2018-06-28
10 Costs Your Cyber Insurance Policy May Not Cover
All the things you might think are covered but that don't actually fall under most policies.
Business interruption coverage isn't meant to cover lost profit, explains Shah. Many organizations think they are covered for everything they would have sold during the time they lost access to systems, but in reality, they won't be covered for the profit they would have made.
"If you lose access for a day, whatever profit margin you would've lost in that day for not being able to access equipment, you will get coverage for … it's a very small amount," he says.
This is especially problematic during profitable times of the year, says Itskovich. For example, consider an ecommerce company with a business interruption on Cyber Monday. "The clear net income could be ten times the annual average but no policy will cover that," he explains.
After a cyberattack occurs, the clock starts ticking. If your systems are back up and running within a reasonable timeframe, cyber insurance coverage generally will not apply. Most policies only kick in for critical situations in which systems are down for several hours or days. The average waiting period before cyber insurance kicks in is about eight hours of downtime, says Shah, and Itskovich ballparks the number at around 10 to 12 hours. Even if you encounter business interruption for most of the workday, you may not be covered by your cyber insurance policy.
Some cyber insurance policies extend coverage to third-party providers, but many do not. When you define your company in your policy, be sure the definition includes any service providers your business uses.
"There are coverages out there that don't extend coverage to third parties or contractors," Shah points out. "It's very important to check that coverage does include them in the definition of the company itself."
Shah explains this in the context of a cloud storage leak: whether you receive coverage in the event of a leak depends on the situation. "If the company is found to have been negligent and there was an administrative error on their part for not configuring Amazon services, then coverage would not be there," he says. If configuration was done properly and Amazon lost data in a reboot or another incident, there would be coverage.
Typically this kind of negligent error is excluded from contracts, he says, but separate cyber insurance exists that covers this type of administrative mistake. When you do work with third-party services, make sure they are secure and following sound practices as consistently as possible.
Most cyber insurance policies typically don't cover property damage or hardware replacement, says Shah. Digital assets coverage typically includes any kind of corruption or loss of material on a computer. This can be problematic if the data or hardware is so corrupt that it's more efficient to purchase new hardware and toss the old machine.
"People might think if you have ransomware, you'll get computers and servers replaced, but that isn't the case," he explains.
Traditional cyber insurance policies typically don't cover new versions of software, either. If your business is using a very old edition of a certain software when an attack hits, you may not be able to get it back if it's no longer supported, Shah cautions.
"If you're using Windows 8 or 7, it's not meant to get you to Windows 8 or 10," he says. "[Policies] aren't meant to get you to a place that's better than where you were before. They're meant to get you back to where you used to be."
Business email compromise (BEC) attacks, in which executives are tricked into wiring money into outside accounts, and other forms of social engineering are not typically covered under most cyber insurance policies.
"A few policies have limited coverage but most will not respond to that," says Bradford, adding that social engineering isn't very different from other types of fraud. "If it's a concern, and it should be, [businesses] should make sure it's covered in commercial crime coverage."
Itskovich warns companies not to lump social engineering in with computer crime, which is covered under many policies. Social engineering happens more often than computer crime but isn't as commonly included in insurance policies.
"If you have a data breach and lose data, there's not a lot of ambiguity there," says Bradford. However, if a cyberattack hits a connected car or insulin pump, or a bug in manufacturing equipment leads to physical harm, most cyber insurance policies won't cover medical costs.
The issue is becoming bigger as we move into the "Internet of everything," he continues. "Increasingly connected objects have opportunities to cause physical damage or bodily injury."
While it's not available in most cyber insurance policies, this type of coverage can be purchased - but you have to know to ask for it. Bradford notes it's typically provided in "different conditions" policies or can be added to a regular cyber insurance policy.
Shah points out that while physical bodily injury is often not covered, some policies will cover emotional distress. If, for example, your medical provider is hacked and sensitive data is made public, you may receive compensation for emotional distress related to the incident.
When a company is hit with a credit card breach, cyber insurance policies often cover the process of notifying customers and regulators. They do not cover fines and penalties issued by the Payment Card Industry, which imposes its own fees following breaches.
When you decide to process payment cards as a company, you agree to certain rules, says Shah. If you violate those, there might be certain assessments you might be responsible for paying. Major card providers including Mastercard, American Express, and Visa will send in a forensics team to figure out what happened and charge for that, plus additional costs.
"Every day you're out of compliance they issue a fine," he explains. "Those are all in addition to notifications that your insurance program may or may not cover." He urges businesses to ask about this to ensure they have the fullest coverage, especially if this is an exposure they have.
Intellectual property theft and reputation damage are tricky coverage areas with growing demand. "Both of those are really difficult for insurers because it's hard to quantify the loss," says Bradford.
Right now coverage is "very, very limited - almost a kind of beta-experimental sort of basis," he continues. It's something insurers have avoided for a while but will be forced to address. If they don't offer this type of policy, their customers may take their business to competitors who do.
"It's perceived as one of the largest risks to doing business in cyberspace in a lot of companies, is that reputation impact," he adds.
Most businesses don't realize banks won't cover them if a successful account-takeover operation drains money from their account, says Bradford. Coverage is available for this, but it's something businesses need to seek out. He anticipates we'll see this area continue to develop further as more people are hit with these types of attacks.