War in Russia increases cyber claims exposure for global insurers

” href=”https://www.law360.com/insurance-authority/articles/1471913/#”>Daphne Zhang ·

Global insurers are on high alert over a rise in cyberattacks and business interruption claims following Russia’s invasion of Ukraine, facing growing exposure as networks around the world Ukraine and critical infrastructure sectors of its Western allies are attacked and threatened.

Antonina, 84, sits in a wheelchair after being evacuated with her 12 dogs from Irpin, to a triage point in Kyiv, Ukraine, on Friday. A large-scale evacuation operation of residents of a satellite area of ​​the capital Kiev continued on Friday, with more and more people deciding to leave areas now under Russian control. (AP Photo/Vadim Ghirda)

Ukraine’s critical infrastructure, government services, banking and telecommunications sectors have already been to hit with cyberattacks since late February. Amid growing military and diplomatic support from the United States, United Kingdom, European Union and Japan, the risk of a systemic cyberattack spreading to these countries is ‘just a matter of time’ , according to cybersecurity and insurance experts.

“This is probably the first real war fought in a fairly active cyber environment,” said Sridhar Manyem, director of research and industry analysis at AM Best. “There are a lot of activists on both sides of Ukraine and Russia trying to engage in this cyberwar. As a result, the threats have intensified in an already active environment.”

Since the start of the war, Russia and Ukraine have recruited hundreds of cyber threat actors and volunteers to attack their enemies’ networks, according to a report by cybersecurity analytics firm CyberCube. As of March 1, there were at least 22 hacker groups actively helping Ukraine and nine openly helping Russia, the company said.

“Hacktivist coalitions and cybercriminals are taking sides, with prolific groups promising services to aid the Russian government’s war machine,” said Darren Thomson, CyberCube’s head of cybersecurity strategy.

Companies in the United States and its allied countries that have promised sanctions against Russia are at increasing risk of retaliatory cyberattacks, CyberCube said. The industries most likely to see a retaliatory attack are banks, IT and internet service companies, utility providers, shipping lines and mobile network operators, he said.

Insurance companies are under tremendous pressure right now,” said Daryl Crockett, CEO of Validatum Focus, which provides data security technology to enterprises. The possibility and threat of a widespread Russian-linked cyberattack is of further concern to insurers after a New Jersey state court told them that a wartime exclusion does not prevent cyberwar coverage, it said. she declared.

Late last year, the New Jersey court ruled that Merck & Co.’s insurers cannot rely on a the wartime exclusion to avoid covering the pharmaceutical giant’s $1.4 billion losses from NotPetya, a 2017 malware hack that the United States blamed on Russia, a charge the Kremlin called of “unfounded”.

As of March 2, “in the last 48 hours, we’ve had seven or eight new hacking victims. Most of them are US-based companies,” said Tony Cook, head of corporate intelligence. threats at GuidePoint Security. The company continuously monitors the activities of 75 ransomware groups.

However, none of the attacks showed clear evidence they were linked to the Russian conflict, making it difficult for insurers to deny cover by applying policies’ act of war exclusions, he said. .

“Some insurers are still taking the position that they will help policyholders pay the ransom” because they are cautious in concluding that the attacks were initiated by Russia, GuidePoint’s Cook said. These carriers are waiting for the US government to put Russia-linked ransomware groups on the Treasury Department’s Office of Foreign Assets Control sanctions list to declare the incident to be Russia-related before denying the cover, he said.

However, others said “they will not cover Russia-related cyberattacks because it is clearly an act of war,” Cook added.

“With cyber, it is very difficult to determine who is the author of an attack,” said Jim Auden, managing director of Fitch’s American P&C insurance group. “There are many state-sponsored entities engaged in cyber events, but getting the electronic fingerprints to definitively prove it is very difficult.”

Insurers put themselves in a difficult position if they rely solely on the war exclusion to deny a cyberattack claim, Auden said. There are a lot of “obscure issues” when it comes to “whether cybercriminals support a nation-state or are they employees of a nation-state”.

There is boilerplate language in the exclusionary language of war that “has not been tested frequently”, he added. Carriers “may be able to assert that there is a state-sponsored entity behind a cyber event, but getting the justice system to agree with you could also present immense challenges” , noted Auden.

In the Merck decision, the New Jersey court said that because insurers’ war exclusion does not contain the word “cyber”, it only prohibits physical war. The decision involves risks and uncertainties to all branches of insurance which issued policies with similar wartime exclusion wording without addressing cyber incidents, industry watchers said.

Any ambiguities in the war exclusion language will be “investigated, filed for reclamation and exploited” as cyber threats from Russia escalate, AmBest’s Manyem said. Insurers are also concerned about defense risks related to underlying claims against their policyholders related to cyberattacks and the legal costs of coverage disputes with their policyholders, he said.

There could be growing litigation over how the wartime exclusions apply to cyberattacks “particularly if the attacks spill over from the Ukrainian conflict, because these are exactly the kinds of incidents that raise significant questions as to whether the wartime exclusion applies or not,” said Alex Iftimie, a partner at Morrison & Foerster LLP.

“The threats posed by the Russian invasion offer businesses an opportunity to consider whether their coverage meets their expectations and whether the exclusion of war in a policy reflects what they expect it to exclude. “, Iftimie said.

Mismatches in coverage expectations between policyholders and insurers are common, GuidePoint’s Cook said. “Forty-two percent of the customers we dealt with thought they had insurance, but it didn’t even cover 25% of their actual cyberattack costs,” he said.

Companies that hold insurance coverage are “100% targets” of hacker groups, Cook said. When cybercriminals infiltrate a system, some of the “keywords they look for are ‘insurance financial,'” the director of cyber threat intelligence said.

“They are hitting the policyholders themselves and looking for signs of insurance. Or they have already hit the insurance provider or broker and tried to find as much as they can to see who their policyholders are.”

“Major insurance brokers and providers have been hit because the criminals just want to get the list of people they insure, so they can have new targets,” he said, referring to this. major broker Aon PLC. said earlier this month that he suffered a cyberattack. Arthur J. Gallagher Co, another insurance broker, and insurance giants like CNA Financial Corp. and AXA SA Arthur have also experienced cyberattacks during the last years.

The Russian-Ukrainian conflict will push insurers to speed up the process of toughening their policies and getting approval for stricter exclusion clauses, industry observers say.

“Insurers are going to review their policy language and try to speed up this underwriting process,” AmBest’s Manyem said.

In November, Lloyd’s of London proposed new exclusions for stand-alone cyberpolices, saying cyber warfare and any retaliatory attacks between states are not covered. A cyber insurer does not need official attribution and can decide by “inference” to attribute cyberattacks to state activities, the insurer said.

However, if carriers broaden their exclusions to this level, businesses, especially small and medium-sized businesses, might wonder whether they need cyber insurance or whether they should spend the money to protect their systems instead, he said. Padriac O’Reilly, co-founder of cyber risk firm CyberSaint.

Private sectors will wonder “what’s the point of buying a cyberpolicy if 40 different variants of malware have been crafted with the tacit approval of malicious games that are potentially tied to a nation-state,” O’Reilly said. .

No matter how much exposure and risk insurers bear due to the Russian war, the ultimate victims are policyholders, said Daryl Crockett, CEO of cybersecurity firm ValidDatum. Businesses can suffer double losses from both a cyberattack and denials of coverage by insurers.

Insurers may not have updated their policy wording to exclude cyber risks, but they can still deny claims and policyholders may not have the money and time to pursue legal action , she said. Not all companies are Merck, which has more than four years to sue insurers and fund lawyers, Crockett said.

“A lot of times the insurer may not be on the safe side, but it becomes the effort of the insured to prove it, and that’s expensive,” she said. “Most companies won’t have the resources to mount a defense with which they could win.”

–Edited by Bruce Goldman.

For a reprint of this article, please contact [email protected]

Comments are closed.