Insureds Need To Make Sure Their Cyber Policies Cover Being Hacked By Foreign Governments
Yet another cyber crime turned out to be government action. The WSJ reports that Kaspersky Labs (the famous anti-virus company) claims the Israeli spy agency hacked into their systems with a bespoke virus that Israel also used to target (among other things) some luxury hotels hosting the Iranian peace talks.
I hope that small businesses are not big enough fish for foreign governments to bother hacking and therefore do not need to worry. Of course, that assumes that foreign governments don't decide to balance their budget with smash-and-grabs or steal treasure troves of personal information for inscrutable purposes. And at least some cyber criminals do target small business when trying to loot credit card information.
Every time I read one of these stories, I think back to a blog post I wrote last October about the war exclusion and cyber policies. Cyber policies with war exclusions often will not cover governments hacking your computers and stealing your data. And since that's a real risk these days (as the regular stream of stories about one government or another hacking people's data makes clear) insureds should make sure they get cyber policies that will cover that kind of risk.
Admittedly, it is not 100% clear that it was a government that did it. The evidence is circumstantial and governments rarely fess up. Nobody ever admitted to inventing Stuxnet, although it is widely believed to be a state-sponsored cyber-weapon. But for coverage purposes, the legal standard of proof will be "more-likely-than-not." And in light of the growing amounts of evidence, an insurer facing a mega-million dollar data breach might decide to hire some experts and try to prove that more-likely-than-not a foreign government stole the data so the insurer does not have to pay.