On October 8, 2014, the Department of Homeland Security reported that over the course of several months, the network of a large critical manufacturing company was compromised. According to the ICS-CERT Monitor, the compromised company is a conglomerate that acquired multiple organizations in recent years, resulting in multiple corporate networks being merged. The Department of Homeland Security concluded that these mergers introduced latent weaknesses into the company’s network, allowing hackers to go largely undetected for a significant period of time.
The incident raises some issues for cyber insurance. That the incident occurred over several months suggests that trigger dates for cyber insurance be examined. The reported attack is an example of why certain policyholders should look for policies that cover system intrusions occurring over significant periods of time. Policies limiting their coverage to events occurring during the contractual period (or to a short prior period) can be unduly restrictive. This can be especially important where coverage is sought for Advanced Persistent Threats, where hackers often “footprint” the organization for a considerable period of time before even attempting infiltration.
Further, corporate mergers and acquisitions can complicate not only network security but insurance coverage as well. While merging the networks of different organizations can lead to security weaknesses, it can also lead to coverage gaps. For example, policies that restrict coverage to the networks of a particular insured party may, after a corporate transaction, no longer apply to the corporate network, or the liabilities and losses of a surviving entity. Thus, corporate transactions may be a time not only for evaluating information security risks, but for determining whether existing insurance extends to those exposures.