October was National Cyber Security Awareness month. The goal was to raise awareness about the importance of cybersecurity. That message was underscored on October 21, 2016, when attackers staged a massive cyberattack against Dyn, a company that provides services that help Internet users connect to Dyn’s customers’ websites. The attack on Dyn had the effect of disrupting access to major websites, such as Twitter, Netflix, and The New York Times, as well as perhaps lesser known but no less critical websites that many companies rely on for hosted services that they use to operate their businesses.
The attack against Dyn took the form of a distributed denial of service attack, or DDoS attack. Such attacks aim to block legitimate access to online services by flooding them with meaningless Internet traffic. Although such attacks are not new, the attack on Dyn introduced several new twists. First, the attackers did not attack Twitter and other websites that were affected; rather, they targeted Dyn, a company on whose Internet services such websites rely. Second, the attackers used malware to infect and combine numerous Internet-connected devices, such as DVRs and baby monitors, into a potent cyber weapon known as a botnet. By stringing together numerous such devices from all over the world, the attackers were able to magnify the strength of the attack. Third, the attack on Dyn created a widespread waterfall effect by making the websites of Dyn’s customers unreachable by Internet users.
Although most of the effects of the attack on Dyn were cleared up within a day, the event may offer a troubling glimpse of more powerful and disruptive attacks to come. As a consequence of such attacks in the future, companies that depend on Internet-based services could face significant disruptions. Companies could also face litigation or liability if their own customers cannot access the services they themselves provide over the Internet. It is conceivable that companies that employ Internet-connected devices with weak security that attackers are able to commandeer for malicious purposes could also face litigation or liability.
Many companies are no doubt evaluating their cybersecurity preparedness in the event that an attack like the one on Dyn happens again. As part of the process, companies should also take a look at their insurance policies, particularly their cyberinsurance policies. Using the DDoS attack on Dyn as an example, companies should ask whether and to what extent their cyber policies would provide coverage for business interruption or liability in the event that they were impacted by a similar attack. This tabletop exercise can help risk managers and in-house counsel understand whether their companies have adequate cyber coverage for such an event, or, if not, how their cyber coverage can be improved. The following are some starting points to consider.
Dependent Business Interruption Coverage: As noted above, the DDoS attack on Dyn had a disruptive effect on its customers’ websites. Cybersecurity policies often include coverage for business interruption, but not all cyber policies include dependent or contingent business interruption coverage; such coverage applies in the event that a company that provides services to the insured experiences a cyberattack that in turn impacts the insured’s operations. Even when cyber policies provide such coverage, they often require service providers to meet certain conditions, such as being listed by name in an endorsement to the policy. Insureds should consider whether their cyber policies would afford business interruption coverage in the event that an attack on a service provider disrupts the insured’s operations and whether any requirements for service providers are satisfied.
Coverage for the Inability of Customers to Access Services: The attack on Dyn blocked customers from accessing Internet-based services. With this in mind, companies that provide such services should query whether their cyber policies would respond to suits by their customers alleging that they were unable to access the companies’ website or network. Policies, such as errors and omissions policies marketed to companies that provide Internet-based services, often include such coverage. As discussed below, this coverage should be read in conjunction with any contractual liability exclusions in the policy to ensure that it is not improperly limited.
Trigger: It is not enough to know that a cyber policy offers a certain type of coverage. As with any insurance policy, it is crucial to understand what events trigger coverage. But unlike many types of coverage, which have become more or less standardized over time, cyber policies often differ in the way that they describe triggering events. The attack on Dyn was a DDoS attack. A crucial question for insureds to ask is whether a DDoS attack on a service provider would trigger coverage. Some policies specify that DDoS attacks trigger coverage while others do not.
Definitions: At the core of any cyber policy are the definitions of certain key terms such as “computer system” and “network.” The use of Internet-connected devices in the DDoS attack on Dyn raises the question of whether such terms encompass Internet-connected devices. It is surprising to see the many ways that cyber policies define terms such as “computer system.” Some definitions are broader than others. It is thus important to consider whether the definition of computer system (and similar terms) encompasses Internet-connected devices and otherwise adequately describes the insured’s computer system.
Exclusions: Dyn is frequently described as providing services that are part of the Internet’s infrastructure. Many cyber policies contain exclusions that relate to electrical or telecommunication infrastructure failures. Some exclusions, depending on wording, may extend to interruptions or outages of the Internet. Although such exclusions may not be intended to apply in a situation like the attack on Dyn, such exclusions should be narrowly drawn to limit attempts to apply them broadly.
Another exclusion found in many cyber policies precludes coverage for violations of any state or federal law concerning the transmission of unsolicited information. The attackers who targeted Dyn used Internet-connected devices owned by others to flood Dyn’s servers with junk Internet traffic. The possibility that the unsuspecting owners of such devices may face liability is remote. But policies with exclusions that may apply to unsolicited information should nevertheless contain an exception preserving coverage in situations where an attacker uses an insured’s systems to perpetrate a DDoS attack.
Any contractual liability exclusions should also be reviewed. Such exclusions in cyber policies vary from policy to policy. Some are limited to assumptions of liability while others apply broadly. For companies whose customers may be unable to access the companies’ website or network during a DDoS attack, the contractual liability exclusion should contain a carve-out (or be omitted altogether) to preserve coverage in such instances.
In short, the DDoS attack on Dyn is a reminder that the cybersecurity threat environment is constantly evolving. But cyberinsurance policies may not necessarily be keeping up with the latest cybersecurity developments. It is thus important for insureds to periodically review their cyber policies to determine whether and to what extent they may respond to the latest cybersecurity threats. Insureds can do this by testing major cybersecurity events that make the headlines against the terms of their cyberinsurance policies. Using this exercise, insureds can develop a better understanding of what their cyberinsurance policies cover and whether they need to take steps to enhance their coverage.