The impact and costs of a cyberattack can be substantial, perhaps even fatal to a business. Given this potentially catastrophic possibility, it seems like a good idea to get an insurance for cyber risk. After all, we insure our buildings against fires. We insure ourselves and employees against damaging other people’s property, and so on. Following this logic, many companies have purchased cyber insurance. But how well does this coverage actually protect?
Not well, if you ask the companies who suffered losses in 2017 due to the NotPetya cyberattacks and are now discovering that their cyber insurance won’t cover it. The insurance company is making the novel argument that since the attack has been pinned on Russia, it is really an act of (cyber) war, and therefore excluded from insurance coverage. (For additional reading on this topic, we recommend this New York Times article: https://www.nytimes.com/2019/04/15/technology/cyberinsurance-notpetya-attack.html )
Insurance works under the assumption that the probability of an event can be accurately estimated. We have good data for how likely buildings of a certain material are to catch fire and what damage to expect (except for the Notre-Dame cathedral in Paris maybe). None of these metrics exist for cyber security. While many insurance and audit firms have developed checklists and questionnaires, it is possible to meet all requirements on paper and still be vulnerable. Following the letter of the law typically does very little to actually improve cyber security. We have seen expensive and meticulously documented efforts to meet a security checklist requirement, while everyone implementing the solution was perfectly aware that it had no useful effect. Therefore, insurance companies underwrite a risk of unknown magnitude when issuing cyber insurance.
The other fundamental assumption behind insurance is that bad events are typically independent of each other. If bad events are dependent (e.g. in the case of a hurricane), insurance companies usually rely on the government to cover the risk. However, cyberattacks are typically not independent because they exploit vulnerabilities shared by many computers and companies. If one company is breached by an attack, there is often a good chance this attack will also succeed against many other companies at the same time (like NotPetya).
Therefore, insurance companies issuing cyber insurance underwrite dependent adverse events of unknown likelihood. Unsurprisingly, the only way to make this work is to hope for the best, pay the small claims, and find ways to not cover large events, as we see in the NotPetya example.
The only successful way to manage cyber risk for a company is to understand its current systems and dependencies, and work on improving its systems. Cyber insurance is at best a last backstop, but it cannot be a main line of defense to protect one’s business against cyber risks.