A legal battle is being waged between a U.S. bank and its insurer over the insurer’s refusal to pay out on a cyber policy, in the wake of hacks on the bank which led to a loss of over $2.4 million. The case flags the problems of insurance in the fast-moving world of digital security.
The case relates to a pair of hacking incidents at National Bank of Blacksburg, in Va., in May 2016 and January 2017, according to security expert Brian Krebs. The initial compromises apparently followed the standard route of targeted phishing emails, leading to installation of malware on a system inside the bank’s network. Once inside, the attackers were able to remove protections on ATM withdrawals, including withdrawal limits, and a spree of ATM visits by money mules saw $569,000 cashed out.
The bank called in digital investigators and applied further protections to its systems, but a second hack took place in early 2017, removing the new security measures from the inside and enabling another spate of withdrawals, this time totalling over $1.8 million over a long weekend, according to Krebs.
When the bank turned to its insurance firm, Everest National Insurance Co., to cover the losses, they were disappointed to learn that the theft was adjudged to fall under provisions for card-related fraud, with a coverage limit of $50,000, rather than the hacking provisions where the limit was a much more appropriate $8 million. The insurer refused to budge on its offer of just $50,000 to cover the $2.4 million loss, and the two companies are now continuing their disagreement in the courts.
Insurance companies are notoriously cautious and of course make every effort to minimize payouts, relying on complex nesting of coverage and exclusions to make sure they only have to pay out when the exact requirements of a policy are met.
In the digital world, this can lead to some serious headaches, as National Bank has demonstrated. Cyber insurance is a relatively new field, and one open to all sorts of confusion and misunderstanding on both sides.
Insurers require detailed understanding of a given problem, and the potential mitigations, in order to work out the exact likelihood of an incident affecting someone they plan to insure. This is usually based on masses of historical data, and detailed analysis of potential protections. For example, analysis of police records will show how often a certain type of house in a certain area is burgled and how much is stolen, while testing data will show how much harder it is to break into a house if a certain type of window, door lock or alarm system is fitted.
In the digital world there is much less certainty. Cybercrime statisticians don’t yet have a very long history to analyze, and what little data is available is weakened by under-reporting, vagueness over the methods, longevity and efficacy of hacking attacks, and difficulties measuring the financial impact of intangible things, such as the reputational damage invariably caused by data leaks.
Measuring mitigations is also seriously difficult. The exact benefit of a cutting-edge security product or a stringent set of policies is almost impossible to measure accurately, given the constantly changing nature of the threat. To return to the burglary analogy, it’s like measuring how strong a lock or alarm system is, only to discover that crooks have found a way to pass through walls, or to teleport into a house disguised as the homeowner.
Testing in the security space tends to be much more time-dependent than other types of testing; if you test the toughness of a sheet of glass or a set of door latches, the results will remain accurate until the design or specification changes, but the detection rate of an anti-malware product varies from hour to hour, making an accurate measure of efficacy massively more expensive.
Once insurers have some reasonably usable data to base their figures on, the next hurdle is accurate description. Typically the terms of an insurance policy are couched in dense legal language, supported by expert input. Those terms then need to be properly understood by the purchaser, to ensure they are getting the coverage they expect. Only the very largest firms can afford to keep someone on hand with both the legal skills to be able to decipher the policy text, and the technical chops to relate that to the company’s specific IT infrastructure and requirements.
Spending on digital security continues to grow, with a recent U.K. survey showing the finance sector is investing the most. As the insurance market matures, if insurance firms can successfully sell cyber-specific policies with enough exclusions to avoid payouts for standard cyber threats, they certainly will. So there’s a lot of pressure on buyers to ensure their policies are actually worthwhile.
This pressure is increased by the added burdens of GDPR and other upcoming legislation, with heavy penalties for digital security and privacy failings which also need to be insured against.
On the up-side, at least the reporting requirements in GDPR et al will ensure a more useful flow of data into the cyber actuarial tables. The outcome of the National Bank v. Everest case could also have a pretty serious impact on where the burden of interpretation should lie.