State-sponsored cyberattacks are on the increase, but they don’t raise the level of alarm that they should in the corporate world.
When I work with companies, my team often encounters executives who say they have insurance, so everything will be fine. Or, they say they are not likely to be targeted by state-backed attackers because their business is of no political or strategic importance.
Unfortunately, that’s not a productive way to think. Starting at the end of March, Lloyd’s will no longer cover damage caused by cyberattacks carried out by states or state-supported groups. In the worst-case scenario, this reduced insurance coverage could exacerbate the tendency for companies to take a passive approach to state-sponsored attacks because they believe there is nothing more they can do to protect themselves. On the other hand, this increased risk and the demand for coverage from companies could push the cyberinsurance industry to innovate and find ways to deal with the increasing levels of risk.
Insurance uncertainty could be the motivation companies need to start taking the threat of state-sponsored attacks more seriously.
Claims process will slow as insurers reject claims and demand more information
As insurance companies grow more risk averse, the average price of cyber insurance in the U.S. rose 79% in the second quarter of 2022, after more than doubling in each of the previous two quarters. At the same time, insurers are scrutinizing corporate cyber practices more closely and excluding certain vulnerable technologies, as well as attacks related to war and conflict, from coverage.
These limits will give insurers even more leverage to reject claims. For example, a legal battle is underway following the 2017 NotPetya cyberattacks backed by Russia, in which some victims, including the multinationals Mondelez International and Merck, argued that insurers should not have dismissed their claims for damages under the war exclusion because the attacks did not take place in the framework of what is commonly defined as a war. Merck won its case and received payment. Mondelez settled with its insurer, Zurich. But no doubt many more cases will end up in court.
Excluding coverage of state-sponsored attacks also opens the door to having to prove who the attackers really are, which is difficult. In my experience, most attackers seek to conceal their identity. Currently, identifying attackers is not always part of a company’s response efforts after a cyberattack. Whether the burden of proof is on the insurance company or the victim, identifying the perpetrator will lengthen the claims process.
Along with greater scrutiny and higher prices, cyberinsurance providers are also adopting new ways to absorb the growing risk. For example, the insurer Beazley recently announced that it would issue a $45 million catastrophe bond, which will allow it to share some of the risk with investors and raise more capital. Such bonds are common in other types of insurance, including property insurance. But this approach is new to the still-young cyberinsurance industry, and it’s far from certain that such a method will bring in enough money to pay increasingly expensive claims. It is also difficult to know what type of event would meet the definition of a “catastrophe”, leaving much room for uncertainty.
How Less Reliable Insurance Could Make Everyone Take Threats More Seriously
In December, Mario Greco, the CEO of Zurich, called cyberattacks “not insurable, at least in the traditional sense.”
Three key things need to change as insurance becomes more expensive and less reliable.
First, all organizations must understand that they are at risk of state-sponsored attacks. In my daily work, I see state-backed groups targeting mainstream businesses to steal money or to obtain data they can sell on the Dark Web. Businesses need to take cyber threat intelligence more seriously and take a more proactive approach to defense. This can go a long way: if attackers are primarily looking for money or data that they can quickly sell for cash (rather than pursuing other goals, such as shutting down operations), difficulties in conducting an attack will likely move them on to the next target.
Second, businesses need to start paying attention to who is attacking them. An attack, or attempted attack, is a unique opportunity to learn more about the adversary, including the methods and tools they are using. In many cases, an attacker enters a network but takes no further action for weeks or months, leaving a valuable window for intelligence gathering on the defensive side. In cases where we can find clues to who they may be, we are able to help organizations build the specific defenses they need to protect themselves.
Finally, the private sector and the government must strengthen their cooperation. This is all the more urgent as the available insurance options dwindle. There is progress on this front. Since last year, the White House and the federal agencies that oversee cybersecurity have increased cooperation with the private sector, but it is still limited to companies dealing with critical infrastructure and large technology companies, such as Microsoft, Amazon and Apple.
However, governments must also realize that not all businesses have the tools and resources to protect against state-sponsored threats. More grants, training and assistance must be made available, particularly because the threat of state-sponsored attacks is no longer limited to large organizations that have strategic or political value. This is happening on a large scale in Israel, where the National Cyber Directorate offers training and also engages in threat hunting on behalf of the private sector.
It is a matter of national security. The U.S. government could set cyber insurance requirements based on whether the company has taken reasonable steps rather than just on the identity of the attacker, or offer subsidized insurance plans to qualified companies, just as the U.S. Federal Emergency Management Agency provides flood insurance options to residents of at-risk areas where reasonable mitigation efforts have been made. Health insurers are also required to cover certain pre-existing conditions. When it comes to natural disasters, the United States and other governments also step in to provide assistance that may not be available or covered by private insurance policies.
If state-sponsored cyberattacks are considered a type of terrorism, there are strong precedents for the government helping victims. In fact, the U.S. government is currently studying whether there should be a program under which the government would step in to help cover losses from cyberattacks, as it does in cases of terrorism.
However, companies cannot abdicate responsibility or simply blame state-backed actors for attacks as a tactic to reduce their liability burden.
As the insurance industry rules out more state-related scenarios and looks for new ways to absorb risk, it’s time to help businesses defend themselves. This is essential to protect the economy, society and even lives from state-sponsored attacks.
Shmulik Yehezkel is the Head of Critical Cyber Operations and CISO at CYE.
The opinions expressed in Fortune.com comments are solely the opinions of their authors and do not necessarily reflect the opinions and beliefs of Fortune.