State-backed cyber attacks are on the rise–but they are not raising the level of alarm that they should in the corporate world.
When working with companies, my team often encounters executives who say they have insurance, so everything will be alright. Or, they say they are not likely to be targeted by state-backed attackers because their company doesn’t have any political or strategic importance.
Unfortunately, this is not a productive way of thinking. Come the end of March, Lloyds will no longer cover damage from cyberattacks carried out by state or state-backed groups. In the worst cases, this reduced insurance coverage could exacerbate the trend of companies taking a passive approach toward state-backed attacks as they feel there is now really nothing they can do to protect themselves. On the flip side, this increased risk and demand from companies for coverage could push the cyber insurance sector to innovate and find ways to deal with the growing risk levels.
The uncertainty of insurance could be the motivation that companies need to begin to take the threat of state-backed attacks more seriously.
The claims process will slow as insurers reject claims, demand more information
As insurance companies grow more hesitant about risk, the average price for cyber insurance in the U.S. rose 79% in the second quarter of 2022, after more than doubling during each of the previous two quarters. At the same time, insurers are more carefully scrutinizing companies’ cyber practices, and excluding certain vulnerable technologies and attacks linked to war and conflict.
These limits will give insurers even more leverage to reject claims. For example, a court battle is ongoing following the 2017 NotPetya Russian-backed cyber attacks, in which some victims, including multinationals Mondelez International and Merck, have argued that insurers should not have rejected their claims for damage under the war exclusion because the attacks did not take place as part of what is commonly defined as war. Merck won its case and received the payout. Mondelez settled with its insurer, Zurich. But there is no doubt many more cases will end up in court.
Excluding coverage for state-backed attacks also opens the door to having to prove who the attackers actually are–something that is difficult. From my experience, most attackers aim to conceal their identities. Currently, identifying the attackers is not always part of corporate cyberattack response and efforts. Whether the burden of proof falls on the insurance company or the victim, identifying the attacker will lengthen the claims process.
Alongside deeper scrutiny and higher prices, cyber insurance providers are also embracing new ways to be able to absorb the growing risk. For example, the insurer Beazley recently announced that it would issue a $45 million catastrophe bond, which will allow it to share some of the risk with investors, and raise more capital. Such bonds are common in other types of insurance, including for property. But this approach is new in the still-young cyber insurance sector–and it is far from certain if such a method will really bring in enough money to pay out more expensive claims. It’s also unclear what type of event would meet the definition of a “catastrophe,” leaving ample room for uncertainty.
How less reliable insurance could push everyone to take threats more seriously
In December, Mario Greco, the CEO of Zurich, called cyberattacks “uninsurable”–at least in the traditional sense.
Three key things need to change as insurance becomes more expensive and less reliable.
First, all organizations need to understand that they are at risk of state-backed attacks. In my daily work, I see state-backed groups targeting ordinary companies to steal money, or to obtain data they can sell on the Dark Web. Companies need to get more serious about cyber threat intelligence and take a more proactive approach to defense. This can go a long way: if attackers are mainly after money or data they can quickly sell for money (rather than other objectives, like shutting down operations), challenges in carrying out an attack will likely cause them to move on to the next target.
Companies need to start paying attention to who is attacking them. An attack, or attempted attack, is a unique opportunity to learn about the enemy, including what methods and tools they use. In many cases, an attacker enters a network but takes no further action for weeks or months, leaving a valuable window for intelligence on the defensive side. In cases where we can find clues about who they may be, we are able to help organizations build the specific defenses they need to protect themselves.
Finally, the private sector and the government need to increase cooperation. This is even more urgent as available insurance options wane. There is progress on that front. Since last year, the White House and federal agencies overseeing cybersecurity have increased cooperation with the private sector–but it still remains limited to companies dealing with critical infrastructure and large tech companies, such as Microsoft, Amazon, and Apple.
However, governments also need to realize that not every company has the tools and resources necessary to protect against state-backed threats. More grants, training, and assistance needs to be made available, especially because the threat of state-backed attacks is no longer limited to large organizations that have strategic or political value. That happens at scale in Israel, where the National Cyber Directorate offers training and also engages in threat hunting on behalf of the private sector.
This is a matter of national security. The U.S. government could set requirements for cyber insurance that are based on the company taking reasonable steps rather than simply on who the attacker is, or offer subsidized insurance plans to qualified companies much like the U.S. Federal Emergency Management Agency offers flood insurance options to residents in at-risk areas where reasonable mitigation efforts were taken. Health insurers are also required to cover certain preexisting conditions. When it comes to natural disasters, the U.S. and other governments also step in to provide assistance that may not be offered or covered by private insurance policies.
If state-backed cyberattacks are considered a type of terrorism, there are strong precedents for the government aiding victims. In fact, the U.S. government is currently studying whether there should be a program where the government would step in to help cover losses from cyberattacks, like it does in cases of terrorism.
However, companies cannot let go of responsibility or simply blame state-backed actors for attacks as a tactic to reduce their burden of responsibility.
As the insurance industry excludes more state-linked scenarios and searches for new ways to absorb risk, it’s time to help companies defend themselves. It’s key to protecting the economy, society, and even lives from state-backed attacks.
Shmulik Yehezkel is the chief critical cyber operations officer and CISO at CYE.
The opinions expressed in Fortune.com commentary pieces are solely the views of their authors and do not necessarily reflect the opinions and beliefs of Fortune.
More must-read commentary published by Fortune:
- A soft landing is playing out—but optimism needs to be for the right reasons
- People are much less likely to trust the medical system if they are from an ethnic minority, have disabilities, or identify as LGBTQ+, according to a first-of-its-kind study by Sanofi
- The U.S. has thwarted Putin’s energy blackmail. Europe says ‘Tanks a lot!’
- Once the ‘intellectual blood banks’ of the rich and powerful, can speechwriters be replaced with ChatGPT?
Learn how to navigate and strengthen trust in your business with The Trust Factor, a weekly newsletter examining what leaders need to succeed. Sign up here.