Force Majeure - insurance for cyber-warfare?
Relying on cyber-insurance when your defences are actually negligent will increasingly become unsustainable - and unavailable - says Philip Lieberman.
As we look back on the cyber-attacks of 2014, one of the recurring themes presented by so-called security experts and the CEOs of hacked companies was that there was no way they could have expected or prevented the consequences of the attacks that hit them. In legal parlance, the concept of reasonably unexpected and unstoppable events that disrupt a business and its contracts is called force majeure.
In most of the cyber-attack cases, the prevailing public response has been that the attacks were so complex and overwhelming that no reasonable care could have been taken to protect against them. Consistent with that position, many of the hacked companies had, prior to the attacks, purchased cyber-warfare insurance and then proceeded to cut IT investment in security, on the theory that there was no point spending money on something that does not work and for which you can be insured (the force majeure theory).
From our perspective, the attacks we saw in 2014 were completely predictable and survivable with minimal consequences. There was and is nothing new about the methods used in 2014 to attack target companies. We saw a mixture of malware, phishing attacks and the use of zero-day exploits to gain ownership over the targeted environments.
The following actions would have mitigated most of the reported issues: use of appropriate air-gaps in the design of IT, proper network design, segregated data and identity management, encryption, and backup/recovery systems. In effect, no one was looking for the attackers and no one was creating an environment to survive the attacks.
The common theme behind the success of the 2014 attacks was the total lack of preparedness for them, as well as the lack of visibility into IT governance at the company leadership level. This lack of visibility could be laid at the feet of the auditors responsible for reporting on, and recommending appropriate actions to mitigate, clearly obvious risk.
IT auditors: blind or pragmatic?
The suggestion to senior management that their IT risks could be mitigated by insurance rather than by the appropriate reworking of their technology and processes could and should be punishable as professional malpractice and malfeasance. The auditor community has first-hand familiarity with the consequences of these types of attacks as well as with the proper mitigations, all of which are codified in standards such as ISO 27001.
On the other hand, IT auditors are driven by the data provided to them by their IT operations manager clients. One of the sad truths about IT these days is that the data sets required by auditors and regulators are incomplete or non-existent. With this fact in hand, auditors are faced with the Faustian choice of not signing off on an audit report (which will never be completed because the data does not exist), or turning a blind eye to the obvious problem of non-existent security and the lack of visibility into IT governance.
The recent lawsuits against many of the companies for wilful negligence in the protection of personally identifiable information (PII) will prove this last point and confirm the fallacy of a force majeure defence argument.
We also believe that cyber-security insurance will be hard to come by in 2015. Insurers will come to understand that the risk transferred to them virtually guarantees a payable loss claim, due to the negligence of their customers. Insurers never properly accounted for this type of client behaviour when they originally wrote their policies.
The way forward
It is clear that the entire nature of governance, risk and compliance (GRC) needs to be reworked to provide appropriate guidance to the CEO and board of directors as it relates to cyber-security and cyber-defence.
In the US, President Obama made it clear, as part of his briefings and State of the Nation speech, that the attacks seen are predictable and defensible. Those that chose to buy insurance rather than fix their poor security will most likely see legislation this year punishing this behaviour.
We have learned a lot from the intrusions last year and will use that information to produce better solutions. We will improve our integrations with others in the GRC space to help IT, auditors and senior management protect themselves from the ever-present onslaught of cyber-attackers.
Contributed by Philip Lieberman, president & CEO, Lieberman Software