Three Thoughts: Iranian Retaliatory Cyberattack
Many of you have heard the news that President Trump ordered a drone strike that killed a top Iranian military commander, General Qasem Soleimani. So, what happens next?
Well, according to news reports (e.g., here, here, here, here, and here), experts predict that Iran will likely retaliate with a series of "disruptive and destructive" cyberattacks on U.S. interests (including, business and government agencies). Given that retaliatory cyberattacks are likely (or have already begun), a few thoughts have crossed my mind that are worth noting.
1. Incident Response Plan
With news of retaliatory cyberattacks on U.S. interests, companies and government agencies––large and small––should take time to review your incident response plan.  As Benjamin Franklin once said, "if you fail to plan, you are planning to fail." So, don't let that happen.
Bottom Line: While it may be easy to think you're insulated from a cyberattack (i.e., small company, obscure industry, etc.), it might be prudent to treat Iran's threat like a fire drill. Do you have an incident response plan? If not, you may want to create one. If you have a plan, who is part of the team––executives, PR, HR, legal, security managers, technical lead? Do they know what to do, who to call (if your networks are down, you may not be able to email)? Having this information at your fingertips will serve you well should your company face a cyberattack now... or in the future.
2. Insurance and War Exclusions
With large data breaches appearing in the nightly news, it's no surprise that businesses are buying insurance to help cover their losses. If you don't already have an insurance policy for a data breach or cyberattack, you may want to rethink that strategy. Should you face a data breach, insurance can help cover losses/costs, such as damaged IT systems, business interruption, breach notification, remediation experts, and legal fees.
That said, with the threat of a retaliatory cyberattack, or any other warlike act, your insurer could deny your claim if your policy contains a war exclusion clause.  For example, Mondelez and Merck are each involved in litigation against their insurance companies stemming from the NotPetya cyberattack.  That attack was aimed towards the Ukrainian government and wildly attributed to Russia. In these cases, the insurance companies denied claims under the "act fo war" or "war exclusion" clauses.
Bottom Line: Given that the President targeted Iranian military officials "to stop a war," insurance companies may likely invoke "act of war" or "hostile or warlike action" exclusions to deny coverage stemming from a retaliatory cyberattack.  If that happens, you may be faced with the full financial burden in the wake of the attack.
3. Industrial and Infrastructure Sectors
A cyberattack in these sectors could potentially result in physical damage. Yes, that's correct. These sectors typically use industrial control systems ("ICS"), which is a term that generally includes a variety of control systems, devices, and networks that operate industrial processes. ICS are found in a number of industries, such as manufacturing (automotive, aerospace), food, beverage, electric, water, mining, nuclear, pharmaceutical, chemical, oil, and gas.
For example, the Stuxnet worm and German steel mill cyberattacks both targeted ICS and caused physical damage. In the Stuxnet attack (widely attributed to the U.S. and Israel), a computer worm was developed to target programmable logic controllers ("PLC") to destroy the centrifuges that enrich uranium at Iran's Natanz uranium enrichment facility. In the German steel mill attack, hackers spear fished emails to gain access to the internal network. Once inside, they were able to cause "massive" physical damage to the blast furnace by overriding its control system.
Bottom Line: Industrial sectors should beware that an attack on your systems could potentially result in physical damage, which may lead to bodily injury or loss of life. Accounting for these additional risks as part of your overall security posture is something to consider. For reference, in 2015, the National Institute of Standards and Technology ("NIST") published Special Publication 800-82 Rev. 2, Guide to Industrial Control Systems (ICS) Security.
 Simply, an incident response plan is the "documentation of a predetermined set of instructions or procedures to detect, respond to, and limit consequences of a malicious cyber attacks against an organization’s information systems."
 Typical "war exclusion" clauses contain language stating that the insurance company will not be liable to make payments for losses arising from hostile or warlike actions in times of peace or war, military actions (whether war is declared or not), invasions, rebellion, military uprising, as well as other actions taken to hinder or defend against any of the aforementioned events.
 Mondelez's all-risk property policy covers "physical loss or damage to electronic data, programs, or software, including physical loss or damage caused by the malicious introduction of a machine code or instruction . . . . " Merck had several policies, each of which appear to cover physical losses or damage to property, including "destruction, distortion, or corruption of computer data, coding, program, or software." Notably, Merck also had network and privacy insurance, but its insurers were making payments and had not otherwise contested their coverage obligations.
 Attack attribution can be difficult because hackers can easily obfuscate their tracks. For example, hackers can delete log files or make it appear as though the cyberattack originated from another location or IP address. So, if Iran doesn't take credit for any specific attack, or if they avoid using a uniform malware like NotPetya, companies may have a challenging task of determining whether the attack was from a "regular" hacker or if it was from an Iranian state actor or proxy.
. . .