How practical is Lloyd's cyber mandate?

How practical is Lloyd's cyber mandate? | Insurance Business Australia

How practical is Lloyd's cyber mandate?

Cyber security experts are continuing to express reservations about Lloyd’s of London’s latest cyber mandate. In the wake of the ongoing Russian war on Ukraine, the mandate will force Lloyd’s managing agents to exclude state-backed cyberattacks and war from standalone cyber policies.

“This is very interesting because how do you attribute an attack to a specific nation and say this is an act of war?” said Ismael Valenzuela (pictured above), vice president of Threat Research and Intelligence at BlackBerry.

“From my perspective, as a cybersecurity expert, we can never attribute something 100% to a specific actor because what we have is digital evidence and digital evidence can be manipulated in many different ways,” said the New Jersey based cyber expert during an interview with Insurance Business Australia.

Read more: Lloyd’s state-backed cyber mandate drives "grey area" fears

Valenzuela said in cases when cyberattacks can be attributed to a particular actor it’s with, at best, a high degree of confidence.

“That’s not the same as knowing 100% for sure who is behind it,” he said. “There’s a lot of uncertainty here.”

Valenzuela gave an example of why attributing cyberattacks to a specific source is more difficult than ever before. He said BlackBerry’s threat intelligence reports typically focus on two areas of cybercrime.

“One is financially motivated cybercrimes, so the guys just looking for money as their main objective,” he said. “Then, the so called APTs, the advanced persistent threats, which are typically nation states or larger agencies backed up by governments.”

APTs, he said, often target energy sectors, intellectual property or military objectives.

Valenzuela said that, recently, the cyber criminals behind these acts are working more and more like the participants in an affiliate program.

“There are different levels,” he said. “There are [criminal] teams out there that charge money for just getting the access to a certain organization’s network.”

He compared this to illegally selling or renting the keys to house. Then another crime group could be paying for that initial access in order to do damage through a ransomware attack or the access could be purchased by a nation state.

“So how do you distinguish between the two [actors] doing this?” said Valenzuela. “Is it the one that bypassed the initial controls and got into your network first? Or the ones that came two weeks later and stole the data?”

He said there can be divergent motivations behind what he described as different “fireworks.”

In order to get to the bottom of a cyberattack and determine both who is behind it and the extent of the damage, he said, firms need to undertake “an extensive investigation which includes a forensics incident response.”

Valenzuela said the initial incident response after a cyberattack involves a team of experts trying to contain the incident, eradicate the attackers and kick them out of the network.

“Then they have to do forensics,” he said. “They take images of systems, of memory, of disks and look at what’s going on in the network and try to figure out how they got there in the first place and the extent of the damage.”

If a firm has lost control of its network, he said, it’s possible the network will need to be entirely rebuilt.

“So the extent of the damage determines the cost of recovery,” he said. “You need to do that type of investigation first.”

However, cyber insurance doesn’t usually cover that.

Read more: Which Australian industries are most targeted by cyberattacks?

Valenzuela referred to a recent case in Australia’s Federal Court on a ransomware dispute between insurance giant Chubb and automotive services firm Inchcape.

The court ruled that the victim, Inchcape, cannot claim on costs incurred in the clean-up and recovery from its ransomware attack – such as costs for forensics, incident response, and replacement hardware – because they were decisions taken by the firm rather than costs directly incurred from the attack. Therefore, they are not claimable under the firm’s insurance policy.

“It is not any ‘loss’ which is covered. It is only ‘direct financial loss’,” Justice Jayne Jagot said, as reported by IT News, that the cover “is also subject to the exclusion of any indirect or consequential loss.”

Valenzuela said, to the best of his knowledge, the fine print in insurance policies doesn’t often detail these cyber issues and the lack of coverage for the full consequences of a cyberattack.

“So that’s driving some companies to ask, why have [cyber] insurance at all?” he said.