Lloyds refuses to cover nation-state attacks: What it means to the enterprise

août 25, 2022 Par admin 0
Lloyds refuses to cover nation-state attacks: What it means to the enterprise

Image Credit: urbazon // Getty Images

Were you unable to attend Transform 2022? Check out all of the summit sessions in our on-demand library now! Watch here.


Data breaches aren’t cheap. With the average breach costing $4.24 million, many organizations are turning to cyber insurance to decrease the financial impact of security incidents. However, insurers are beginning to lose confidence in the ability of the insurance market to absorb the risk of an increasingly complex threat landscape.  

Just last week, for example, Lloyds released a bulletin announcing that starting March 2023, all cyber insurance policies “must exclude liability for losses arising from any state-backed cyberattack.” 

The rationale behind the decision is that nation-state attacks could expose the market to systematic risks while “losses have the potential to greatly exceed what the insurance market is able to absorb.” 

If other insurance providers follow suit, enterprises won’t be able to rely on cyber insurance to protect themselves against the financial impact of data breaches caused by state-sponsored threat actors. 

Event

MetaBeat 2022

MetaBeat will bring together thought leaders to give guidance on how metaverse technology will transform the way all industries communicate and do business on October 4 in San Francisco, CA.

Register Here

Cyber insurance can’t cover a cyber war 

Lloyds decision to narrow cyber insurance coverage appears to be a recognition that the threat landscape has spiraled out of control amid the Russia-Ukraine war as nation states on both sides of the conflict innovate new threats. 

As the war continues, it becomes increasingly clear that the impact isn’t limited to countries directly involved in the conflict, but to organizations across the globe. 

New research released this week revealed that 64% of security decision-makers across the US, UK, France, Germany, Belgium, Netherlands and Australia suspect their organization has been directly targeted by a nation-state cyber attack. 

With nation-state attacks on the rise and insurance coverage narrowing, enterprises will need to review their policies to ensure they’re not left exposed to financial risk. 

“It’s another exclusion that enterprises will need to pay attention to in their cyber insurance policy, part of a trend of continued tightening of coverage and affirmative language about what is covered (and not covered).,” said Forrester principal analyst Heidi Shey. 

“One of the requirements of Lloyds decision is that all key terms are clearly defined. It will be interesting to see how and what insurers will consider as attribution for a nation-state attack. The time lapse between an attack and attribution (if feasible) to a nation-state is an issue,” Shey said. 

Is attributing nation-state attacks practical for insurers? 

Even though Lloyds intends to eliminate coverage of nation-state attacks, many commentators believe this policy is unenforceable, as the provider will have to prove that a cyber attack was authorized by a particular state. 

“Based on their bulletin, it would require the attacked company to declare it a nation state event which would not work very well. It begs the following questions — at what point is it a nation state directly attacking the covered organization, and who makes that determination?” said CISO at Contrast Security, David Lindner.

Attributing these attacks is also difficult, particularly when attackers go out of their way to disguise their identities.  

“Attributing attacks to specific perpetrators on a good day is difficult in cyberspace, where identities can be easily disguised by using TOR routers, Bot networks and other obfuscation techniques,” said VP of Cyber Risk, Strategy and Board Relations at Optiv, James Turgal. 

Turgal says that there is an underground marketplace of Initial Access Brokers (IABs) which nation-states can call on to execute any segment of a cyber attack, from the initial intrusion to establishing lateral movement in a network. 

“While there are tactics, techniques and procedures (TTPS) used by certain Nation States that allow for some degree of attribution, only highly sophisticated, investigative techniques employed by U.S. law enforcement and intelligence community members like the FBI, CIA, or NSA can usually detect such specific TTPs,” Turgal said. 

These techniques are also highly classified and are unlikely to be shared with an insurance company to make policy decisions. 

Don’t rely on policy ambiguity, but data protection 

From a risk management perspective, organizations can’t afford to rely on cyber policies in this realm being unenforceable. 

After all, the ambiguity over what constitutes a state-sponsored attack can cut both ways, particularly if an insurance provider and an organization disagree over whether an attack was authorized by a particular government.

The only way to ensure protection against these types of threats is to prioritize data security, while implementing zero-trust access to ensure that threat actors can’t get access to mission-critical data. 

“Organizations must mitigate cyber risks through constant backup to ensure data can be restored,  and also utilize proven data-centric security to foil the attack itself,” said Cybersecurity expert and data security specialist at comforte AG, Erfan Shadabi. 

Linder also recommends that organizations implement data redundancies, including backup and archiving to ensure that data is recoverable if it’s compromised, alongside implementing a data management framework and developing a security awareness training program for new and existing employees.

VentureBeat’s mission is to be a digital town square for technical decision-makers to gain knowledge about transformative enterprise technology and transact. Learn more about membership.