When Russian troops invaded Ukraine on Feb. 24, Western military experts focused on troop size and weaponry. Politicians huddled over the ramifications for Europe. And cyber insurance brokers—clutching policies with “war exclusion” clauses—worried about what to call the incursion.
News outlets from ABC to the BBC were terming it a “conflict,” an “invasion,” or, Russia’s preferred term, a “special military operation.” Not an actual war. Eventually, the verbal fog lifted. The Western world began uttering the word “war,” calling the assault what it is. For cyber insurance companies, that seemed to resolve the matter in their favor and left policyholders, fearful about Russian cyberattacks, out in the cold.
The rush to buy cyber insurance has grown in recent years, driven by the dramatic rise in cyberbreaches and corporate concern about prevention. Insurance clients opting for cyber coverage rose from 26% in 2016 to 47% in 2020, according to a recent analysis by the Government Accounting Office.
Most policies exclude coverage for acts of war. But such “war” clauses can be tricky to enforce. For instance, adversarial nation-states rarely, if ever, take credit for cyberattacks on foreign governments and enterprises. Also, nations such as Russia and North Korea shelter cybercriminal syndicates and hacktivists, whose attacks, even if aligned to the motherland, are not considered acts of war.
Insurers are not taking any chances. Many are drafting new clauses, looking to hedge their risks by expanding the number of coverage exclusions. “Chubb has gone public with their strategy of limiting coverage for widespread events,” and another market is considering the same strategy, Monica Tigleanu, senior cyber underwriter at the German reinsurance giant Munich Re, recently
“There is a lot of sensitivity in the insurance market to systemic risk,” she explains, “and exclusions are another way to manage that risk.”
That should put policyholders on alert, as should President Biden’s warning on Monday: “The more Putin’s back is against the wall, the greater the severity of the tactics he may employ…. One of the tools he’s most likely to use, in my view, in our view, is cyberattacks.” In case there was any doubt, he added, “The magnitude of Russia’s cyber capacity is fairly consequential, and it’s coming.”
That means the pressure on business, tech, and cybersecurity leaders has never been greater. They must spot and mitigate digital risks, educate their workers on the value of proper cyber hygiene, all the while calculating exactly what their insurers will and won’t pay for when an inevitable breach occurs.
War or no war, they have to be prepared.
Why is that war exclusion in your cyber insurance policy?
War exclusions first appeared in insurance contracts in the 1930s in response to the Spanish Civil War. They may seem like a cop-out to some, just another way for insurance companies to get out of paying clients. But the real aim of these exclusions is to safeguard insurers from events so catastrophic that they’d go bankrupt trying to pay all the claims. That protects the rest of us, too. There’s no point in having insurance if your insurance company will be drained of funds.
But insurers drafted the original war clauses during an actual war, when damage to people and property was physical. Cyberwar is harder to spot.
It’s also harder to define. In 2013, former CIA Director Michael Hayden called a rash of state-sponsored cyberattacks originating from China akin to Hiroshima. A year later, Sen. John McCain, R-Ariz., said the North Korea hack of Sony Pictures Entertainment was “a new form of warfare.” Not so, said President Obama, who called the Sony breach “cybervandalism” and “not an act of war.”
Three years after that, the NotPetya cyberattack, which affected businesses worldwide and wreaked $2 billion to $10 billion in damages, was also deemed vandalism, even though both the U.S. and U.K. governments attributed the attack to the Russian military.
NotPetya had targeted Ukraine’s financial sector. But it went viral and global thanks to the world’s interconnected computer networks. Pharmaceutical giant Merck & Co. claimed it suffered $1.4 billion in losses in the attack. But its nearly three dozen insurance companies rejected the claim, citing war exclusion.
Merck sued its cyber insurance providers—and won
This past December, a New Jersey judge sided with the pharma giant. The judge ruled that the war exclusion clause related to armed conflict. The judge further noted that if the insurers had wanted to avoid paying for such cyberattacks, they should have changed the wording to define those events.
Merck’s policy was what’s known as an all-risks policy. As Michael Bahar, a litigation partner at Eversheds Sutherland and a former deputy legal adviser to the National Security Council, wrote in a recent report: “All-Risks policies are designed to provide cover against physical damage to property, yet many pre-2018 policies do not explicitly or implicitly exclude cyber risk and thus may provide cover, termed ‘silent cyber’ by the insurance industry.”
Bahar therefore advised that, in light of the Merck case and the new geopolitical instability and heightened risk of cyberattacks, companies should closely examine their insurance policies “to ensure sufficient coverage.”
Today, companies frequently rely on cyber-specific insurance policies. In fact, businesses with such policies did not have their NotPetya claims denied.
But insurers are worried. Ransomware attacks continue to soar. Insurance rates are rising (130% in the U.S. and 92% in the U.K. in the fourth quarter of 2021, according to Marsh, a leading insurer). “If cybercriminality continues unchecked, [insurance] will become unaffordable,” noted Adrian Cox, CEO of the London-based insurer Beazley, in the Financial Times last month.
Strengthen your coverage with basic cyber hygiene
While no security expert can guarantee a future free from cyberattacks (or the litigation that may spring from them), there are some basic cyber hygiene practices that business and tech leaders can take to lower their risk.
- Read the fine print. First, you should look closely at your insurance policies to determine whether they have the right cyber coverage for you. “And where there is doubt,” notes attorney Bahar, you “should seek to include greater clarity.”
  Lloyd’s Market Association, an insurance trade group for the Lloyd’s of London marketplace, in November wrote up four new clauses that could replace or supplement the standard war-exclusion clause in future cyber policies. It’s unclear at present if any of its 350 brokers have adopted the new wording.
- Practice cyber hygiene. This is not just enthusiastic advice to be ignored like those shout-outs from your Peloton instructor. Cyber insurance companies are now demanding “better cyber hygiene requirements for policyholders, such as multifactor authentication,” states Fitch Ratings in a Fitch Wire post earlier this month.
- Evaluate your cyber risk. A cyber-risk score can alert an enterprise to weaknesses in its cybersecurity strategy and spotlight preventable errors, like failing to install software updates or manage configurations. Risk scoring also shows off your strengths. Like a calling card or marketing tool, it’s a way to announce your organization’s cyber attributes to insurers, executive boards, and supply chain partners. Even a poor risk score is useful, giving security leaders the precise and necessary data to set new priorities and increase IT budgets.
- Automate wherever you can. This can’t be repeated enough. IT departments are understaffed; workers are burned out. Automation tools reduce the risk of human error; they bolster your security squad, replacing manual provisions with scripts and configuration files managed by machines. They can handle a host of low-level tasks, from password resets to patch management to identifying and mitigating threats. They can improve incident response by consolidating threat information from multiple sources, and the fact that hackers are also using these tools (hello, NotPetya) speaks volumes.
  Automation tools also communicate to insurance underwriters, demonstrating that despite a small staff or limited budget, your security systems are configuring, patching, and password-resetting on a swift and regular basis.
- Make friends with your cyber insurance policy underwriter. Insurers are asking more of clients. Literally, questionnaires used to set rates are getting lengthier and more detailed. Don’t take that the wrong way. “If you feel like you’re being grilled…it’s because we need to get as good an understanding [of your business] as possible,” Paul Gooch, a cyber underwriter with Tokio Marine Kiln, said on Dale Peterson’s Unsolicited Response podcast. “Try not to see it as adversarial.”
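The “evaluate your cyber risk” and “automate wherever you can” items above describe the kind of evidence underwriters ask for: patch age, multifactor authentication, and configuration drift, rolled up into a risk score with a prioritized fix list. The script below is an added illustration of that idea, not code from the article or from any insurer or scoring vendor. The asset inventory, the 30-day patch SLA, the finding weights, and the doubling for internet-facing assets are all constructed assumptions chosen for the example; a real program would read the inventory from an asset-management or endpoint tool rather than a hard-coded list.

```python
"""Toy cyber-hygiene risk scorer over a constructed asset inventory (added example)."""
from dataclasses import dataclass
from datetime import date


@dataclass
class Asset:
    name: str
    last_patched: date
    mfa_enabled: bool
    config_baseline_ok: bool
    internet_facing: bool


# Fixed "as of" date so the example is deterministic (assumption, not today's date).
AS_OF = date(2022, 3, 22)

# Constructed sample inventory: names and dates are made up for the example.
INVENTORY = [
    Asset("mail-gw", date(2022, 3, 15), True, True, True),
    Asset("hr-portal", date(2021, 11, 2), False, True, True),
    Asset("build-agent", date(2022, 1, 20), True, False, False),
    Asset("file-share", date(2022, 3, 1), True, True, False),
]

PATCH_SLA_DAYS = 30          # assumed patch window
WORST_PER_ASSET = 2 * (2 + 2 + 1)  # internet-facing asset with every finding


def assess(asset, as_of=AS_OF):
    """Return a list of (finding, points) for one asset.

    Points are assumed weights: stale patches 1 (2 if over 90 days),
    missing MFA 2, configuration drift 1; everything doubles when the
    asset is internet-facing.
    """
    findings = []
    age = (as_of - asset.last_patched).days
    if age > PATCH_SLA_DAYS:
        points = 2 if age > 90 else 1
        findings.append((f"patches {age} days old (SLA {PATCH_SLA_DAYS})", points))
    if not asset.mfa_enabled:
        findings.append(("multifactor authentication not enforced", 2))
    if not asset.config_baseline_ok:
        findings.append(("configuration drifted from baseline", 1))
    if asset.internet_facing:
        findings = [(text, points * 2) for text, points in findings]
    return findings


def score_inventory(inventory, as_of=AS_OF):
    """Return (score, report): score is 0-100 with 100 meaning no findings,
    report maps asset name to its list of (finding, points)."""
    report = {asset.name: assess(asset, as_of) for asset in inventory}
    total = sum(points for findings in report.values() for _, points in findings)
    worst = WORST_PER_ASSET * len(inventory)
    score = round(100 * (1 - total / worst)) if worst else 100
    return score, report


def priorities(report):
    """Flatten the report into (asset, finding, points), highest points first,
    which is the order a small team would work the fixes."""
    rows = [(name, text, points)
            for name, findings in report.items()
            for text, points in findings]
    return sorted(rows, key=lambda row: -row[2])


if __name__ == "__main__":
    score, report = score_inventory(INVENTORY)
    print(f"hygiene score: {score}/100")
    for name, text, points in priorities(report):
        print(f"  [{points}] {name}: {text}")
```

Run as-is it scores the constructed inventory at 75/100 and puts the internet-facing portal with stale patches and no MFA at the top of the list, which is exactly the kind of “preventable error” the article says a risk score should surface before an underwriter does.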
That last bit of advice holds true in times of war or peace. As easy as it is to imagine underwriters as fingertip-rubbing Mr. Burnses out to extort as much money from clients as possible, the reality is less colorful. If underwriters rejected all clients and denied all claims, the market wouldn’t exist.
Cyber underwriter Monica Tigleanu, of Munich Re, agreed. “It’s important that the community educates underwriters [as to] why they made certain decisions,” she said. “We just need to understand the controls in place that will make those asset owners resilient.”