The recent US presidential election brought nation-state cyber attacks into mainstream awareness like never before. Despite the attention the topic garnered, there is still real ambiguity about what actually constitutes a state actor in the context of a cyber attack.
The definition of state actor has become muddied in the last few years, as ransomware has turned into a state-sanctioned economic development activity for some countries. The United States is one of the few countries that does not use its offensive and defensive cyber security resources to defend the commercial sector; it limits their use to national defense and the protection of government assets.
As it stands today, a "state actor" is hard to define beyond an intrusion that is definitively attributed to an off-shore actor. Intruders now routinely operate from in-country assets to mask their location, which makes attribution difficult. The exception is the state actor with a grudge to air: such an actor will attack from its own addresses precisely so that the target company and its government get the message.
So where does this leave private firms? Does cyber security insurance provide any recourse for organizations breached by state actors, rather than cyber criminals?
Cyber Security Insurance for State-Sponsored Attacks
The nature of the attacker alone does not shield the victim from liability. The victim must demonstrate competence in securing their environment and show that they took proactive steps to limit losses. This includes actions like rotating passwords, disabling unused accounts, limiting the use of highly privileged accounts such as domain administrator, running vulnerability scans and patching systems.
An organization that has merely ticked the regulatory compliance checkbox can start by arguing force majeure. Under the eventual bright light of litigation, however, it will lose that argument, and its cyber security insurance will not pay out.
The term "buttoned up" refers to a victim that prepared for a cyber attack. In cases where such a victim was hit by a competent nation-state attacker, there are little to no legal consequences. These organizations operate under the principle of "acceptable losses": convenience and security are examined and balanced on a regular basis through a formal process.
The fact that a nation state is the attacker does not by itself make the incident a force majeure event. With proper processes and technology (privileged identity management, patch management and intrusion detection) the risk can be limited.
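What "proactive steps" look like as evidence rather than as a checklist: the following Python script, added here as an illustration and not part of the original post, reviews a constructed directory export and patch report for three of the items named above: enabled accounts nobody has logged into for 90 days (candidates to disable), members of Domain Admins that are not dedicated admin accounts, and hosts that have been missing an available patch for more than 30 days. The account names, dates, the 90- and 30-day thresholds and the "-adm" naming convention for dedicated admin accounts are assumptions made for this example.

```python
from datetime import date, timedelta

# Constructed sample data standing in for a directory export and a patch
# report. Names, dates and the "-adm" naming convention are assumptions made
# for this illustration, not data from any real environment.
AS_OF = date(2024, 5, 3)

ACCOUNTS = [
    # (account name, enabled, last logon, group memberships)
    ("alice",      True,  date(2024, 5, 1),   ["Domain Users"]),
    ("bob",        True,  date(2023, 11, 20), ["Domain Users"]),
    ("svc-backup", True,  date(2024, 4, 28),  ["Domain Admins"]),
    ("carol",      True,  date(2024, 5, 2),   ["Domain Users", "Domain Admins"]),
    ("carol-adm",  True,  date(2024, 4, 30),  ["Domain Admins"]),
    ("dave",       False, date(2023, 1, 1),   ["Domain Users"]),
]

HOSTS = [
    # (host name, release date of the oldest patch still missing, or None)
    ("web01",        date(2024, 4, 20)),
    ("fileserver01", date(2024, 2, 10)),
    ("dc01",         None),
]


def stale_accounts(accounts, as_of, max_idle_days=90):
    """Enabled accounts with no logon within max_idle_days: candidates to disable."""
    cutoff = as_of - timedelta(days=max_idle_days)
    return [name for name, enabled, last_logon, _ in accounts
            if enabled and last_logon < cutoff]


def excess_domain_admins(accounts, admin_suffix="-adm"):
    """Domain Admins members that are not dedicated admin accounts.

    Assumed convention: a dedicated admin account carries the "-adm" suffix
    and is used only for administration. Anything else in Domain Admins
    (daily-use user accounts, service accounts) is flagged for review.
    """
    return [name for name, enabled, _, groups in accounts
            if enabled and "Domain Admins" in groups
            and not name.endswith(admin_suffix)]


def patch_lag(hosts, as_of, max_lag_days=30):
    """Hosts whose oldest missing patch has been available longer than max_lag_days."""
    return [host for host, oldest_missing in hosts
            if oldest_missing is not None
            and (as_of - oldest_missing).days > max_lag_days]


def hygiene_report(accounts, hosts, as_of):
    """Bundle the three checks into one dict of findings, the shape of
    evidence an auditor or insurer would ask to see after an incident."""
    return {
        "stale_accounts": stale_accounts(accounts, as_of),
        "excess_domain_admins": excess_domain_admins(accounts),
        "patch_lag": patch_lag(hosts, as_of),
    }


if __name__ == "__main__":
    for check, findings in hygiene_report(ACCOUNTS, HOSTS, AS_OF).items():
        print(f"{check}: {findings or 'none'}")
```

Run against the constructed data, the report flags "bob" as stale, "svc-backup" and "carol" as non-dedicated Domain Admins members, and "fileserver01" for patch lag; the disabled account "dave" and the dedicated "carol-adm" account are not flagged. The point of keeping such a report dated and archived is that it documents the regular review process the post describes, which is what a victim has to show when the insurer asks whether the loss was preventable.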