Force Majeure – Cyber Security Insurance
As we look back on the cyber attacks of the past year, one recurring theme was the claim that the hacked companies could not have foreseen or prevented the attacks that hit them. In legal parlance, an unforeseeable and unavoidable event that disrupts a business and excuses it from its contractual obligations is called force majeure.
Taking that position, many of the companies that were later hacked had purchased cyber security insurance and then cut their investment in IT security. Their reasoning was that there was no point spending money on defenses that do not work, especially when they could simply buy insurance instead.
Cyber Attack Defense
From CA Technologies' perspective, the cyber attacks of 2014 were entirely predictable and survivable. There was, and is, nothing new about the methods used: a mixture of malware, phishing and zero-day exploits employed to gain control of the targeted environments.
Appropriate air gaps in the IT architecture, sound network design and segmentation, segregated data, identity management, encryption and backup/recovery systems would have mitigated most of the reported issues. Each of these controls limits how far an intruder who has gained an initial foothold through malware or phishing can move, and what that intruder can reach once inside.
The common themes among the companies breached in 2014 were a total lack of preparedness for the attacks and a lack of visibility into IT governance. That lack of visibility can be laid at the feet of the security auditors responsible for reporting on, and recommending appropriate actions to mitigate, obvious risk.
IT Auditors: Blind or Pragmatic?
Suggesting to senior management that IT risks can be mitigated by insurance, rather than by an appropriate reworking of technology and security processes, could and should be punished as professional malpractice and malfeasance. The auditor community has first-hand familiarity with the consequences of these types of attacks, as well as with the proper mitigations, which are codified in standards such as ISO/IEC 27001 and its Annex A controls.
On the other hand, IT auditors are driven by the data provided to them by the IT operations managers they interact with. One of the sad truths about IT today is that the data sets required by auditors and regulators are frequently incomplete or simply do not exist. Auditors are then faced with a Faustian choice: refuse to sign off on the audit report, or turn a blind eye to the obvious problem of non-existent security controls and missing visibility into IT governance.
Data Breach Consequences
The recent lawsuits against many companies for willful negligence in the protection of personally identifiable information (PII) confirm this last point and expose the fallacy of a force majeure defense: a loss caused by failing to apply well-known, readily available mitigations was both foreseeable and preventable, and is therefore by definition not force majeure.
I believe that cyber-warfare insurance will be hard to come by in 2015 as insurers begin to understand that the transference of risk they accepted virtually guarantees a payable loss claim due to the negligence of their customers.
The Way Forward
It is clear that the entire nature of governance, risk and compliance (GRC) needs to be reworked to provide appropriate guidance to the CEO and Board of Directors when it comes to cyber defense.
Those who choose to buy cyber security insurance rather than fix poor security will most likely face legislation this year that punishes such behavior.
As a vendor in the cyber defense space, we learned a lot from the intrusions last year and will use that information to produce better products and improve our GRC integrations to help IT, auditors and senior management protect themselves from the ever present waves of cyber attackers.