A Crossroads for Cyber Insurance: Are You Really Covered?

Recently, Lloyd’s of London issued a bulletin that will require its insurer groups to separate state-backed cyberattacks from standalone cyber insurance policies. Starting in March 2023, when coverage begins or renews, Lloyd’s global syndicates must exclude attacks involving state actors in policies that protect against physical and digital damage caused by hacks.

This begs the question: If the insurance industry stops covering breaches caused by nation-states, and a significant amount of breaches are suspected to originate from this very source, where does this leave companies? Further, what if the breach source is unknown?

Most, if not all, companies secure a cyber insurance policy to spread out or defer some risk and damage from a cyber breach. Many, however, are likely to start questioning whether the cost of their now-limited insurance policies are worth it. Based on years of cyber investigative experience, I believe Lloyd’s of London’s recent decision will be a difficult one to enforce and nearly impossible to base on unclassified and verifiable data.

The question then comes down to: How do you attribute an attack to a nation-state actor? Attributing back to specific perpetrators is difficult in cyberspace, where identities can be easily disguised by using Tor routers (also known as onion routers), bot networks, and other obfuscation techniques.  

Add to this problem the use of initial access brokers, a dark web concept that I call “crowd-sourced hacking.” Here, actors can be found on various marketplaces and employed to conduct various parts of an attack piecemeal. For example, one actor can conduct the initial network access and then sell it to another actor, who moves laterally through the network and sells the access and network map to another actor, who deploys the malware or ransomware payload.

Some dark web vendors even provide a service dedicated to cultivating archives of stolen credentials, and their clients can include nation-states, organized criminal syndicates, or enterprising cybercriminals with pools of victims to compromise. The attribution waters get even muddier when you start to dive into the forensic science side of cyberspace. On any given day, leagues of different attack tools are being deployed by threat actors big and small. That’s a lot of tools to keep track of, even on the best of days, especially when some of them are used by friendly organizations looking for cyber vulnerabilities to close, not exploit.

Even if a computer involved in an attack was traced to an IP address located in a North Korean military base, for instance, it wouldn’t necessarily mean said attack had the knowledge of that government’s authorities. The device could have been compromised by hackers in other countries, as in the case of the Office of Personnel Management hack, where the Federal Bureau of Investigation (FBI) arrested a Chinese national for the attack but couldn’t attribute it to the Chinese government.  

And while the specific tactics, techniques, and procedures used by certain nation-states allow for some degree of attribution, only highly sophisticated, investigative methods employed by US law enforcement and intelligence community members such as the FBI, Central Intelligence Agency, or National Security Agency can usually detect them. However, these detection processes aren’t quick ones, sometimes taking months or years. In addition, law enforcement tactics that track such activity are classified and wouldn’t be disclosed to insurance companies seeking to make coverage decisions.

Given the gray area around attribution, there may be a reckoning around the corner for the insurance sector, especially if other providers such as Lloyd’s attempt to unburden themselves from the financial responsibility of state-sponsored attacks. In an industry all about defining, mitigating, or eliminating risk, cyber insurance must establish a clear, accepted definition of its “nation-state” risk. Otherwise, I foresee a long road of litigation ahead between providers, the insured, and the victims arguing about the identity of the attacker.

Regardless of what happens with the cyber insurance market, having a solid cyber program is important to weather any storm. That’s why enterprises should continue to focus on forging resilient environments that start with risk management. Building out from there, organizations can efficiently secure themselves from threats, no matter the origin.