by t0ddbonzalez 2384 days ago
>"And how are you so sure Merck's IT team didn't fail to have backups, redundancy, security patches, etc. to prevent an attack of any sort from being such a big deal?"

If the insurance claim is ~$1.3bn, we can safely say that the NotPetya cleanup isn't a trivial thing for them.

How many companies have we heard about who were totally screwed after a ransomware outbreak, because their only backups were online - network connected? Does anybody have offline backups anymore?

Is corporate IT negligent where it appears to have no disaster recovery plan?
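The post above asks whether anyone still keeps offline backups. The check below is an added example, not from the thread or any of its commenters: a small policy evaluator over a backup inventory that flags datasets whose only copies are network-reachable, whose offline copy is stale, or which have never had a restore tested. The copy-kind categories, the seven-day freshness window and the inventory itself are constructed assumptions for the example.

```python
"""Added example (not from the thread): a policy check over a backup inventory.

Rule encoded here: every dataset must have at least one recent copy that a
compromised host on the network cannot reach (offline media or an immutable
object-store bucket), because network-mounted backup shares get encrypted
along with everything else in a ransomware outbreak. Sample data is constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Copy kinds assumed unreachable from a compromised production host (assumption).
OFFLINE_KINDS = {"tape_offsite", "disk_offline", "object_lock"}
# Copy kinds reachable over the network from production hosts (assumption).
ONLINE_KINDS = {"smb_share", "nfs_share", "local_disk"}


@dataclass(frozen=True)
class BackupCopy:
    dataset: str
    kind: str
    last_success: datetime
    restore_tested: bool


def evaluate(copies, now, max_age=timedelta(days=7)):
    """Return {dataset: [findings]}; an empty list means the dataset passes."""
    by_dataset = {}
    for c in copies:
        by_dataset.setdefault(c.dataset, []).append(c)

    findings = {}
    for name, cs in by_dataset.items():
        issues = []
        offline = [c for c in cs if c.kind in OFFLINE_KINDS]
        fresh_offline = [c for c in offline if now - c.last_success <= max_age]
        if not offline:
            issues.append("no offline or immutable copy: only network-reachable backups")
        elif not fresh_offline:
            issues.append("offline copy older than %d days" % max_age.days)
        # A backup nobody has restored from is an untested assumption, not a recovery plan.
        if not any(c.restore_tested for c in cs):
            issues.append("no copy has a tested restore")
        unknown = sorted({c.kind for c in cs if c.kind not in OFFLINE_KINDS | ONLINE_KINDS})
        if unknown:
            issues.append("unclassified copy kind(s): %s" % ", ".join(unknown))
        findings[name] = issues
    return findings


NOW = datetime(2024, 1, 15, tzinfo=timezone.utc)  # constructed reference time
SAMPLE_INVENTORY = [  # constructed sample data
    BackupCopy("erp-db", "smb_share", NOW - timedelta(days=1), True),
    BackupCopy("erp-db", "tape_offsite", NOW - timedelta(days=3), True),
    BackupCopy("fileserver", "smb_share", NOW - timedelta(hours=6), False),
    BackupCopy("fileserver", "nfs_share", NOW - timedelta(hours=6), False),
    BackupCopy("ad-sysvol", "object_lock", NOW - timedelta(days=30), True),
]

if __name__ == "__main__":
    for dataset, issues in evaluate(SAMPLE_INVENTORY, NOW).items():
        print(f"{dataset}: {'OK' if not issues else 'FAIL'}")
        for issue in issues:
            print(f"  - {issue}")
```

Run as-is it reports `erp-db` as passing, `fileserver` as failing because both of its copies sit on network shares and neither has a tested restore, and `ad-sysvol` as failing because its immutable copy is a month old. The point of the unknown-kind finding is that a copy whose reachability nobody has classified should not silently count as offline.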

2 comments

> Is corporate IT negligent where it appears to have no disaster recovery plan?

Arguably, yes. Merck isn't a small-time start-up. They've been on the Fortune 500 list for 60+ years. They can afford whatever layers of backup and redundancy they need.

> Does anybody have offline backups anymore?

Previous gigs, for large ISPs and related orgs, did. This was on a team-by-team basis, though.

Any large organization that doesn't, at a bare minimum, implement NSA's Top Ten Cybersecurity Mitigation Strategies[1], ASD's Essential Eight[2], etc. is grossly negligent; and an insurance carrier willing to write a policy not conditional on implementing those strategies is equally negligent. The insurance carriers in this case could very well be attempting to deny payment under the acts-of-war exclusion because they're too incompetent or greedy to correctly write a cybersecurity policy.

[1] https://www.nsa.gov/Portals/70/documents/what-we-do/cybersec...

[2] https://www.cyber.gov.au/publications/essential-eight-explai...

>> too incompetent or greedy to correctly write a cybersecurity policy

Don't discount the insurers just yet. The act of war exclusion is likely preferable for the insurers because it would seem to broadly cover the entire incident and because it really doesn't require a whole lot of detailed discovery into Merck's internal processes. But if that fails, then the insurers will, most likely, once again try to deny the claim, this time focusing on the details of the cybersecurity-based policy exclusions.

My guess, with no evidence to back it up, is that the policy is very detailed and specific, and upon investigating its application, the insurers will reveal a lack of proper defense and mitigation processes by Merck, just as you describe.