Is it covered? Spectre and Meltdown
In this installment of our blog we ask the age-old insurance question: Is it covered?
As you may have read in our last post, two major security flaws were recently discovered in the processors that power nearly all of the world’s computers. The two techniques discovered to exploit these flaws, nicknamed Meltdown and Spectre, could allow hackers to steal data and secrets from any vulnerable computer, including mobile devices.
To put this into perspective, it is estimated that over 2 billion computers are affected (you read that correctly). Any software platform running on top of a susceptible processor is potentially vulnerable because the flaws are with the computer processor itself.
This isn’t a software bug like you might find in your operating system or browser. Nor is it a physical defect in the processor itself. Meltdown and Spectre aren't really "bugs" at all. Instead, they are methods to take advantage of the normal ways that many processors work for the purpose of extracting secrets and data. Although most major vendors by this point have rolled out patches for Meltdown, Spectre has proven more difficult to patch (although it is also harder to exploit). If you haven't already done so, make sure to patch all of your devices and software, and continue to do so regularly.
So, is it covered?
Several of our clients have reached out to ask this very question as a result of the widespread media coverage on this topic. To answer this question, it’s important to recognize that these flaws, like other technology vulnerabilities, merely provide one means by which a hacker could compromise the confidentiality, integrity, and availability of your data and systems. However, as we explained in our previous post, even though nearly every computer is vulnerable, the probability you will be impacted is very, very low. In the unlikely event it is, coverage will depend upon what data or secrets are obtained, and to what end they are used.
For example, a hacker could use the flaw to steal protected information such as passwords, personally identifiable information (PII), payment card information (PCI), or protected health information (PHI) from any vulnerable computer.
This is a textbook example of a data breach, an event that is typically covered by cyber insurance. However, what would happen if the information obtained (e.g., your password) was used to steal money from your bank account? To wipe your company's data? To send misleading e-mails to your partners? Or to gain unauthorized access to an industrial control system? Are you covered then?
Cyber Insurance must respond to more than just data breaches. Cyber insurance must respond to all cyber risk exposures.
Meltdown and Spectre, like almost every other security flaw, could result in any number of exposures including loss of funds, reputational damage and consequential loss, property damage or even bodily injury. We believe that cyber insurance should cover all cyber risk exposures, not just data breaches. We provide coverage for all of these exposures and many more. However, not all cyber insurance policies do.
If you currently have cyber insurance with another carrier, you should carefully review the coverage provided under your policy, and consider whether they adequately cover the loss scenarios applicable to your business. Data breach is often just the start.
While we would love to say that insurance will respond to every possible loss exposure, there are still many things that cyber insurance, including our own policy, does not cover. For example, it typically doesn’t cover the value of lost intellectual property or trade secrets. Nor does it cover the cost to replace affected processors or computers. I’m afraid you'll have to take this up with the manufacturer or the distributor you purchased them from.
tl;dr
Patch your systems!
Meltdown and Spectre are covered by Coalition just like any other security flaw, but only for the liability and loss types insured for in your policy.
A complete list of our coverages may be found here. C
companies providing technology products or services should also consider Technology E&O coverage for related exposures