Cyber Insurance and the Terrorism Exclusion...
"The scale and danger of the problem largely depend upon what we define as “cyber terrorism”; the phrase ‘one man’s cyber terrorist is another man’s hacktivist’ is just as valid an adage as its hackneyed forerunner.
For instance, it is believed that the US Government has classed groups such as Lulzsec and Anonymous as terrorist organisations, a decision that many lay observers would find bizarre.
Insurance definitions are even broader. Here is a standard London Market definition of a terrorist act:
Act(s), including but not limited to the use of force or violence and/or the threat thereof, of any person or group(s) of persons, whether acting alone or on behalf of or in connection with any organisation(s) committed for political, religious, ideological or similar purposes including the intention to influence any government and/or to put the public, or any section of the public, in fear.
If we accept such a broad definition of cyber terrorism then its prevalence is indisputable. The news has been awash with reports on the activities of Anonymous, the disparate hacking collective whose distinctive Guy Fawkes masks became a symbol of the “Occupy” protests, and Lulzsec, a group of hard-core hackers loosely affiliated with Anonymous. Of all the stories that have emerged about the two groups, it is arguably Anonymous’ DDoS attacks on two customer payment companies which have garnered the most attention.
The attacks were instigated in response to both companies’ decision to withdraw services from Wikileaks, and were largely successful in taking the two websites offline. They also conform to our industry’s definition of “terrorism” fairly neatly, in that they were explicitly political in their aim.
Less straightforward is Lulzsec’s June 2011 attack on a media production and distribution company, in which the names, birth dates, email addresses, phone numbers and passwords of thousands of competition entrants were leaked online. Lulzsec claimed to have carried out the attack “just for the Lulz”. It would seem that the company had left the latch off the back door and in doing so allowed Lulzsec to carry out the attack with a relatively straightforward SQL injection. The motivation for the attack was unclear, with some supposed members of the group stating it was motivated by a desire to highlight the weakness of the company’s security, and other members saying it was done purely for the fun of it.
Attacks such as this, where defining motive may be difficult, even impossible, might well fall outside of a terrorism exclusion, whereas less damaging but more explicitly political actions would not. Either way, the position is unclear. This kind of inconsistency may well be damaging for the market as a whole. Many smaller insureds would expect that attacks carried out by Anonymous and other such groups would be covered under their cyber insurance policy, and would be bemused by such a claim being rejected on the basis of a terrorism exclusion.
Clearing up these inconsistencies is particularly important in view of the most recent Verizon Annual Data Breach Report, which found that Hacktivists (or cyber terrorists) were responsible for 58% of stolen data. Attention grabbing figures such as this should focus the mind of any insurance professional.
If “cyber terrorism”, as it is defined under most wordings, is responsible for such a large proportion of stolen personal information, then it is important to know how your policy is going to respond. This hasn’t always been clear, as at least a couple of insurers listed the aforementioned media breach in their marketing material whilst potentially excluding claims related to such an incident in their wordings. Across the market in general it is still common to exclude such incidents, with 78% of the 14 UK market wordings we surveyed a few months ago containing broad terrorism exclusions (Optional Carve-back Endorsements may be available subject to terms)."
"Terrorism exclusions, such as the one cited, are often lifted directly from tried and tested property & casualty policies. The problem is that in doing so they also exclude claims which are arguably more akin to civil disobedience than out-and-out terrorism. The cyber weapons used by Lulzsec and Anonymous have so far been fairly primitive, more akin to rioting and “sit-ins” than bombs. We have only seen advanced cyber-weaponry, weaponry capable of wreaking physical devastation and not just leaking passwords, in the hands of state-affiliated actors.
You might also like ...
(reproduced from Dark Reading) - Ericka Chickowski, Contributing Writer
Special insurance may offer value, but to get it you'll need to avoid common exclusions and stop trying to use a breach policy as a substitute for solid data security practices
As an increasing number of businesses are starting to look at cyber breach insurance as a tool to mitigate the risks of data breaches, IT security pros need to be prepared to help their organizations avoid the hazards of choosing a policy that may not pay out when the worst occurs.
Chief among the biggest pitfalls? Trying to use insurance as a financial replacement for investment in sound protection of databases and other data security infrastructure.