 Russia has used cyberattacks as part of its invasion of Ukraine. Such attacks could potentially impact other countries, especially if the war intensifies. |
The insurance industry is preparing for a potential surge in cyberattack claims if the Russia-Ukraine war continues to escalate.
Insurers' direct exposures to Russian and Ukrainian cyberrisk is likely small; the real concern for the industry is the potential for spillover to other countries. The current situation is "a more complicated threat landscape than just Russia versus Ukraine," William Altman, principal cybersecurity consultant at cyberrisk analytics firm CyberCube, said in an interview. Altman said CyberCube is already tracking 33 different threat actors operating on behalf of Russia and Ukraine.
The insurance industry can look back to at least one precedent for a cyberattack related to the wider conflict between Ukraine and Russia having global implications: the 2017 NotPetya malware attack. NotPetya spread to thousands of companies globally, handing the insurance industry a $3 billion claims bill and its first taste of a cyber catastrophe. NotPetya occurred in relative peacetime and was largely covered by cyber-specific policies.
CyberCube has already seen the use of so-called self-propagating wiper malware like NotPeyta during this war, Altman said.
Assume the worst
Like most other kinds of insurance, cyber cover has war exclusions to protect insurers from systemic risk. However, insurers may still be liable for wider cyberrisk effects stemming from the ongoing conflict in Ukraine.
Insurers started reviewing cyberwar exclusions in 2019 to try to simplify where covered cyberterrorism ends and excluded cyberwar begins. Still, gray areas continue to exist. Four model cyberwar exclusions published by the Lloyd's Market Association in November 2021, for example, rely heavily on attacks being attributed to a nation-state to classify them as war.
Attribution is notoriously difficult to prove, and brokers and clients might argue that an attack is covered when there is no clear attribution. The Lloyd's Market Association's fourth option states that the exclusion does not apply to the direct or indirect effect of a cyber operation on a bystanding asset, or one not in the state targeted by the cyberattack.
"If there were bystanding assets implicated in some kind of hostile cyber event as a result of the war in Russia and Ukraine, we would expect to argue coverage under that clause," William Wright, a partner at Paragon brokers, said in an interview.
There is also the potential for Russia to launch cyberattacks on countries to punish and dissuade their support for Ukraine. Such a move might sidestep insurers' exclusion defenses. In addition to excluding war, insurers typically do not offer cyber cover for critical infrastructure. But Russia may only seek to disrupt by attacking a mobile phone network, for instance. That would not be serious enough to be considered an act of war or trigger mass property damage and loss of life, Altman said.
"I think in that case insurers would still be on the hook," Altman said. In the near term, insurers would be wise to continue to act like they have exposure to prospective events, even if they think exclusions would apply, Altman added.
 The aftermath of a March 20 Russian rocket attack on a shopping mall in Kyiv, Ukraine. |
Long history
Russia has been a key source of malware and other online aggression for the past 15 to 20 years, Wright said.
"We have been paying claims for businesses impacted by ransomware and malware that probably emanated from Russia for some time, and I don't really see that changing," Wright said. "The frequency may be increasing slightly, but it is more of the same, really."
The global spread of self-propagating wipe malware is "one of the worst-case scenarios for this event," according to Altman, though there would have to be "several levels of escalation" in the war before the prospect of a "worldwide self-propagating malware attack" becomes real.
Russia has used wiper malware during the invasion, but "in a very targeted way," Altman said.
Insurers look to be better-positioned to deal with potential claims coming from the Russia-Ukraine conflict, having already responded to a sharp increase in global ransomware attacks with a combination of higher prices, tighter terms and tougher security requirements for policyholders.
The main change over the last two years, according to Matt Northedge, global head of cyber and technology at Lloyd's insurer Canopius Group Ltd., has been the "fundamentally different approach to risk control" insurers now require from customers.
"The cyber insurance market is undoubtedly much better prepared to deal with any potential harms from the Ukraine war than it would have been if the outbreak had occurred in 2019 or earlier," Northedge said in an email.