Implications of the Russia-Ukraine conflict on cyber insurance
It has been almost 150 days since the Russian-Ukrainian conflict began in February and its impacts on cyber insurance has been ever so imminent.
The current cyber insurance market is experiencing hardening conditions, with high premium costs, strict underwriting, and low market capacity.
Potentially increasing risks of cyberattacks and uncertainties surrounding the coverage of cyber policies that arise from the Ukraine conflict would only exacerbate this market temperament. This article examines the implications of the Russian-Ukrainian conflict on cyber insurance, with a particular lens of focus on policy terms.
Current cyber insurance market
Over the past few years, the hardening market has been a topical discussion point for stakeholders of the insurance industry. Experts expect this hard cycle to largely continue given current environmental factors, including, but are not limited to, supply chain pressures, high inflation and the COVID-19 pandemic. This is particularly apparent for cyber insurance. According to a paper published by Gallagher in January 2022, premium rates have increased by as much as 50% to 300% over the past year, whilst insurers undertake more stringent underwriting and limit coverage by cautiously inserting exclusions and sublimits in the policy contracts.
Such a phenomenon was made in response to global increases in cyber-related losses. As an indication, during the first six months of 2021, there had been US$590 million paid for ransomware attacks, as compared to US$416 million across 2020. Such increases are attributable to the interconnectedness of businesses and networks worldwide, as well as society in general putting more reliance on the internet and cyber technologies, which thereby creates greater number of attack opportunities and a higher value per attack for cybercriminals.
Implications of ongoing conflicts
With the key players of the conflict making accusations of cyberattacks and ‘cyber aggression’ by their counterparties, insurers and other stakeholders are becoming increasingly focused on the potential implications of the Russian-Ukrainian conflict on cyber policies. To begin with, there are undeniable increases in the risk of cyberattacks, in the form of phishing, ransomware, MITM and general malware attacks. Such incidents may be associated with alleged state-sponsorship, or simply be carried out by cyber criminals taking advantage of loopholes that become apparent during the conflict.
Within an ever-evolving globalised and interconnected world, the consequences of such cyberattacks do not stay within the geo-political boundaries of the conflict.
As clients and/or providers of goods and services to Russian and/or Ukrainian businesses, or simply market players within jurisdictions which are directly and/or indirectly impacted by the conflict, companies from around the globe are being exposed to the risk of cyberattacks.
‘War’ and ‘hostile act’ exclusions
Businesses are not the only stakeholders concerned with the situation. Insurers and reinsurers involved in the cyber insurance market have also been on high alert, especially in light of coverage ambiguities and questions surrounding the effectiveness of ‘war’ and/or ‘hostile act’ exclusions in policy terms. Most cyber insurance policies explicitly exclude the insurers’ obligation to pay for losses and/or damages caused by hostile or war-like actions in times of peace or war, including actual and/or expected attacks from a sovereign power, military forces, or authorised agents with governmental powers.
Such exclusion clauses are designed to stipulate that insurers have no appetite to indemnify against acts of war.
However, it is not clear whether all, if any, incidents of cyberattacks amount to war-like or hostile acts which are intended to be excluded from coverage. As the Russian-Ukrainian conflict continues to escalate, experts within the industry are increasingly looking to precedents which may allude to potential answers. One particular incident which has been quoted is the 2017 NotPetya malware attack, which was said to have also involved the main parties to the Russian-Ukrainian conflict today.
The incident began with the NotPetya malware, which had spread through a centralised update to the MeDoc tax accounting software which had been utilised by a large number of Ukrainian businesses. This acted as ransomware, which had encrypted the hard drives of target devices. Transnational businesses with offices in Ukraine were impacted by this incident and the infection of their internal networks ultimately spread to other jurisdictions, and hence led to significant financial losses.
Naturally, the impacted businesses which had purchased cyber insurance looked to their insurers for support.
However, the ‘war’ and ‘hostile act’ exclusions served as hurdles.
These clauses gave rise to coverage disputes, as neither party have encountered significant losses from cyberattacks of such scale and required the court to make an interpretation.
The most recent judgment was handed down in the Superior Court of New Jersey in January 2022, which had ruled in favour of the claimant on the basis that whilst both parties have been aware of cyberattacks, the insurers failed to update the policy terms or notify the policyholder that losses from cyberattacks were not intended to be covered.
As such, it is within reason for the claimant to suppose that their financial losses will be borne by the cyber insurer. A related issue arising of applying ‘war’ and/or ‘hostile act’ exclusions, is the identification of the ultimate perpetrator of a cyberattack which may link it to sovereign powers or government agencies, which are needed to link the incident to war-like or hostile actions.
In the wake of this judgment, insurers are seeing a more imminent need to update policy terms and exclusions. In November 2021, the Lloyds’ Market Association (‘LMA’) published four model cyberwar exclusions, which range from the removal of coverage if loss arises from war or nation-state activities to exceptions on the latter falling below some designated threshold. However, these draft exclusions do not resolve the issue for (re)insurers.
The wording heavily relies on cyberattacks being attributed to a nation-state to classify them as war. This means that the aforementioned issue of causation and perpetrator identification remains unresolved. Furthermore, the draft clauses introduce new terms such as ‘major detrimental impact’ and ‘essential services’ without providing adequate definitions. This renders the coverage even more ambiguous.
With such developments in mind, many insurers are looking to modify their cyber policy terms to explicitly address the issue of coverage when loss arises from cyberattacks to the nature of NotPetya.
Such movement has indeed been accelerated by the continued conflict between Russia and Ukraine.
Furthermore, within the hardening insurance market, it is reasonable to suggest that the cost of cyber policies will continue to rise. It is also expected that insurers will seek to implement tighter underwriting standards and practices as the risk of cyberattacks becomes more apparent.
As the Russian-Ukrainian conflict continues to escalate, insurers are increasingly drawn to address the ambiguity in the cyber covers that they offer, and to adequately protect themselves through the current hard market cycle. As for businesses that are seeking to obtain and/or renew cyber insurance policies, it is definitely worth paying close attention to this space. Businesses ought to also improve internal cyber hygiene through means such as multifactor authentication, and to closely monitor any business cyber risks that they are being subjected to.
CPD: Actuaries Institute Members can claim two CPD points for every hour of reading articles on Actuaries Digital.