Cyber Insurance and the Terrorism Exclusion...

Cyber Insurance and terrorism: thoughts from Liberty Specialty Markets on cyber insurance and the connections with terrorism.

"The scale and danger of the problem largely depend upon what we define as “cyber terrorism”; the phrase ‘one man’s cyber terrorist is another man’s hacktivist’ is just as valid an adage as its hackneyed forerunner.

For instance, it is believed that the US Government has classed groups such as Lulzsec and Anonymous as terrorist organisations, a decision that many lay observers would find bizarre.

Insurance definitions are even broader. Here is a standard London Market definition of a terrorist act:

Act(s), including but not limited to the use of force or violence and/or the threat thereof, of any person or group(s) of persons, whether acting alone or on behalf of or in connection with any organisation(s) committed for political, religious, ideological or similar purposes including the intention to influence any government and/or to put the public, or any section of the public, in fear.

If we accept such a broad definition of cyber terrorism then its prevalence is indisputable. The news has been awash with reports on the activities of Anonymous, the disparate hacking collective whose distinctive Guy Fawkes masks became a symbol of the “Occupy” protests; and Lulzsec, a group of hard-core hackers loosely affiliated with Anonymous. Of all the stories that have emerged about the two groups it is arguably Anonymous’ DDOS attacks on two customer payment companies which have garnered the most attention.

The attacks were instigated in response to both companies’ decision to withdraw services from Wikileaks, and were largely successful in taking the two websites offline. They also conform to our industry’s definition of “terrorism” fairly neatly, in that they were explicitly political in their aim.

Less straightforward is Lulzsec’s June 2011 attack on a media production and distribution company in which the names, birth dates, email addresses, phone numbers and passwords of thousands of competition entrants were leaked online. Lulzsec claimed to have carried out the attack “just for the Lulz”. It would seem that the company had left the latch off the back door and in doing so allowed Lulzsec to carry out the attack with a relatively straightforward SQL injection. The motivation for the attack was unclear, with some supposed members of the group stating it was motivated by a desire to highlight the weakness of the company’s security, and other members saying it was done purely for the fun of it.

Attacks such as this, where defining motive may be difficult, even impossible, might well fall outside of a terrorism exclusion; whereas less damaging but more explicitly political actions would not. Regardless, it's not clear. This kind of inconsistency may well be damaging for the market as a whole. Many smaller insureds would expect that attacks carried out by Anonymous and other such groups would be covered under their cyber insurance policy and would be bemused by such a claim being rejected on the basis of a terrorism exclusion.

Clearing up these inconsistencies is particularly important in view of the most recent Verizon Annual Data Breach Report, which found that Hacktivists (or cyber terrorists) were responsible for 58% of stolen data. Attention grabbing figures such as this should focus the mind of any insurance professional.

If “cyber terrorism”, as it is defined under most wordings, is responsible for such a large proportion of stolen personal information then it is important to know how your policy is going to respond. This hasn’t always been the case, as at least a couple of insurers listed the aforementioned media breach in their marketing material whilst potentially excluding claims related to such an incident in their wordings. Across the market in general it is still common to exclude such incidents, with 78% of the 14 UK market wordings we surveyed a few months ago containing broad terrorism exclusions (Optional Carve-back Endorsements may be available subject to terms)."

"Terrorism exclusions, such as the one cited, are often lifted directly from tried and tested property & casualty policies. The problem is that in doing so they also exclude claims which are arguably more akin to civil disobedience than out and out terrorism. The cyber weapons used by Lulzsec and Anonymous have so far been fairly primitive, more akin to rioting and “Sit-ins” than bombs. We have only seen advanced cyber-weaponry, weaponry capable of wreaking physical devastation not just leaking passwords, in the hands of state affiliated actors.

There are of course problems with trying to underwrite “hacktivist” risks: firstly, it is almost impossible to establish a pattern to the type of organisations that are vulnerable, and secondly, DDOS attacks, which are favoured by groups such as Anonymous, are hard to mitigate without substantial expenditure. Overcoming these problems, however, will become easier as the industry aggregates more data and security measures improve.

So what of “real” cyber-terrorism then? Is it a risk that underwriters should take seriously, despite the lack of actual incidents? The emergence of cyber weapons such as Stuxnet and Flame suggests underwriters should still be very wary of a large scale cyber-attack carried out by a determined and technologically adept terrorist. Stuxnet, a worm believed to have been developed originally by Israel and the USA, was designed to disrupt Iran’s nuclear facilities by modifying their supervisory control and data acquisition systems (SCADA). It is thought that its sophistication allowed it to operate undetected for enough time to set back Iran’s nuclear programme a number of weeks.

Worryingly, copies of Stuxnet have found their way onto internet file sharing sites from which they can be downloaded and modified by anyone with the necessary expertise. Stuxnet’s underlying code is a missile to which different warheads could conceivably be attached, perhaps with the intention of causing disruption or even death. Also, if effectively harnessed, the exploits contained in state-backed cyber weapons could be used to create a self-replicating virus capable of infecting millions of machines very quickly, potentially causing huge disruption for individuals and businesses, as well as serious aggregation problems for the market.

In conclusion, cyber terrorism isn’t the bogeyman, but a real, even imminent, threat that affects businesses and governments globally. Cyber terrorism is often conducted quietly and persistently in teenagers’ bedrooms or internet cafés, outside of the public gaze. It is combated by legions of security professionals working in government agencies like the UK’s GCHQ, who work daily analysing thousands of terabytes of data, to stem attacks before they occur. The secrecy in which both these elements work may well lead us to underestimate the scale of the threat. However, to do so would be an egregious error. Iain Lobban, the director of GCHQ, stated recently that the level of attacks UK businesses receive (not just from cyber terrorism but other agents) is growing exponentially, and that 80% of such attacks could be prevented by baseline security measures."