Organizations want coverage in case of a data-loss incident, but insurers will make them pay.

Stuxnet was never meant for Chevron. But in 2010, the sophisticated worm escaped into the wild after debilitating nuclear power plant systems in Iran.

While the U.S. oil giant was merely an accidental victim, and no worse for wear – the malware was written so that its payload would only fire against a specific target list, in this case uranium enrichment facilities in Iran – the incident served as a wake-up call. The fact that a U.S. government-created virus could find its way into an American organization was disturbing. But it also was telling.

What lingered in the minds of many critical infrastructure operators – and those tasked with managing their ledger books – was the uphill battle that lies before them in defending their networks and systems from sophisticated attacks spearheaded by government-sponsored groups.

But it's likely that other thoughts festered, too: namely, what if there was another accident? What if the payload activated next time?

How would the mess be cleaned?

When cyber security insurance was first dreamed up more than a decade ago, the likelihood of a company needing financial assistance after being accidentally compromised by one of the most advanced pieces of malware ever designed wasn't considered.

Never mind the more likely possibility that a compromised firm might require financial compensation after being infected by any number of today's stealthy trojans that are built to steal coveted assets, such as customer data or intellectual property.

Cyber insurance originally was conceived as another form of risk mitigation that a company could implement for the possibility of network damage or downtime – the digital equivalent of its roof caving in. For example, recall Melissa, a 1999 mass-mailing worm that forced a number of companies to briefly shut down their email systems, but which resulted in no data theft, espionage or catastrophe.

Standalone cyber insurance policies were available around this time, but the coverage largely insured damages caused by these types of nuisance events. And policies generally were catered to emerging dot-com companies that were dependent on online business.

But, over the years, policies have expanded to include expenses associated with loss, theft and disclosure of data, as well as the costs associated with breach notifications, forensic investigations, credit monitoring services and public relations. Coverage also extends to compensating for legal claims made by impacted customers.

When deciding whether to insure a customer, brokers assess the current security procedures and policies of candidates, in addition to how vulnerable to compromise their assets might be.

As a result, many insurers aren't interested in rolling the dice when it comes to possible high-risk policy holders, while some customers experience sticker shock when they learn the premiums they are being asked to pay.