The conflict in Ukraine, and wider geopolitical tensions, are reshaping the cyber threat landscape. As yet, the war between Russia and Ukraine has not led to a notable uptick in cyber insurance claims, however, it does point to a potentially increased risk from nation states. In addition to an increased risk of espionage, the conflict raises the risk for destructive cyberattacks against companies with ties to Russia and Ukraine, as well as those in neighboring countries and allies. The spillover of hostilities into cyber space could see targeted attacks against Western critical infrastructure, supply chains and corporations with the aim of causing physical damage or disruption.
There is particular concern that companies could become collateral damage in any cyber conflict between Russia or Ukraine. In 2017, destructive ‘wiper ware’ linked to Russia – known as NotPetya – spread to companies around the world, causing an estimated $10bn in damage and business interruption. In addition to the risk of contagious malware, there are also concerns that the tools and techniques used by nation states during the conflict could filter down over time to cyber criminals.
The cyber threat landscape is constantly evolving. As a global commercial insurer, we see new exposures and new threats emerging. Six months ago, few people were concerned about a hybrid cyber war. Now we see that supporters of Ukraine and Russia have been the targets of cyber-attacks, while critical infrastructure around the world faces an elevated risk. New forms of malicious attack are always to be expected.
Cyber War Clauses will Provide Clarity of Cover
Although acts of war are typically excluded from traditional insurance products, the invasion of Ukraine by Russia has accelerated the insurance market’s efforts to address the issue of war in cyber wordings and provide clarity of cover for customers.
Cyber risks pose systemic aggregations of exposure, particularly when it comes to war and conflict. A cyber conflict between nations could cause unimaginable damage and disruption to thousands of companies, and potentially whole populations, if attacks target critical infrastructure like utilities, communications or payments systems.
Acts of war are understood in the context of physical damage and personal injury, but cyber war or conflicts are harder to define and difficult to attribute. The lines are increasingly blurred between the actions of nation states, terrorist groups and cyber criminals, while hostilities by nation state threat actors and their affiliates may be clandestine or amount to state-sponsored cyber-attacks that stop short of all-out war. Such events are not without precedent.
The 2017 NotPetya contagious malware attack, which affected organizations in more than 60 countries, was attributed by US and UK security agencies to a Russia-backed hacking group. Other high-profile attacks on private companies over the past few years that have been attributed to nation states include Russia’s 2020 SolarWinds hack, China’s 2021 Microsoft Exchange server breach and Iran’s 2021 attack on Boston’s Children’s Hospital, although in many cases attribution can be very difficult to prove. The NotPetya attack sparked a debate on cyber war, prompting insurers and brokers to refine contract wordings. A number of standard cyber war exclusions have been developed alongside claims processes to address the issue of coverage and also, in many instances, attribution. The Lloyd’s market recently announced it will exclude nation-state cyber-attacks in a bid to limit systemic risk and promote contract clarity.
As the cyber insurance market and product have matured, there is increasing focus on what a cyber war clause should look like. Insurers are moving towards more clarity on state-sponsored cyber-attacks. To date, the exclusion for war or state-sponsored attacks in most commercial insurance policies has not been tailored to the cyber product. However, the insurance industry is now in the process of clarifying the intention and phrasing of cyber war clauses, which will remove much of the ambiguity once a claim has occurred.
The author, Scott Sayce, is Global Head of Cyber at Allianz Global Corporate & Specialty and Group Head of the Cyber Centre of Competence.