The Gaping Holes In Cyber Insurance

Cyber insurance should be understood as a societal problem, not just a business problem, says a treatise from the Carnegie Endowment. Some fundamental concepts, like war and terrorism exclusions, need to be rethought, and the possibility of government as financial backstop should be taken seriously. One complicating factor, one of many that results in coverage gaps and/or triggers litigation, has to do with “attribution” – that is, identifying the source of the breach. Not only is it difficult technically, but it’s difficult with regard to how one characterizes the actor. Criminal extortionist, high-tech vandal, agent of the state, somewhere in between, or none of the above? Another difficulty is defining conditions under which a war or terrorism exclusion should apply. Should it be only in the context of a conventional (“kinetic”) conflict?” Should it include an incident where the breach is intended only to steal data or gather intelligence for possible future use (what the U.S. military has termed “operational preparation of the environment”)? Questions such as these reflect the changing nature of warfare, at least some of it, and suggest, so it is argued, that a hypothetical catastrophe exclusion would be “better tailored” to real world risk, and might stem what has become a reliable and growing fount of litigation. – DR