Organizations should be prepared to read the fine print when negotiating cyber insurance policies amid heightened tensions between the US and Russia, and in light of a recent court ruling on a case with a familiar ring, according to incident response professionals.
“They’re going to become more careful about what they put in [the policy],” Mark Lance, senior director of cyber defense for GuidePoint Security, told Nextgov. “You have to make sure the right things are in there.”
Lance was reacting to a January 13 decision by the Superior Court of New Jersey in favor of the pharmaceutical company Merck. Merck’s insurance company had refused to cover damage after the June 2017 NotPetya attack. The attack, attributed to Russia’s Main Intelligence Directorate, initially targeted facilities in Ukraine. Ace American, the insurance company, argued it shouldn’t have to pay because the attack qualified as a war. The court disagreed, saying Ace American failed to provide sufficient “notice” of the intended exclusion.
Now, as the Russians and Ukrainians clash again over the latter’s autonomy, observers fear that such “overreaching” attacks could spread through the global supply chain, and that Russia and other state-sponsored actors have already established a presence in US critical infrastructure networks after attacks like the one against IT management company SolarWinds.
Lance and Tony Cook, head of threat intelligence, digital forensics and incident response at GuidePoint, expect insurance companies to scrutinize and rewrite contracts with a fine-toothed comb. And potential policyholders should follow suit, they said, noting many small pitfalls that can be overlooked and leave organizations dry.
“You try to make good decisions about what’s going on, and then you find out that your insurance basically has no negotiation or brokerage or payout or part of it,” Cook told Nextgov.
Policyholders can have a policy up to $5 million, but are only covered for specific aspects of a breach response. Coverage can be categorized into many different smaller packages. An insurer may pay for service restoration, or external advice or public relations management, but not a ransom itself, for example.
“So have someone in the room who can actually understand some of the verbiage because a lot of these people – although I won’t say they’re selling snake oil – they’re definitely trying to get you to buy something with the least amount of money they will have to pay,” Cook said.
Lance said it will be important for organizations to be able to assert that not all incidents resulting from a supply chain attack attributed to a nation-state actor are automatically tied to the same adversary.
“SolarWinds is an example,” he said. “Once the code was entered into the back-end and into their software, which was then sent out to all the different clients, it could have been exploited by anyone at that time. That doesn’t mean it’s always been, you know, the Russians or the Chinese.”