For example, I work as an automotive engine mechanic for a small chain of Midwestern shops. Recently we had a Tesla owner drive in for servicing a recalled suspension control arm. We were approved to do the work by Tesla and had the parts shipped directly from California. Once the work was completed, we informed the customer in the waiting room, who immediately took it upon himself to "auto-pilot" the car out of the garage while it was still on the lift.
The car happily obliged, and backed itself off a lift six and a half feet to the ground in a pretty spectacular display. No one was hurt, thankfully; however, our shop insurance refused coverage for our damaged lift, and the Tesla owner's auto insurance refused coverage as well because he was technically not driving the car at the time. The customer had to pay out of pocket for repairing his car, as well as our lift.
Given the level of dangerous stupidity they displayed, that seems like a decent enough outcome.
Wouldn't that apply to most car accidents on the road? Stupid decisions by at least one party leading to someone's insurance paying the bills?
1. You're telling me you had a vehicle up on a lift, by its wheels, and there was no chuck or gates to stop the vehicle from rolling?
2. I'm assuming you're saying the customer used "Summon" to remotely move the car.
a. Summon will immediately stop the car if it detects even the slightest bump.
b. Summon will immediately stop the car if it detects the wheels are off the ground, which is relevant because:
c. Summon moves the vehicle at like 3 mph, so even if the vehicle was AWD, since most of the weight (which is distributed throughout the vehicle) is still over the lift, there is definitely not enough momentum to push it off the lift.
d. I am fairly doubtful the auto insurance would not cover this, especially if the guy had comprehensive insurance.
Tesla should have accounted for this.
Secondly, Tesla specifically states that you must have the car in line of sight before you enable Summon (which only goes straight forward and backward by 25 feet), so this guy is absolutely a complete moron for doing that.
Just how explicitly is this instruction presented? For better or worse, I don't think you can expect users to read everything presented to them. (Partly because we bombard them with cookie notices, ads, and other crap)
Enhanced Summon is a different story, though that feature basically no one has yet.
Good for a party trick but in general I have yet to find a good real use case for it.
Using it without being able to see your car is pure idiocy.
It's particularly hilarious when you and several buddies are watching the meter maid try to put a ticket on it. It's probably occasionally useful for adjusting a car in the driveway but yeah, it's 99% party trick.
It could theoretically be useful for attaching a trailer but most Tesla owners aren't doing that and the collision detection system will probably go crazy and prevent you from getting close enough to the trailer to actually couple it to the car.
On the other hand, if insurers know they can invoke a cyberwarfare clause and deny a claim, even if the attack may not have been state sponsored, the insurance is certainly worthless.
Of course, they're neither required nor obligated to provide such cover.
So it is easy to calculate for insurance companies; they don't go over the factory inventorying what you have in the factory.
It is your responsibility. (They only go afterwards to see what was damaged, because that is what they care about.)
That's more or less the core competency of insurance providers...
My point is that a "cyber attack" is poorly constrained, compared to something like a fire or a flood... a company only has so many assets, valued at $X, that are liable to be burned to the ground or ruined by a flood, and these constraints can be modeled and adjusted for. Perhaps I am mistaken, but I don't see a cyberattack as being analogous to anything else in the insurance industry.
Those are not easy things. People litigate the difference between fire and flood damage all the time. (Putting out a fire normally involves lots of water.) Sometimes flooding in building X even causes a fire in building Y. Is that covered by "fire" or "flood" insurance? The difference between various cyber attacks isn't substantively more complicated than any of the traditional insured risks. The issue is that insurers haven't invested in the experts needed to properly assess those risks. That is their problem to solve, not the customer's.
However, in this case:
> Mondelez said in a statement that while its business had recovered quickly from the attack, Zurich Insurance was responsible for honoring an insurance policy that explicitly covers cyber events.
If the FBI publicly arrests some teenager or former employee related to a company hack, and the insurance tries to use a cyberwarfare exception, then we can go grab the pitchforks.
Both sides of this are going to get tested though: does the US actually have a definition for cyberwarfare and is that the same as what's in the insurance contract? Do countries have to publicly declare cyberwar (but not necessarily regular war) on other countries for this clause to be valid? What due diligence do companies have to do to prove they weren't part of a cyberwarfare hack?
This headline is misleading though. Big Companies know what's in those contracts. Maybe this is a kick in the pants for more scrutiny of those contracts to strike things like cyberwarfare.
If Russia declared war on the US, and attacked US companies, it's pretty clear this is cyberwarfare.
If Anonymous DDoSes your website over some vendetta, because they declared "war" on your company, is that cyberwarfare? Does a declaration of war by a non-nation-state count as cyberwarfare?
If North Korea compromised your servers to mine Bitcoin, is that cyberwarfare? Does any action by a nation-state count as cyberwarfare?
This is what insurance companies do.
The same way they properly cost and provide payouts for, say, fire which might be anything from "one room got slightly scorched" to "the entire building burned down".
You could go a long way just building out a team with both underwriters and security professionals to setup baseline standards and evaluate customers against those.
But it _is_ hard on insurers to do underwriting on cyber attacks -- UNRELATED to the "war" exemption, even non-war attacks. Because it's _new_, so they don't have all the historical data and methods for estimating risk. As others are saying, this is the business insurance companies are in: estimating statistical risk and figuring out the right premiums to charge to cover it. But the cyber stuff is new, which _does_ make it hard.
As the original article says:
> Cyberattacks have created a unique challenge for insurers. Traditional practices, like not covering multiple buildings in the same neighborhood to avoid the risk of, say, a big fire don’t apply. Malware moves fast and unpredictably, leaving an expensive trail of collateral damage.
But nobody said they had to cover cyber stuff. They can put stuff in their policies saying they don't cover it at all, if they don't know how to underwrite it. What they can't do is put stuff in their policies saying they cover it, take your premiums on that basis, but then try to weasel out of it.
There are specialty insurance companies which cover specific risks and know how to evaluate them. The classic is The Hartford Steam Boiler Insurance Company. They were the first insurance company willing to insure steam boilers. About half their employees are boiler inspectors. When they started, in 1866, nobody else would touch that business.
They inspect before they insure. Typically, they send inspectors and provide the boiler owner with a to-do list. Then they come back to see if everything was fixed. Only then does HSB write a policy. Their policies give them the right to come in at any time and inspect. Which, randomly, they do.
Boring old Hartford Steam Boiler is expanding into computer systems insurance. But they are not as hard-ass about inspections as they are with boilers, unfortunately. They know how to keep boilers from blowing up. Computer security isn't there yet.
Can you share the name of the company?
When you have an attack that moves from your servers to your desktop computers, you have a network issue, which would be covered in an audit to verify you properly segment your network instead of having it in one large broadcast domain.
The open source model is benefiting too many businesses to just up and throw it out.
Get a nanny state (Hello California) to force companies to have insurance for cyberattacks.
Insurance companies will learn instantly how to do due diligence for-real (as opposed of for compliance certification) to decide if they get clients or not.
Companies then, forced to have insurance, will have to implement minimal safeguards to be accepted in the insurer policy requirements.
This company would essentially operate as the security team for clients and put in contractually enforced policies and follow through on implementation. If a client decides to not implement required security practices, then their policy immediately gets dropped.
This is the only scalable way I'd see to implement real insurance against cyber-attacks.
We’re still in beta, but we’d love feedback from HN!
I’m curious if there are cyber mitigations that are out there, such as mandatory two-factor authentication, requiring up-to-date software and OSes, or other measures. It seems like any insurance company would be highly interested in forcing these best practices.
With cybersecurity, there is an active adversary. I'm not sure insurance ever wants to take on that kind of risk. If they don't want that risk they shouldn't sell insurance.
Companies should make a solid effort to prevent the possibility, but I'm torn on what ramifications should be.
or do what the Russians do and use kompromat
Isn't this what they do and then hedge the risk by covering their potential losses with insurance?
If companies are not doing a good enough job with security, why does the cyber insurance not cost more? Priced properly, companies can choose between buying more coverage versus throwing more money at the "security problem."
Maybe telling these companies "no war was declared, so you must pay out" would be a good thing.
Insurance companies are powerful lobbyists both in the traditional K street sense, and the soft power sense.
(For the soft power sense, picture a major insurance company telling a nation state their state owned businesses can self insure moving forward, since the business cannot handle the risks they generate.)
That goes against centuries of precedent. The only difference now is that it was "on the Internet".
By extension, could we deny coverage when a bunch of crackheads raid someone's home, simply chalking it up to the war on drugs?