Attacks on Networked Devices Raise Uncertainties for Business Interruption Policies

Most people are aware of the risks post by the IoT, but few are prepared. In a report released last month, Cisco warned that supply chain attacks are “increasing in velocity and complexity,” cautioning that the attacks can “impact computers on a massive scale and can persist for months or even years.”[1]

Last year, the Ponemon Institute surveyed 553 individuals who have a role in risk management in industries such as financial services and healthcare to understand organizations’ level of preparedness for the IoT risks.[2] While 76 percent of respondents think that a DDoS attack is likely to occur in the next two years, only 44 percent say their organizations have the ability to fend off IoT attacks. A whopping 77 percent of respondents don’t consider IoT-related risks in their third party due diligence and 67 percent don’t evaluate IoT security and privacy practices before engaging in a business relationship. Many organizations are still relying on traditional network firewall to defend cyber attacks.

A DDoS attack on a cloud vendor or other internet service provider’s network can interrupt businesses up and down the supply chain, incurring massive business losses.[3] Traditional cyber policies usually don’t provide contingent business interruption coverage, and traditional business interruption coverages exclude failure of systems owned by third-party providers. Fortunately, the insurance industry is changing rapidly in response to the technology development. However, limitations still exist.

First, the limits of liability in these policies are relatively low. This is because insurers are wary of the catastrophic loss, considering that one cloud vendor or other internet service provider typically serves a significant portion of an industry. The failure of one vendor could cause billions in business interruption. Second, most policies still impose a 12-hour waiting period, during which coverage is not available. Most IoT attacks don’t last for 12 hours and even the above-mentioned attack on Dyn, the largest DDoS attack yet on a US company, was resolved in 11 hours. Companies relying on the Internet can suffer significant losses during the waiting period.

The attorneys at Slater Hersey LLP have deep experiences in negotiating complex insurance policies and litigating complicated insurance claims. If you need assistance in reviewing your existing insurance policy or proposed contracts, or you need to file a claim for your own business interruption, we are here to help. Call us today to schedule a consultation.

______________________________________________

[1] Cisco Warns of Internet of Things, Supply Chain Risk, THE SECURITY LEDGER, https://securityledger.com/2018/02/cisco-warns-of-internet-of-things-supply-chain-risk/ (last visited Mar. 12, 2018).

[2] Ready or Not, IoT Third Party Risks Are Here, HELPNETSECURITY, https://www.helpnetsecurity.com/2017/06/01/iot-third-party-risks/ (last visited Mar. 12, 2018).

[3] For example, a DDoS attack on Dyn, a DNS provider, brought down sites like Etsy, Netflix, and Twitter. A Massive Cyberattack Knocked Out Major Websites Across the Internet, BUSINESS INSIDER, http://www.businessinsider.com/amazon-spotify-twitter-github-and-etsy-down-in-apparent-dns-attack-2016-10 (last visited Mar. 12, 2018).