy and board relations at Optiv.
Turgal says that there is an underground marketplace of initial access brokers (IABs) that nation-states can call on to execute any segment of a cyberattack, from the initial intrusion to establishing lateral movement in a network.
“While there are tactics, techniques and procedures (TTPs) used by certain nation-states that allow for some degree of attribution, only highly sophisticated, investigative techniques employed by U.S. law enforcement and intelligence community members like the FBI, CIA, or NSA can usually detect such specific TTPs,” Turgal said.
These techniques are also highly classified and are unlikely to be shared with an insurance company to make policy decisions.
Don’t rely on policy ambiguity, but data protection
From a risk management perspective, organizations can’t afford to rely on cyber policies in this realm being unenforceable.
After all, the ambiguity over what constitutes a state-sponsored attack can cut both ways, particularly if an insurance provider and an organization disagree over whether an attack was authorized by a particular government.
The only way to ensure protection against these types of threats is to prioritize data security, while implementing zero-trust access to ensure that threat actors can’t get access to mission-critical data.
“Organizations must mitigate cyber-risks through constant backups to ensure data can be restored, and also utilize proven data-centric security to foil the attack itself,” said cybersecurity expert and data security specialist at comforte AG, Erfan Shadabi.
Lindner also recommends that organizations implement data redundancies, including backup and archiving to ensure that data is recoverable if it’s compromised, alongside implementing a data management framework and developing a security awareness training program for new and existing employees.
VentureBeat's mission is to be a digital town square for technical decision-makers to gain knowledge about transformative enterprise technology and transact. Discover our Briefings.