Allegory for Information Security

Allegory is a powerful tool to explain a complex topic or summarize it, so many times I explain that Information Security should be like the atmosphere – it should be transparent (not felt, not bothering), it should prevent bad things (asteroids = malware/other attacks) from coming in, and prevent good things (like oxygen = sensitive/confidential data) from getting out.

About the ability of cyber insurers to avoid paying due to a cyberwar act claim

Following the news article below – it is no news that insurers try to avoid paying, but their stand of not paying due to cyber war acts will not stand, in my opinion.

For a cyber act and/or malware to be officially declared, in our digital anonymized worlds, as originating from a specific country and intended to be an act of war – I guess only other governments or unions of governments (e.g. UN, NATO) can declare that, and such a declaration may have severe consequences, like… ahhmmm… starting a war… – so the insurers’ ability to avoid paying for this reason is, I think, close to zero (although it may be a true fact in reality and they may be right in their claim, but they won’t be able to prove it).

Merck Settles NotPetya Insurance Claim, Leaving Cyberwar Definition Unresolved

Cyber attacks are more certain than fire and theft risks for businesses

The insurance company Aviva conducted research on cyber risks, and one of its main conclusions was:
… the research found that businesses are 67% more likely to have experienced a cyber incident than a physical theft and almost five times as likely to have experienced a cyber attack as a fire.
 
If the numbers are real and it is not just PR to sell more cyber insurance – then I think it is a landmark in the history of information security – a major “upward” step in the risks ladder, getting closer to certainty in the probability scale.
 
As I always say – much of our work in cybersecurity is not technical, it is fighting repression, the mentality pushback by humans we work with about dealing with digital risks, and this research may help us by having statistical evidence that cyber risks are not accidental, they are intentional (be it either personal or generic targeting) and they are bound to happen; the only question is if we will do something about it.