Force Majeure – Cyber Security Insurance

As we look back on the cyber attacks of the past year, one recurring theme was that there was no way the hacked companies could have expected or prevented the attacks that hit them. In legal parlance, the concept of reasonably unexpected and unstoppable events that disrupt a business and its contracts is called force majeure.

Taking that position, many of the hacked companies had, prior to being attacked, purchased cyber security insurance and then cut their investment in IT security. Their theory was that there was no point spending money on something that does not work, especially when they could simply purchase insurance instead.

Cyber Attack Defense

From CA Technologies' perspective, the cyber attacks in 2014 were completely predictable and survivable. There was, and is, nothing new about the methods used in 2014 to attack targets. We saw a mixture of malware, phishing and zero-day exploits used to gain ownership over the targeted environments.

The use of appropriate air gaps in IT design, proper network design, segregated data, identity management, encryption and backup/recovery systems would have mitigated most of the reported issues.

The common themes among the companies breached by the 2014 cyber attacks were a total lack of preparedness for the attacks and a lack of visibility into IT governance. This lack of visibility could be laid at the feet of the security auditors responsible for reporting on, and recommending appropriate actions to mitigate, clearly obvious risk.

IT Auditors: Blind or Pragmatic?

The suggestion to senior management that IT risks could be mitigated by insurance – rather than by appropriate reworking of technology and security processes – could and should be punished as professional malpractice and malfeasance. The auditor community has first-hand familiarity with the consequences of these types of attacks, as well as with the proper mitigations, all of which are codified in standards such as ISO 27001.

On the other hand, IT auditors are driven by the data provided to them by the IT operations managers they interact with. One of the sad truths about IT these days is that data sets are incomplete or non-existent when it comes to providing the required data to auditors and regulators. Auditors are faced with the Faustian choice of not signing off on an audit report, or turning a blind eye to the obvious problem of non-existent security or visibility into IT governance.

Data Breach Consequences

The recent lawsuits against many companies for willful negligence in the protection of personally identifiable information (PII) prove this last point and confirm the fallacy of a force majeure defense argument.

I believe that cyber-warfare insurance will be hard to come by in 2015 as insurers begin to understand that the transference of risk they accepted virtually guarantees a payable loss claim due to the negligence of their customers.

The Way Forward

It is clear that the entire nature of governance, risk and compliance (GRC) needs to be reworked to provide appropriate guidance to the CEO and Board of Directors when it comes to cyber defense.

Those who choose to buy cyber security insurance rather than fix poor security will most likely see legislation this year to punish such behavior.

As a vendor in the cyber defense space, we learned a lot from the intrusions last year and will use that information to produce better products and improve our GRC integrations, to help IT, auditors and senior management protect themselves from the ever-present waves of cyber attackers.
