Reports this week of a staggering security flaw in processor chips from Intel, ARM and potentially other major manufacturers have prompted a new round of the (by now) age-old question: Would this be covered by cyber insurance?
The Intel Flaw
The two vulnerabilities, named “Meltdown” and “Spectre” by the team of security researchers (and apparent James Bond enthusiasts) at major tech companies and in academia who discovered the flaws, can be found in chips that have been manufactured for over twenty years. In practice, this means that the flaw exists in nearly every device you can think of, from phones, laptops and servers to “smart” refrigerators and televisions. There are plenty of technical articles explaining the vulnerability, but in essence, this security flaw could allow a bad actor to read all kinds of data held in memory that the processor and operating system kernel are supposed to keep protected. This article from New York Magazine does an excellent job of illustrating the possible exploit with an analogy involving Parvati, the Hindu goddess with many arms. Trust me, it makes sense.
While it is tempting to jump to the conclusion that anything involving a computer must lead to cyber insurance, the answer is not that simple. The vulnerability could cause a number of different problems, only some of which would result in cyber insurance claims.
The most straightforward example is if a hacker is able to exploit the vulnerability in these chips and uses it to steal personally identifiable information (PII), protected health information (PHI) or payment card information (PCI). That would be a textbook example of a data breach, and the cost of responding to the breach, as well as the resulting liability, should be covered by all cyber insurance policies.
What about Intel? Shouldn’t they be liable? Maybe, but that would be a secondary analysis. Cyber insurance would first respond to the breach, but as in any insurance claim, if there are other parties that are potentially liable for all or part of the loss, the insurer may seek to subrogate against them.
In this example, Intel might actually be several steps removed from the end customer. The company might have better recourse against the distributor that sold them the flawed computers, with whom they have a contractual relationship. The distributor in turn might have the ability to recover from the manufacturer who embedded the Intel chip in their device. And in all of those relationships, the parties might have agreed to contractual terms that limit their liability.
If the hacker instead uses the exploit to steal trade secrets or confidential corporate information, cyber insurance is less likely to respond. There might be some coverage for the cost of forensic analysis to determine what data was stolen, but cyber insurance rarely covers the lost value of your own intellectual property.
One certainty is that the security flaw will impact cyber insurance underwriting. The only way to eliminate the vulnerability is to update the software and firmware on the impacted devices. Microsoft, Apple, Google, and others have been scrambling to create security patches for their operating systems for users to install. Intel announced that by the end of next week, they expect updates to be available for more than 90% of devices introduced within the past five years.
What Can Be Done
This is exactly why patch management is such a major area of focus in the cyber underwriting process. While they are not always this significant, software bugs and security flaws are discovered all the time. Once a bug becomes known and the patch is available, the burden shifts to the device owner to download the patch and update their device. The longer the delay, the more likely that a hacker will discover the vulnerability and exploit unpatched systems. Cyber underwriters will want to know if you have patched all vulnerable devices, and how long it took you to do that after the patches became available.
Another area of underwriting focus will be device obsolescence. Note Intel’s statement that the patches next week will focus on devices introduced in the last five years. What about older computers? Given that this vulnerability involves chips dating back to 1995, will patches be made available for them?
Manufacturers are obviously not motivated to keep updating old equipment, and it may be difficult for companies to ensure that their entire network is free of the vulnerability if they don’t migrate to newer machines. When Microsoft announced plans to stop supporting Windows XP in 2014, cyber underwriters began asking questions about how companies were handling the phase-out since those systems would no longer be able to receive security updates. This situation will certainly result in a similar underwriting focus.
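As an added example (not part of this article), here is the kind of evidence the patch-management questions above ask for: a defender's check of whether a Linux host reports the Meltdown and Spectre kernel mitigations as applied. It assumes the per-flaw status files that Linux kernels 4.15 and later expose under sysfs, each holding a line beginning "Not affected", "Vulnerable" or "Mitigation:".

```python
"""Audit Meltdown/Spectre mitigation status on a Linux host via sysfs."""
import os
from typing import Dict, List

# Linux kernels 4.15+ expose one file per hardware flaw in this directory
# (e.g. meltdown, spectre_v1, spectre_v2), each holding a one-line status.
SYSFS_VULN_DIR = "/sys/devices/system/cpu/vulnerabilities"

# Coarse verdicts used by this audit.
VULNERABLE, MITIGATED, NOT_AFFECTED, UNKNOWN = (
    "vulnerable", "mitigated", "not_affected", "unknown")


def classify(status_line: str) -> str:
    """Map one kernel status string (e.g. "Mitigation: PTI") to a verdict."""
    text = status_line.strip()
    if text.startswith("Not affected"):
        return NOT_AFFECTED
    if text.startswith("Mitigation:"):
        return MITIGATED
    # The kernel may append detail after "Vulnerable"; still vulnerable.
    if text.startswith("Vulnerable"):
        return VULNERABLE
    return UNKNOWN


def audit_sysfs(vuln_dir: str = SYSFS_VULN_DIR) -> Dict[str, str]:
    """Return {flaw_name: verdict} for every status file present.

    An empty result means the kernel predates the interface or this is not
    Linux: treat that as a finding to follow up, not as a clean host.
    """
    results: Dict[str, str] = {}
    if not os.path.isdir(vuln_dir):
        return results
    for name in sorted(os.listdir(vuln_dir)):
        try:
            with open(os.path.join(vuln_dir, name), encoding="utf-8") as fh:
                results[name] = classify(fh.read())
        except OSError:
            results[name] = UNKNOWN  # unreadable counts as unverified
    return results


def unpatched(results: Dict[str, str]) -> List[str]:
    """Names of flaws still reported as vulnerable or not verifiable."""
    return [n for n, v in results.items() if v in (VULNERABLE, UNKNOWN)]


if __name__ == "__main__":
    found = audit_sysfs()
    for flaw, verdict in found.items():
        print(f"{flaw:24s} {verdict}")
    print("needs patching:", unpatched(found) or "none")
```

Run it across a fleet (for example via a configuration-management tool) and keep the dated output; together with the patch release dates it gives the time-to-patch figure underwriters ask about.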
The bottom line? Companies that are proactive in dealing with the chip vulnerabilities will improve their cyber security – and their ability to secure good cyber insurance.