Amid heightened tensions between the U.S. and Russia, organizations should prepare to read the fine print when negotiating cyber insurance policies, incident response professionals say, pointing to a recent court decision on a déjà vu-invoking case.
“They’re going to become more cautious about what they’re putting in [the policy],” Mark Lance, senior director of cyber defense for GuidePoint Security, told Nextgov. “You’ve got to make sure the right things are in it.”
Lance was reacting to a Jan. 13 ruling by the Superior Court of New Jersey in favor of the pharmaceutical company Merck. Merck’s insurer had denied coverage for damages from the NotPetya attack of June 2017. That attack, attributed to Russia’s Main Intelligence Directorate (GRU), initially targeted facilities in Ukraine before spreading worldwide. Ace American, the insurer, argued it shouldn’t have to pay because the attack fell under the policy’s war exclusion. The court disagreed, finding that Ace American had not given sufficient “notice” that the exclusion was intended to apply to such an attack.
Now, as Russia and Ukraine again clash over the latter’s autonomy, observers fear that such “spillover” attacks could once more make their way across the global supply chain, and that Russia and other state-sponsored actors may already have a presence in U.S. critical infrastructure networks following intrusions like the one at IT management firm SolarWinds.
Lance and Tony Cook, GuidePoint’s head of threat intelligence and digital forensics and incident response, expect insurers to review and rewrite contracts with a fine-tooth comb. Prospective policyholders should do the same, they said, noting the many small pitfalls that are easy to overlook and can leave organizations high and dry.
“You’re trying to make good decisions on what is happening, and then you find out that your insurance basically doesn’t have any negotiation or brokerage or payment or any portion of it,” Cook told Nextgov.
A policyholder may hold a policy with a limit of up to $5 million yet be covered for only particular aspects of a breach response, because coverage is typically split into many separate components, each with its own terms. An insurer might pay for restoration of services, outside counsel or public relations management, for example, but not the ransom itself.
“So, have somebody in the room that can actually understand some of the verbiage there because a lot of these people—while I won’t say they’re selling snake oil—they’re definitely trying to get you to buy something with the least amount of money that they’re gonna have to pay,” Cook said.
Lance said it will be important for organizations to be able to argue that an incident stemming from a supply chain attack attributed to a nation-state actor is not automatically the work of that same adversary, since other actors can exploit the same foothold once it exists.
“SolarWinds is an example,” he said. “Once the code was entered into the back end and into their software, which was then pushed out to all of the different clients, it could have been leveraged by anybody at that point in time. It doesn’t mean that it was always, you know, the Russians or the Chinese.”