Denial of Service Attack Tests Cyber Insurance Products – What Does Your Policy Say? (Part 2)
The distributed denial of service attack (DDoSs) on October 21 against Dyn impacted Twitter, Airbnb, Netflix, Spotify, The New York Times and many more websites of small and large businesses alike. Although most articles list a few brand names, hundreds of companies across business sectors felt the attack directed at one shared Internet service.
The attack is estimated to have caused US $110,000,000 in total business interruption (BI) loss, with much of this cost borne by insured policyholders within coverage deductibles.1
This event provides a great opportunity to test your Cyber policy. Would you cover the BI loss?
How does your policy respond to a denial of service attack that is not directly aimed at your insured's network but still interrupts your insured’s business?
A denial of service (DoS) attack typically targets a particular company network to impede operations at that company. One type of DoS is a distributed denial of service (DDoS) attack, which involves a multitude of connected devices inundating a target “with junk data blocking legitimate users.”2 That is what happened on October 21. But what made the attack notable for this discussion was that it targeted Dyn, a service that “directs” Internet traffic (“tens of millions” of IP addresses) to over 1000 website domains.3 That flow of web traffic – and customers – to those businesses was impeded. A combination of factors made the attack “one of the largest DDoS events known.”4 For our purposes, it demonstrated how an attack directed at one business can indirectly impact a multitude of unrelated businesses.
How does this “direct vs. indirect” attack distinction matter to your insurance product? Based on an analysis of available information, almost all policies with BI provisions in the small business marketplace cover a denial of service attack aimed at the policyholder’s computer system for that policyholder’s lost income. However, many do not appear to cover an attack on a third-party system (such as Dyn) that ultimately causes an interruption for your policyholder. To the insured policyholder, it’s still an interruption with lost income, but the indirect nature of the attack matters to coverage under many insurance products. And, from a practical standpoint, the indirect scenario is more likely than an organized direct attack on a small business.
To find how your policy responds to a denial of service attack like the one here, check these provisions:
- Business Interruption - Some BI clauses require that the insured's lost income be a “direct” result of the attack or covered event. Will that language preclude coverage when the interruption is an “indirect” outcome of an attack on another entity?
- Definitions - Denial of Service Attack, Computer Attack, Covered Cause of Loss, Incident - The terms vary, but many definitions end up at the same place: the attacks must be directed against or designed to impede access to the insured’s computer system. In other words, the insured must be the target, and not just a victim. In contrast, a few policies add that the event can be a "specifically targeted attack or a generally distributed attack."
- Exclusions - Internet, General Denial of Service Attack - Some forms rely on exclusions to communicate or reinforce intent. The policy may exclude loss arising from the Internet, an Internet service provider or another party's computer system. Yet another approach is to exclude attacks "not directed principally" at the insured, or that generally affect computer systems or networks.
What does your policy say? There is no right or wrong answer. What matters is if you expect one answer but your policy provides another. You might prefer to cover such an attack over fielding calls from angry policyholders, or you might want to avoid this type of accumulation exposure. Either way, you will know what is actually in your policy and can decide if that is what you ultimately want from your policy. Of course, many policy provisions affect BI coverage; the waiting periods and deductibles in many policies are why the October 21 attack did not result in more insured loss. However, the general vs. specific attack language can shut the door before you get into the specifics of the interruption.
We take policy language seriously here at Gen Re. Carriers want forms to match intent. Clear language prevents delays, unexpected claims and costly litigation. It’s not a matter of form over substance; it’s a matter of the substance being in the form. If we can help you evaluate Cyber policy products and trends, give us a call. Our Cyber team can help you find the answers.
With thanks to my former colleague, Wendy Woolf, who contributed to this article.
- "From Disaster Scenario to Reality: Modeling the Dyn Cyber Attack," AIR In Focus blog, October 27, 2016.
- "Dyn Says Cyberattack Has Ended, Investigation Continues," Wall Street Journal, October 24, 2016.
- Ibid at Note 2.
- Ibid at Note 2.