Now That Lloyd’s Won’t Cover Nation-State Cyber Attacks, What Do Organizations Need to Know?

Change highlights importance of pairing cyber insurance with well-tested defenses

by Jonathan Armstrong and André Bywater
August 31, 2022
in Cybersecurity, Risk

Lloyd’s of London, the world’s leading insurance market, says that cyber insurance policies it issues after March 31, 2023 will not cover most state-sponsored attacks. Cordery Compliance’s Jonathan Armstrong and André Bywater explore what this means for companies and how they should prepare.

It has long been the case that foreign governments have used cyber attacks to make money or to disrupt organizations in other countries. The BBC’s recent “Lazarus Heist” podcast series examined the role of North Korea in cyber attacks, while in March, President Joe Biden spoke of Russia’s role in attacks. The UK’s NCSC has also spoken of threats from China.

We have seen allegations that nation-states do use cyberwarfare, including ransomware, to raise money for missile programs and conventional warfare but also to spread panic and despair in the same way acts of terror have been used in the offline world for hundreds of years.

In many respects, the announcement is not a surprise. Acts of war have been excluded from conventional insurance coverage for years, too. There’s been litigation over clauses like this since at least the 1920s, and in an alert on the Ukraine war in March, we highlighted this as an area of contention. Then, we talked about the litigation involving Merck & Co. over cyber attacks with a Russian connection, and we talked about the insurance industry tightening up policy wording as a result. The recent Lloyd’s announcement is in many respects a continuation of that trend.

We know it’s tricky for some organizations to get any cyber coverage at the moment, and we also know that premiums have been on the rise. For organizations, it’s a reminder that insurance isn’t the fix to everything. It also reinforces the need for organizations to shore up their own defenses. Sure, you have car insurance, but you also have a car alarm and maybe a tracker, and you lock the doors. Cyber policies are the same; you will have to take reasonable precautions to get covered, and even then your insurer won’t pick up the tab for everything.

Attribution

The real issue with all of this, however, will be attribution: How can anyone be certain that an attack is state-sponsored? With specialist help, you can often say that there are indicators of nation-state involvement, but some cases we have been involved in prove to us that it’s hard to be certain. With North Korea, for example, it has been reported that North Korean IP addresses are not always used. In many cases, attackers will take over someone else’s systems to launch an attack and hide their tracks.

It’s these difficulties that are likely to lead to litigation. Once again, putting proper procedures in place will be key. To have a chance of getting attribution right, an organization will need proper and effective monitoring on its systems to assist in an investigation. It is also likely to need specialist help in analyzing that evidence. The time to prepare for an attack is before it happens, and some organizations will want to re-test their readiness plans in light of the need to gather this evidence to satisfy their insurers that a claim is in scope.

What about sanctions?

It could be that making a payment to a sanctioned individual or organization will be seen as prima facie evidence of state-sponsored involvement, depending on the nature and content of the sanctions announcement and the circumstances of the case. It is highly unlikely that any insurer will cover those payments. In all cases, it will be wise to do a sanctions check before making any payment, although as we have said, attribution will remain a difficult area and finding out who a ransomware demand is from is not an exact science either.

When does the change come in?

Lloyd’s does not require existing policies to change unless the expiry date is more than 12 months from March 31, 2023. With the way in which the market is tightening up, however, it is likely that anybody seeking to renew their policy from now on will see new terms being proposed. It will be important to look through the proposed terms and consider your risk and the steps you can take to reduce it.

What can we do?

As ever, the best strategy is to try to prevent attacks rather than relying on insurance to cover you when they do. There are some simple steps you can take to try to reduce the risk:

  • Training and awareness are key. Make sure you are raising awareness of the current heightened risk with your employees and subcontractors.
  • Make sure your cybersecurity stance recognizes the heightened risk. Patching software remains vitally important. You might want to implement a four-eyes system to make sure that somebody is independently verifying the fact that patches have been done. Despite some current attacks bypassing multi-factor authentication (MFA), it remains important, especially since many insurers won’t cover you unless you have good MFA systems in place.
  • Practice makes perfect. Breaches are inevitable, so preparation is a wise investment. This might include having good lawyers on standby, since we know that the initial hours after a breach are crucial in successfully defending claims. This is also likely to include rehearsing a breach.
  • Look in detail at contracts with vendors and other third parties. You will need to look carefully at emphasizing your processors’ obligations to let you know immediately if they suspect a possible breach. In our view, audit rights are also important. Too often, organizations are vague about cause and effect, and it can take the exercise of audit rights to get proper information.
  • You may also want to consider your position on ransomware payments and agree on a strategy in advance.

This article was first published at Cordery.com. It is republished here with permission.

Jonathan Armstrong and André Bywater

Jonathan Armstrong is a partner at Cordery Compliance. He is an experienced lawyer with a concentration on technology and compliance. His practice includes advising multinational companies on matters involving risk, compliance and technology across Europe. He has handled legal matters in more than 60 countries involving emerging technology, corporate governance, ethics code implementation, reputation, internal investigations, marketing, branding and global privacy policies. Jonathan has counseled a range of clients on breach prevention, mitigation and response. He has also been particularly active in advising multinational corporations on their response to the UK Bribery Act 2010 and its inter-relationship with the U.S. Foreign Corrupt Practices Act (FCPA).
André Bywater is a partner at Cordery Compliance. He is a commercial lawyer with a focus on regulatory compliance, processes and investigations. His practice has engaged both the private and public sectors. He was Brussels-based for many years, focusing on a multitude of EU issues during which time he worked across Europe and beyond. He has assisted and advised mainly European and U.S. in-house counsel and other company personnel. Further, he has also addressed a variety of legal matters in the context of EU-funded projects building the expertise and capacity of government ministries and agencies in Central and Eastern Europe and further afield.
