Cyber insurance between the lines
It's a security professional's nightmare. Not a new virus or worm. Not a hacker from outside trying to penetrate perimeter defenses. Not even an attempted denial of service attack. The nightmare scenario is the "Jayson Blair" syndrome -- the trusted insider gone bad.
That can mean stealing information, destroying files, or virtually shutting down an entire company through the use of a Trojan horse or logic bomb. There are some attacks for which there is no perfect defense. Perimeter defenses don't work against insiders. Validation procedures may not work where the user can legitimately log in as root. Checks and balances, such as the "two person" rule, work only when properly implemented and rigorously adhered to.
So, we prevent the harm we can prevent, and insure against the harm we cannot prevent -- right? Do "computer crime" insurance policies make sense? The answer is, it depends.
Consider this cautionary tale from the United States Court of Appeals for the Fourth Circuit in Richmond, Virginia in late April illustrates this problem. Like most companies, NMS Services Inc., a software development company, had insurance. It had the kinds of insurance typical companies have; but like most companies, it did not have special "cyber insurance."
They hadn't counted on their systems administrator, John Powell. While still an employee of NMS, Powell wrote a series of "back door" programs that allowed him access to the NMS systems and decrypted passwords. You already know what happens next. After being fired from NMS, Powell accessed the NMS computer systems and deleted and destroyed data.
When the smoke cleared from the cyber sabotage, NMS dusted off their general liability insurance policy, and filed a claim against the Hartford Insurance company. Hartford, who also sold special computer crime policies that NMS had not bought, refused to pay. Lawsuits and appeals followed, and the lawyers descended.
The Devil in the Details
For decades the standard batch of insurance policies a company would purchase remained mostly unchanged: a typical portfolio would include employee dishonesty, general liability, fire and casualty, director and officer.
But with the advent of the Internet, companies were suddenly engaged in a brand new form of risky behavior. Virtually all of their critical information and data was now accessible by not only all of their employees, but also potentially to the world. E-commerce posed new risks of fraud, dishonesty, identity theft, destruction of property, theft of information, electronic espionage.
But insurance companies have been slow to respond to these new threats, principally because they had very little empirical data from which to generate underwriting criteria: how much to charge for insurance, what to cover, what kinds of losses are subject to claims, and what mitigation procedures would entitle clients to discounts on such insurance.
But here's a secret: most companies already have cyber insurance -- they just don't know it.
For years companies have been purchasing insurance policies to protect themselves against all kinds of fraud or theft -- whether committed on paper, or through computers. For cyber insurance to be worthwhile from the insurance company's standpoint, the company not only has to develop underwriting criteria, but more importantly, it must exclude claims related to computer attacks from existing insurance policies.
Reducing the scope of insurance policies is not always an easy thing to do. Astute customers will balk -- either insisting on a reduction of premiums, or insisting that the cost of both regular and cyber insurance be no greater than what they were paying before. The trick is in deciding what is and what is not covered in the general liability insurance policy.
The Lawyers Descend
NMS had a general liability insurance policy which excluded dishonest acts of employees, but did not exclude "acts of destruction" committed by employees. Powell inserted his back doors while he was an employee, but deleted the files after he was terminated. The insertion of the back doors and password crackers was an act of dishonesty by an employee that was not covered by the insurance policy, but caused no immediate damage or loss. The exploitation of these back doors caused loss, but may or may not have constituted an "act of destruction" and may or may not have been attributable to an "employee."
It is on such details that lawsuits are made.
In this case, the victim of the cyber attack won. The federal appeals court found that NMS did have insurance that covered not only the losses resulting from Powell's exploitation of the back door, but also covered the costs of responding to the incident and the losses resulting from lost profits and business income during the downtime. The court concluded that the attack constituted a "direct physical loss of or damage to property" and covering the cost of restoring "valuable business papers or documents."
"The substantial portion of Powell's actions took place while he was still an NMS employee, making Powell, for purposes of the dishonesty exclusion . . . an employee who committed a dishonest or criminal act," the court wrote. "However, NMS's property was not only damaged, but was completely destroyed by an employee, Powell, which triggers the exception to the dishonesty exclusion."
But it was a close call, this ruling. NMS's insurance policy included a specific endorsement addressing coverage for "computers and media." The endorsement modified the underlying policy and indicated that coverage for losses involving computers must be provided under the endorsement. The computer endorsement specifically excluded coverage of any loss "caused by or resulting from [the] dishonest or criminal acts by ... any of your ... employees ... or anyone to whom you entrust the property." At the time of the destruction of the files, Powell was either an employee or a person to whom NMS had "entrusted" its property. One of the three judges deciding the case dissented in the opinion based upon this language.
Either way, the lesson from the NMS case, and the fact that it was litigated to begin with, is that companies should carefully review all of their current insurance policies.
Insurance policies typically have limitations, exclusions, inclusions and endorsements that are confusing and in some cases mutually contradictory. When we do risk assessments, we determine the most likely scenarios of attack, and the potential damages or losses resulting from these attacks. The basic rule of thumb is to first identify the risks associated with a business or process, mitigate or eliminate those risks that it is cost-effective to mitigate or eliminate (there is no such thing as zero risk), and finally, insure against those risks that it is not cost-effective to eliminate.
Find out now if you have insurance that covers both insider and outsider attack. Does it cover lost profits? Does it cover cost of reconstruction and response? Do newer policies exclude from coverage anything that is relevant to your business, and do you need more comprehensive insurance?
In this case, the court bent over backwards to read the insurance policy in a way that would give NMS the coverage that it likely thought it had. In future cases, victims of computer crime may not be so lucky. The time to prepare is now -- before the lawyers descend.
SecurityFocus columnist Mark D. Rasch, J.D., is a former head of the Justice Department's computer crime unit, and now serves as Senior Vice President and Chief Security Counsel at Solutionary Inc.