Lloyds of London has told its members to exclude nation state cyber attacks from insurance policies beginning in 2023, saying they pose unacceptable levels of risk.
Hmm so where do we begin to unpack this one?
Attribution is never easy, even in the best of times. So who will decide whether an attack is a nation state or just little Timmy trying to impress his friends on the Discord channel?
Knowing how most other forms of insurance work, the burden of proof may lie on the victim to prove that the attack wasn’t a nation state attacker, which really makes it difficult.
I mean it’s one thing to say, “we were attacked by a highly sophisticated nation state”, because that kind of reduces the embarrassment of saying, “Dave forgot his laptop in the pub one night during a bender and someone used it to log on and lock the rest of us out”.
Interestingly, just last week the Register reported a story where a PC store couldn’t claim full cyber-crime insurance because it was a mere social-engineering attack and social engineering was not covered under the computer fraud agreement. The order said:
“SJ Computers did not suffer a penny of financial loss when the bad actor hit “send” on his email messages. And SJ Computers would never have suffered a penny of financial loss if the CEO had not opened those email messages, or if the CEO had asked the purchasing manager about them, or if ERI Direct had answered its phone when the CEO called, or if ERI Direct had promptly returned the voicemail message left by the CEO, or if the CEO had waited to hear from ERI Direct before paying the invoices.”
There is some more nuance to the story, and it probably was more down to not fully understanding the policy or what it covered. However, that itself highlights how the whole cyber insurance world is still in its relative infancy, so people should take great care to see what is or isn’t covered, and for what sum.