At one point or another we’ve all found ourselves at the mercy of insurance companies. Whether it’s a cancelled flight or a ‘he said, she said’ car accident, they are notorious for digging their heels in.
But can you insure against a cyberattack?
You can, but you may not get paid out, as DLA Piper are finding out…
Britain’s biggest law firm by revenue is bringing a case against Hiscox for refusing to pay out on a claim worth many millions of pounds after the law firm was hit by the Petya cyberattack.
What is Petya?
Petya is ransomware that spreads rapidly through Windows-based networks, encrypting important documents and files and then demanding a ransom, in this case $300 in Bitcoin, for a digital key which unlocks the files.
The name is a James Bond reference: in the 1995 film GoldenEye, Petya is one of the two Soviet weapon satellites carrying an atomic bomb detonated in low Earth orbit to produce an electromagnetic pulse.
What’s The Claim?
The Petya attack on DLA Piper, writes Tabby Kinder in The Times, ‘was the largest of its kind on a law firm wiping out emails and telephones for 3,600 lawyers in 40 countries for two days. The blackout meant that lawyers at the firm, which represents some of the world’s largest companies and some government departments, could not access documents and had to postpone work, including on court cases.’
It’s understood that although DLA Piper had taken out insurance to protect against a cyberattack, Hiscox is refusing to pay out, and a source close to the law firm has suggested that the insurer may be holding back because of a ‘war exclusion’ in the policy. These are clauses built into policies that protect insurance companies from having to pay out in the event of an act of war, such as an invasion or terrorism, which could naturally lead to some very expensive claims.
But a source close to Hiscox has said that the ongoing dispute is focused on the type of insurance the law firm had, and yet a third source has said that the contention has been caused by a bill presented by a disaster recovery team at PwC, drafted in by DLA Piper immediately after the attack.
No doubt the case will rumble on and on but it raises a number of overarching issues that businesses of all sizes and complexities need to be aware of.
They are as complex as they are significant. First, how can companies recover from the often catastrophic effects of a cyberattack as insurance companies seek to define – or redefine – their liabilities?
Second, an unnamed cybersecurity expert at a City law firm says that ‘Insurance policies have very specific requirements around how a company has to behave in the event of a cyberattack, which often boards forget about in a crisis situation.’
The DLA Piper – Hiscox dispute could well lead to more pressure on insurers as businesses look to strengthen their cover, with another unnamed cybersecurity expert at another City law firm saying that insurers are even looking to ‘buy back’ certain clauses from their policies amid the increased panic.
According to a report from Lloyd’s of London, cybercrime costs businesses $400 billion a year as attackers look to access information that can be exploited.
Are Boardrooms Prepared?
According to John Ludlow, Chief Executive of Airmic, a representative body promoting the interests of corporate insurance buyers and those involved in Enterprise Risk Management, ‘traditional corporate governance principles on their own are inadequate in the face of digital transformation.’
He says that while business innovation is at the same time exciting and unpredictable, the inherent risks all businesses face happen at break-neck speed and how the responses are handled can mean the difference between sustainable success and failure.
Airmic commissioned a report from the Cass Business School called, rather dramatically, Roads to Revolution, and while it was generally positive, it did warn that organisations cannot continue to manage risk as they have done in the past and expect to remain successful.
He suggests that a spotty, oily-haired teenage hacker can cause as much economic damage as a tropical storm and when you throw in the collateral damage caused by social media and a battered reputation, the challenges we face today are far, far more acute than they’ve ever been.
‘Board members need to understand that traditional resilience measures alone are insufficient in the digital age.’
Good governance is even more important in the cyberage. Put in its simplest terms, there are a whole lot of emerging risks out there that could flatten a company unless they are identified, understood and overseen.
It’s time to change the culture of risk management to actually include the risks we have, not the risks we had…