Lloyd’s makes the first move
In August 2022, the insurance behemoth Lloyd’s of London announced that from next spring, it would no longer cover losses from nation-state cyber attacks. In a memo to its 76 insurance syndicates, it explained that although it is “strongly supportive” of cyber attack coverage, the risk from nation-state sponsored attacks is too great and too costly.
Tony Chaudhry, underwriting director at Lloyd’s, stated that all cyber attack policies will include a ‘suitable clause excluding liability for losses arising from any state-backed cyber attack.’ This will come into effect from the 31st March 2023 at the inception or renewal of each policy. Policies must also set out a robust basis on which they can attribute nation-state attacks, and therein lies the issue.
Who can really PROVE attribution?
Attribution of an attack has always been a contentious issue, but with insurance brokers now deciding not to cover nation-state attacks, the stakes just got raised in a big way. When your insurance, your final safety net, appears to have some gaping holes, what do you do?
Attribution is incredibly difficult due to the inherent nature and structure of the cyber underground, and it can always be argued that nobody can be certain of attribution given the complexities and increased blurring of lines. In the past, attacks were attributed to nation-states based on their complexity and sophistication. However, with the increasing ability of independent threat actors and the prevalence of ‘hack-for-hire’ operators and volunteer hacktivists aligned with certain governments, who can definitively prove where an attack originated?
Now it’s your turn
With attribution being so critical yet undeterminable, what can you as an organization do to combat this issue? Change insurers? Possibly. However, with the likes of Lloyd’s setting a precedent, there is no doubt others will quickly follow suit.
The ideal situation is to avoid requiring this ‘sub-par’ safety net. Insurance has always been the last line of defense and rather than facing your insurance broker in a court of law one day, arguing about attribution, why not start to think proactively? Organizations need to take this opportunity for some self-reflection. Ensuring that your own systems are as robust as possible, having a good understanding of the threat landscape and equipping your defense teams with the best tools, techniques and procedures to mitigate cyber threats is the best response. Whilst no system can ever be bulletproof, organizations with substantial Cyber Threat Intelligence stand the best chance of avoiding or surviving attacks.
More than just cast doubt
Intel 471 has an unparalleled knowledge of the cyber underground and our inimitable ‘boots on the ground’ model means we have global coverage at a local level. Let’s assume you are attacked and your insurer decides the attack can be attributed to a nation-state. It’s true, with our expertise we can certainly cast a lot of doubt on such a claim, but is the primary objective to prolong and complicate a court battle?
Instead, by understanding the threat landscape, your organization can quickly identify the most relevant scenarios in which an attack can be attributed to a nation-state and those in which it cannot. Such attribution increases your risk, because you then know that your cyber insurance cannot protect you. You can then proactively implement additional preventative, detective or corrective countermeasures to reduce this risk. The same applies to a better knowledge of threat actors and their tools, techniques and procedures. In the world of cyber crime, ignorance is not bliss.
With insurance providers raising the stakes in this way, the onus is on every single organization to be as informed, protected and prepared as possible. Intel 471 can provide this window into the cyber underground, but it’s up to you what you do with the information.