nimbius 2 months ago

It's pretty spectacular what major insurance does not cover in the digital context.

For example, I work as an automotive engine mechanic for a small chain of midwestern shops. Recently we had a Tesla owner drive in for servicing a recalled suspension control arm. We were approved to do the work by Tesla and had the parts shipped directly from California. Once the work was completed, we informed the customer in the waiting room, who immediately took it upon himself to "auto-pilot" the car out of the garage while it was still on the lift.

The car happily obliged, and backed itself off a lift six and a half feet to the ground in a pretty spectacular display. No one was hurt, thankfully; however, our shop insurance refused coverage for our damaged lift, and the Tesla owner's auto insurance refused coverage as well because he was technically not driving the car at the time. The customer had to pay out of pocket for repairing his car, as well as our lift.

  • justin66 2 months ago

    > The customer had to pay out of pocket for repairing his car, as well as our lift.

    Given the level of dangerous stupidity they displayed, that seems like a decent enough outcome.

    • Doxterpepper 2 months ago

      > Given the level of dangerous stupidity they displayed

      Wouldn't that apply to most car accidents on the road? Stupid decisions by at least one party leading to someone's insurance paying the bills?

  • silverwolfe 2 months ago

    This is why the first thing Tesla service does is disable mobile access while the car's in the shop.

  • yub 2 months ago

    I have a tough time believing this.

    1. You're telling me you had a vehicle up on a lift, by its wheels, and there was no chuck or gates to stop the vehicle from rolling?

    2. I'm assuming you're saying the customer used "Summon" to remotely move the car. a. Summon will immediately stop the car if it detects even the slightest bump. b. Summon will immediately stop the car if it detects the wheels are off the ground, which is relevant because: c. Summon moves the vehicle at like 3mph, so even if the vehicle was AWD, since most of the weight (which is distributed throughout the vehicle) is still over the lift, there is definitely not enough momentum to push it off the lift. d. I am fairly doubtful the auto insurance would not cover this, especially if the guy had comprehensive insurance.

    • lohszvu 2 months ago

      Chucks are there to stop a vehicle from accidentally rolling or being pushed away. They aren't designed to stop an electric vehicle (that has tons of low-rpm torque) from being purposefully driven off.

      • olex 2 months ago

        Tesla's Summon mode has very low torque limits; it will barely make it up a slightly slanted driveway.

      • yub 2 months ago

        Like I said, Summon will immediately stop the car if it detects even the slightest bump.

    • JoshMcC 2 months ago

      Me too. Doesn't make any sense.

  • w8vY7ER 2 months ago

    Auto-pilot requires the driver to be in the vehicle. I'm guessing this was the Summon feature activated from their app? What a complete waste.

    • Wowfunhappy 2 months ago

      If this is what happened, it's not that stupid on the part of the customer. Or perhaps better phrased, it's within the realm of what I would expect some users to do given this feature.

      Tesla should have accounted for this.

      • JoshMcC 2 months ago

        It's still _extremely stupid_ on the part of the customer (if it really happened). No smart person would begin Summon if they can't even see the car. And if they _could_ see the car _on the lift_ and still began Summon, then they're the dumbest person in the world.

      • coredumperror 2 months ago

        That feature (Advanced Summon) isn't even out yet. Only a tiny fraction of beta testers have it, so it's unlikely that this idiot has the feature.

        Secondly, Tesla specifically states that you must have the car in line of sight before you enable Summon (which only goes straight forward and backward by 25 feet), so this guy is absolutely a complete moron for doing that.

        • Wowfunhappy 2 months ago

          > Secondly, Tesla specifically states that you must have the car in line of sight before you enable Summon

          Just how explicitly is this instruction presented? For better or worse, I don't think you can expect users to read everything presented to them. (Partly because we bombard them with cookie notices, ads, and other crap)

          • JoshMcC 2 months ago

            You don't need to read anything to know you don't tell your car to move by itself if you can't see it, with current Summon. With the new Advanced Summon, you would not need to see the vehicle because it would have more protections in place. But you still wouldn't Advanced Summon the car if you don't even know where it is (e.g. still on the lift or not)... unless you're a moron.

          • sotall 2 months ago

            It's not an instruction, it's a software limitation. If you aren't close enough to the car, Summon doesn't work. I think it's basically Bluetooth range.

            Enhanced summon is a different story, though that feature basically no one has yet.

  • rabi_penguin 2 months ago

    You wouldn't happen to have captured this on video, would you? I'm not sure if this is more unfortunate or hilarious.

  • user5994461 2 months ago

    I'm not sure I understand. Is there a thing to have your car drive itself home at the press of a button, from the internet?

    • throwaway2016a 2 months ago

      It lets you go forward and back. Only works if you are within Bluetooth range and keep your finger on the button in the app. If you let go the car stops. It will actually make minor turns to avoid hitting stuff. Though apparently not going off cliffs.

      Good for a party trick but in general I have yet to find a good real use case for it.

      Using it without being able to see your car is pure idiocy.

      • eclipxe 2 months ago

        I have a gym in my garage that folds up into the wall. I use summon to pull the car out of garage before a workout and pull it back in when done. It’s a small thing but something I do every night. The convenience is just a really great nice to have.

      • dsfyu404ed 2 months ago

        >Good for a party trick but in general I have yet to find a good real use case for it.

        It's particularly hilarious when you and several buddies are watching the meter maid try to put a ticket on it. It's probably occasionally useful for adjusting a car in the driveway but yeah, it's 99% party trick.

        It could theoretically be useful for attaching a trailer but most Tesla owners aren't doing that and the collision detection system will probably go crazy and prevent you from getting close enough to the trailer to actually couple it to the car.

        • coredumperror 2 months ago

          It's great for parking in cramped spaces, at least at home (where you won't get yelled at in a public parking lot). I use it daily so that I can get out of my car before parking it in my carport next to my neighbor's giant SUV.

        • Scoundreller 2 months ago

          I could see it useful to have “Tesla” parking spots that are 10% narrower to improve space utilization.

        • chris_mc 2 months ago

          Yes, humiliating other people is hilarious...

          • dsfyu404ed 2 months ago

            I assure you it wasn't nearly as big of an obstacle to the guy writing the ticket as you think it would be. Humans are very good at improvising when a new situation is thrown their way.

            • chris_mc 2 months ago

              I assure you, bothering someone like this when they are trying to get through their day is not hilarious to that person. Not only did your friend act like an ass and park illegally or over the time limit, but they then risked possibly running over a person's foot or something while fucking around.

    • spullara 2 months ago

      It has been useful in the past to get out of a parking spot that in my absence has become too small to open the doors adequately.

    • w8vY7ER 2 months ago

      Today, the public software allows you to move it backwards and forwards through the application if you're within range of the vehicle.

  • JoshMcC 2 months ago

    Suspension, so you'd be lifting from the body of the car instead of the tires in order to access the components (and surely remove the wheels), right? Then how in the world would something like this happen? Need more details.

  • hbarka 2 months ago

    Sounds like a tall tale.

  • JoshMcC 2 months ago

    We need to see pics.

  • staticautomatic 2 months ago

    Your comment seems to be attracting a lot of first-time posters taking defensive positions on Tesla's behalf...

krisrm 2 months ago

This is messy. On one hand, how are insurers supposed to properly cost and be able to provide payouts for a "cyberattack", which might be anything from "our company website was DDoSed for 30 minutes and we lost 50 customers" to "our production lines were shut down and our company ground to a halt for two weeks"?

On the other hand, if insurers know they can invoke a cyberwarfare clause and deny a claim, even if the attack may not have been state sponsored, the insurance is certainly worthless.

  • arcticbull 2 months ago

    IMO this feels like the whole point of insurance. You could restate this as "how are insurers supposed to cost and provide payouts for fires in the factory? It could be anything from a tiny, contained garbage can fire to the whole place going up in a blaze! [0]" Or chemicals in the case of TSMC [1]. Or blackouts at Samsung [2]. Any of this could have been industrial espionage on the same scale as a state-sponsored cyberattack. This is the domain of actuaries.

    Of course, they're neither required nor obligated to provide such cover.

    • ozim 2 months ago

      Where I live you pay premium, let's say $50 a month and then you get let's say $10000 of your damages covered. So that is what you get from insurance company $10000 and the rest is yours to pay. They just look at the probability like "hey this guy is storing fuel, fire insurance for someone who stores fuel is $100 a month and we can pay only up to $20k".

      So it is easy to calculate for insurance companies; they don't go over the factory inventorying what you have in the factory. It is your responsibility. (They only go afterwards to see what was damaged, because that is what they care about.)

      Of course you can pay some insurance expert to assess your assets and tell you to buy more expensive or less expensive insurance, but there are no magic super-specific algorithms for "if 10 people die we pay $50k, if 20 people die we pay $100k". All insurances pay up to some amount based on what your monthly/yearly payment is.

  • admax88q 2 months ago

    > On one hand, how are insurers supposed to properly cost...

    That's more or less the core competency of insurance providers...

    • krisrm 2 months ago

      Well, no argument there, but I wrote more words in that sentence that you cut off.

      My point is that a "cyber attack" is poorly constrained compared to something like a fire or a flood... a company only has so many assets, valued at $X, that are liable to be burned to the ground or ruined by a flood, and these constraints can be modeled and adjusted for. Perhaps I am mistaken, but I don't see a cyberattack as being analogous to anything else in the insurance industry.

      • sandworm101 2 months ago

        >> compared to something like a fire or a flood

        Those are not easy things. People litigate the difference between fire and flood damage all the time. (Putting out a fire normally involves lots of water.) Sometimes flooding in building X even causes a fire in building Y. Is that covered by "fire" or "flood" insurance? The difference between various cyber attacks isn't substantively more complicated than any of the traditional insured risks. The issue is that insurers haven't invested in the experts needed to properly assess those risks. That is their problem to solve, not the customer's.

        • arcticbull 2 months ago

          Agreed with everything you said, though 'it's their problem to solve' should they decide to offer cyberattack coverage and sell it; otherwise it is the customer's.

      • resoluteteeth 2 months ago

        If it's so hard to model then why are these insurance companies offering "cyberinsurance" in the first place?

      • pbhjpbhj 2 months ago

        Well a fire can do anything from cause a slight smell -- bread toaster or battery dropped in to a metal bin, maybe -- all the way to complete destruction of property and loss of lives, potentially ending the business. Seems relatively analogous in that respect to cyber attack?

      • arcticbull 2 months ago

        Maybe I'm misunderstanding but aren't a fire and a cyberattack both capped at 100% of the value of the company? If the fire takes out the whole place, or a cyberattack empties out an equivalent amount from their bank accounts, the difference feels immaterial.

        • thfuran 2 months ago

          What if a fire spreads to other properties not owned by the insured or destroys things on company premises but not owned by the company?

          • arcticbull 2 months ago

            Fair point, I was wrong to say 100% of the property value, though I imagine the upper bound of the damage is fairly comparable in both cyber attacks and physical attacks.

      • rolph 2 months ago

        Perhaps riot or vandalism [acts of civil disobedience].

  • jrochkind1 2 months ago

    Insurers are under no obligation to offer policies which cover cyber attacks, and can even explicitly exempt them in their policies.

    However, in this case:

    > Mondelez said in a statement that while its business had recovered quickly from the attack, Zurich Insurance was responsible for honoring an insurance policy that explicitly covers cyber events.

  • 0xDEFC0DE 2 months ago

    This hinges on the US assigning attribution, and to be fair, the US probably has a better idea than an insurance company.

    If the FBI publicly arrests some teenager or former employee related to a company hack, and the insurance tries to use a cyberwarfare exception, then we can go grab the pitchforks.

    Both sides of this are going to get tested though: does the US actually have a definition for cyberwarfare and is that the same as what's in the insurance contract? Do countries have to publicly declare cyberwar (but not necessarily regular war) on other countries for this clause to be valid? What due diligence do companies have to do to prove they weren't part of a cyberwarfare hack?

    This headline is misleading though. Big companies know what's in those contracts. Maybe this is a kick in the pants for more scrutiny of those contracts to strike things like cyberwarfare.

    • yub 2 months ago

      But the definition of "cyberwarfare" is unclear.

      If Russia declared war on the US, and attacked US companies, it's pretty clear this is cyberwarfare.

      If Anonymous DDoSes your website over some vendetta, because they declared "war" on your company, is that cyberwarfare? Does a declaration of war by a non-nation-state count as cyberwarfare?

      If North Korea compromised your servers to mine Bitcoin, is that cyberwarfare? Does any action by a nation-state count as cyberwarfare?

  • imgabe 2 months ago

    > how are insurers supposed to properly cost and be able to provide payouts for a "cyberattack", which might be anything from "our company website was DDoSed for 30 minutes and we lost 50 customers" to "our production lines were shut down and our company ground to a halt for two weeks"?

    The same way they properly cost and provide payouts for, say, fire which might be anything from "one room got slightly scorched" to "the entire building burned down".

  • jon-wood 2 months ago

    It wouldn’t surprise me if at first insurers throw their own internal security teams at this. They’re used to auditing third party systems, because insurers are constantly working with externally developed software and other companies.

    You could go a long way just building out a team with both underwriters and security professionals to setup baseline standards and evaluate customers against those.

  • repiret 2 months ago

    Auto insurers have no problem covering claims ranging from a chip in a windshield to eight car pileups with multiple fatal and life-altering injuries. The range of possible losses doesn't really make it harder for insurers. The fuzzy definition of an act of cyber war is what makes it hard for policyholders though.

    • jrochkind1 2 months ago

      Nah, what makes it hard for insurers isn't that we don't know what an "act of cyber war" is. That just comes up when they try to get _out_ of it, and the same thing comes up with non-cyber "acts of war" -- it might make it hard on customers who are trying to file claims, but it's not hard on the companies.

      But it _is_ hard on insurers to do underwriting on cyber attacks -- UNRELATED to the "war" exemption, even non-war attacks. Because it's _new_, so they don't have all the historical data and methods for estimating risk. As others are saying, this is the business insurance companies are in: estimating statistical risk and figuring out the right premiums to charge to cover it. But the cyber stuff is new, which _does_ make it hard.

      As the original article says:

      > Cyberattacks have created a unique challenge for insurers. Traditional practices, like not covering multiple buildings in the same neighborhood to avoid the risk of, say, a big fire don’t apply. Malware moves fast and unpredictably, leaving an expensive trail of collateral damage.

      But nobody said they had to cover cyber stuff. They can put stuff in their policies saying they don't cover it at all, if they don't know how to underwrite it. What they can't do is put stuff in their policies saying they cover it, take your premiums on that basis, but then try to weasel out of it.

burtonator 2 months ago

It might actually be a good thing in the long term as insurance companies may require 3rd party audits and that you comply with basic security practices.

  • Animats 2 months ago

    More like in the short term. A friend of mine just got a job at a SF startup for that. They're a consultancy which evaluates computer security for insurance companies, before they insure a business. She used to work on AI for intrusion detection, so they're hiring serious people for this.

    There are specialty insurance companies which cover specific risks and know how to evaluate them. The classic is The Hartford Steam Boiler Insurance Company.[1] They were the first insurance company willing to insure steam boilers. About half their employees are boiler inspectors. When they started, in 1866, nobody else would touch that business.

    They inspect before they insure. Typically, they send inspectors and provide the boiler owner with a to-do list. Then they come back to see if everything was fixed. Only then does HSB write a policy. Their policies give them the right to come in at any time and inspect. Which, randomly, they do.

    Boring old Hartford Steam Boiler is expanding into computer systems insurance.[2] But they are not as hard-ass about inspections as they are with boilers, unfortunately. They know how to keep boilers from blowing up. Computer security isn't there yet.

    • curry-castaway 2 months ago

      > They're a consultancy which evaluates computer security for insurance companies, before they insure a business.

      Can you share the name of the company?

  • dontbenebby 2 months ago

    But do audits show compliance with basic security practices, or compliance with PCI DSS and other standards which may be orthogonal to security?

    • wefarrell 2 months ago

      In this case it would be the insurance company who requests the audit, so there would be incentives to ensure that the audits are meaningfully preventative.

  • wvenable 2 months ago

    Insurance companies already do this, but that's not the point at all. You can be the victim of a cyberattack even if you do everything right, and the insurance company will refuse to pay out if it's tied (perhaps with little evidence) to a state-funded attack.

  • msla 2 months ago

    It might well kill the use of open source and small-company software in business, in that the developers/management behind said code can't pay insurance companies to say that their code will pass audit. Microsoft and Oracle will pass with flying colors, of course.

    • jabart 2 months ago

      Doubt it, there are a lot of PCI Compliant businesses that get audited with open source software in their systems. I'm sure they have a node_modules somewhere on their build server.

      When you have an attack that moves from your servers to your desktop computers, you have a network issue, which would be covered in an audit to verify you properly segment your network instead of having it in one large broadcast domain.

    • bluejekyll 2 months ago

      It could just as well lead to better support models for contributions to fix and audit open source.

      The open source model is benefiting too many businesses to just up and throw it out.

gcbw2 2 months ago

Interestingly, this might be the solution for digital security.

Get a nanny state (Hello California) to force companies to have insurance for cyberattacks.

Insurance companies will learn instantly how to do due diligence for real (as opposed to for compliance certification) to decide if they take clients or not.

Companies then, forced to have insurance, will have to implement minimal safeguards to be accepted in the insurer policy requirements.

Problem solved.

  • j88439h84 2 months ago

    If the business lost $100M as claimed, they may want to pay for cyber-attack insurance without being required to do so.

tedmcory77 2 months ago

Wow, this is huge. If cyber insurance doesn't cover cyber attacks, then what does it cover? Having seen the process for cyber insurance paying out for an intrusion, I'd be super concerned if I were a CSO/Chief Risk Officer and there's a chance the cyber insurance wouldn't cover you.

  • MiroF 2 months ago

    Seems a very odd strategy for cyber-insurance companies to take... If I were a large company insured by Zurich right now, I would definitely be reconsidering giving them my money.

DevX101 2 months ago

There's massive room in the market for a security-first company that offers insurance as a guarantee.

This company would essentially operate as the security team for clients and put in contractually enforced policies and follow through on implementation. If a client decides to not implement required security practices, then their policy immediately gets dropped.

This is the only scalable way I'd see to implement real insurance against cyber-attacks.

  • bitjson 2 months ago

    Our startup is working on this problem, initially for the javascript ecosystem. We’re offering insurance against vulnerabilities in javascript dependencies:

    We have open source developer tooling for signing and verifying signatures of javascript packages, and we’re offering security as a service, backed by up to $1M in insurance coverage.

    We’re still in beta, but we’d love feedback from HN!

DontGiveTwoFlux 2 months ago

Most insurers require customers to limit their risk in all kinds of ways.

I’m curious if there are cyber mitigations that are out there, such as mandatory two-factor authentication, requiring up-to-date software and OSes, or other measures. It seems like any insurance company would be highly interested in forcing these best practices.

  • csours 2 months ago

    You can do 1,000 things right, but one thing wrong may still sink you.

    With cybersecurity, there is an active adversary. I'm not sure insurance ever wants to take on that kind of risk. If they don't want that risk they shouldn't sell insurance.

  • wvenable 2 months ago

    This particular attack wouldn't have been mitigated by any of that. This is why you also have insurance in addition to doing everything you can to prevent an attack.

gibolt 2 months ago

If you are a large target many actors will be looking for your weaknesses. One bad actor will eventually find it, or just trick your employees to give them access.

Companies should make a solid effort to prevent the possibility, but I'm torn on what ramifications should be.

  • burtonator 2 months ago

    > One bad actor will eventually find it, or just trick your employees to give them access.

    Or do what the Russians do and use kompromat.

  • darkarmani 2 months ago

    > Companies should make a solid effort to prevent the possibility

    Isn't this what they do and then hedge the risk by covering their potential losses with insurance?

    If companies are not doing a good enough job with security, why does the cyber insurance not cost more? Priced properly, companies can choose between buying more coverage versus throwing more money at the "security problem."

Maven911 2 months ago

Similar to not relying on cyberinsurance when things go awry, the field as a whole is in an interesting shape: on one hand there is a dearth of skilled employees (1 million globally supposedly, according to reports), and on the other hand there are companies that do not want to train IT workers with the necessary cybersecurity skillsets to fill the gap and, in turn, rely less and less on the red herring of cyberinsurance. Talking to my colleagues who are looking to break in, even after taking training/seminars, which can be quite pricey, employers will tend to hire for junior roles at best.

dontbenebby 2 months ago

Sounds like a big "out" is claiming an attack was an act of war. But very few nations declare war nowadays. They have "police actions" or "peacekeeping missions."

Maybe telling these companies "no war was declared, so you must pay out" would be a good thing.

Insurance companies are powerful lobbyists both in the traditional K street sense, and the soft power sense.

(For the soft power sense, picture a major insurance company telling a nation state their state owned businesses can self insure moving forward, since the business cannot handle the risks they generate.)

  • OldHand2018 2 months ago

    > Maybe telling these companies "no war was declared, so you must pay out" would be a good thing.

    That goes against centuries of precedent. The only difference now is that it was "on the Internet".

  • southern_cross 2 months ago

    Don't forget, though, that the U.S. and North Korea are officially still at war, since no peace treaty was ever signed. So pin a cyber attack against a U.S. entity on N.K. and there you are!

rolph 2 months ago

How can an insurance company declare a state of cyberwar, or any other war in general? I thought that was exclusively a government function.

By extension, could we deny coverage when a bunch of crackheads raid someone's home, simply chalking that one up to the war on drugs?