Key Takeaways
- As the likelihood of a prolonged stalemate in the Russia-Ukraine conflict grows, the risk of cyberattacks on financial and public institutions will increase.
- The 2017 NotPetya malware incident shows cyberattacks can quickly spread to global public and private corporations.
- The conflict is spotlighting a rising need for strong cyber governance and affirmative cyber insurance coverage, said S&P Global Ratings cyber specialists at a seminar.
Cyberwarfare has, to general surprise, provided just a handful of notable skirmishes in the Russia-Ukraine conflict. But fears linger that the scale and frequency of digital attacks on financial, industrial, and state targets in Ukraine, and among its allies, could escalate. It was with this threat in mind that S&P Global Ratings analysts and in-house cyber experts met on Thursday, April 28, for the "Cyber Risk Seminar: Learning from the Russia-Ukraine Conflict." A link to the replay is available here.
"There is a rising likelihood of a prolonged stalemate, or an escalation in military attacks, and with that we see heightened risk of cyberattacks on public and financial entities," said Zahabia Gupta, S&P Global Ratings' associate director in the Sovereign and International Public Finance team. "We are monitoring whether any cyberattacks on Ukraine could cause disruptions to payment systems or critical infrastructure that could affect its ability to service debt. This risk is incorporated into our 'B-/B' sovereign ratings on Ukraine, which remain on CreditWatch negative."
History suggests there is good reason to be wary. Russia is often cited for hacking Ukrainian targets, though it denies the allegations. A 2015 attack temporarily turned off power for about 230,000 Ukrainians. Two years later, hackers, reputed to be linked to Russia's military, knocked government agencies offline, shut transport systems, closed banks, and cost U.S. and European companies that were inadvertently caught in the attack about $10 billion (see "Cyber Threat Brief: How Worried Should We Be About Cyber Attacks On Ukraine?," published on Feb. 22, 2022).
"We also see an increased risk that Russia could use cyberattacks to target entities from countries that are allied with Ukraine as a means to gain an advantage in the conflict," said Ms. Gupta.
For the time being, cyberattacks have been less severe than we expected. Of the roughly 201 rating actions we have taken as a result of the direct or indirect consequences of the war, none has been due to cyber-related issues (see chart 1).
Chart 1
"Cyberattacks are something we are closely watching, [but] they haven't thus far been a major contributor to any of these rating actions," Tiffany Tribbitt, S&P Global Ratings director and lead analyst for U.S. public finance, told the seminar.
NotPetya Warning
The conflict hasn't been without a cyber element. The Ukrainian defense ministry and two banks were hit with distributed denial-of-service (DDoS) attacks, which seek to take down websites by overloading them with fake queries, in the days before the invasion began. Other Ukrainian government sites have suffered "web defacement," a form of digital vandalism, said Paul Alvarez, a cyber risk expert within our Analytical Innovation team.
There have also been accounts of more destructive, though largely unsuccessful, activity, including the use of wipers, malicious programs that seek to destroy IT systems by erasing data. "We have seen several wipers in play recently, some created before the hostilities occurred and some during," said Mr. Alvarez. "It demonstrates how quickly these threat groups can retool."
Wipers have a notorious history in Ukraine. It was a wiper malware, called NotPetya, that in 2017 exploited two historical weaknesses in Microsoft's operating systems to disable Ukrainian airports, railways, and banks. "NotPetya was actually the culmination of a three-year campaign of targeted disruption against Ukrainian infrastructure…banks, nuclear plants, and electricity suppliers," Martin Whitworth, another cyber risk expert, told the seminar. "It wasn't a well-controlled campaign in that it may have been targeted at Ukraine, but a number of really large organizations got hit by NotPetya, even though it wasn't designed to actually attack them."
Among the collateral damage were drug maker Merck & Co. Inc. and transportation group FedEx Corp., which suffered about $695 million and $400 million of losses, respectively, making them significant corporate contributors to a total of about $10 billion of losses caused by the attack. Still, this did not lead to any rating actions, since analysts assessed the credit implications as manageable within the current rating thresholds.
The shockwaves of NotPetya also reverberated through the insurance sector, which found itself on the hook for about $3 billion of damage claims (the remaining $7 billion was uninsured). Worse, for the insurers, about $2.7 billion of those claims were likely unforeseen, since they came via traditional property and casualty (P&C) policies that neither explicitly included nor excluded losses from cyberattacks.
This exposure, known as silent cyber, or non-affirmative cyber, remains a contentious issue (see "Cyber Risk In A New Era: Let's Not Be Quiet About Insurers' Exposure To Silent Cyber," published March 2, 2021, on RatingsDirect).
"Businesses are still over-reliant on their traditional policies [to cover cyber exposure]," said Manuel Adam, associate director within the Insurance Ratings team. "A lack of clarity leads to disputes, with policyholders arguing for a more generous and broader interpretation of the wording [in P&C policies], and insurers doing the opposite.
"This is leading to dissatisfaction for policyholders," he added. "And it leaves the scope of coverage uncertain, particularly in the case of large scale cyberattacks like NotPetya, and potentially in the case of the current Russia-Ukraine conflict."
At best, silent cyber risks hurt insurers' profitability by exposing them to payouts for risks for which they never collected premiums. At worst, warns Mr. Adam, it "could harm their profitability and solvency levels."
The extent of those risks was made explicit in January, when a court ruled that an all-risk property policy held by Merck entitled it to claim against damages resulting from NotPetya. Merck's insurer, Ace American Insurance Co., had argued that the cyberattack was an act of war, which would typically be excluded from a P&C policy. A New Jersey Superior Court disagreed, ruling that Merck had "every right to anticipate that the exclusion applied only to traditional forms of warfare."
It is unclear to what extent that ruling will set a precedent. Yet cyberattacks emanating from the Russia-Ukraine conflict could once again test the arguments used in the case, including the extent to which insurers must prove that a cyberattack is directly linked to a conflict, and thus an act of war. That could prove a difficult task, particularly when belligerents are unlikely to claim responsibility.
Mr. Adam said that insurers are, either way, coming to terms with the need to identify, quantify, and manage silent cyber risks. Progress has been made in moving clients to affirmative cyber coverage, but it has been hampered by a mismatch between strong demand for such policies and supply that is constrained by insurers' caution, due to the relative infancy of cyber as an insured risk. That imbalance has contributed to a sharp increase in cyber protection prices since mid-2020, though the increase isn't likely to have been sufficient to protect profit margins that were in place before the COVID-19 pandemic (see chart 2).
Chart 2
Spotlight On Cyber Governance
There seems little doubt that demand for cyber insurance will grow as the financial effects of cyberattacks increase. That raises the important question of how cyber insurance fits into overall cyber risk management.
"Risk management, including cyber risks, is considered within our ratings process," Ms. Tribbitt told the seminar, adding that weak governance protocols can lead to a lower rating than pure financials might otherwise indicate. "That is the reason why you don't always see rating changes after an attack; governance risks are already baked into our ratings."
A replay of S&P Global Ratings' Cyber Risk Seminar: Learning From the Russia-Ukraine Conflict is available here.
S&P Global Ratings' U.S. Public Finance team will hold a special "Credit Spotlight" event focusing on cyber risk on Thursday, May 12, 2022, from 1 p.m. to 3 p.m. Eastern Time. Information and registration for the event are available at this link.
Writer: Paul Whitfield
This report does not constitute a rating action.
Primary Credit Analysts:
- Tiffany Tribbitt, New York, +1 (212) 438 8218; Tiffany.Tribbitt@spglobal.com
- Manuel Adam, Frankfurt, +49 693 399 9199; manuel.adam@spglobal.com
- Zahabia S Gupta, Dubai, (971) 4-372-7154; zahabia.gupta@spglobal.com
- Paul Alvarez, Washington D.C.; paul.alvarez@spglobal.com
- Martin J Whitworth, London; martin.whitworth@spglobal.com
Secondary Contact:
- Simon Ashworth, London, +44 20 7176 7243; simon.ashworth@spglobal.com
No content (including ratings, credit-related analyses and data, valuations, model, software, or other application or output therefrom) or any part thereof (Content) may be modified, reverse engineered, reproduced, or distributed in any form by any means, or stored in a database or retrieval system, without the prior written permission of Standard & Poor’s Financial Services LLC or its affiliates (collectively, S&P). The Content shall not be used for any unlawful or unauthorized purposes. S&P and any third-party providers, as well as their directors, officers, shareholders, employees, or agents (collectively S&P Parties) do not guarantee the accuracy, completeness, timeliness, or availability of the Content. S&P Parties are not responsible for any errors or omissions (negligent or otherwise), regardless of the cause, for the results obtained from the use of the Content, or for the security or maintenance of any data input by the user. The Content is provided on an “as is” basis. S&P PARTIES DISCLAIM ANY AND ALL EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, ANY WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE OR USE, FREEDOM FROM BUGS, SOFTWARE ERRORS OR DEFECTS, THAT THE CONTENT’S FUNCTIONING WILL BE UNINTERRUPTED, OR THAT THE CONTENT WILL OPERATE WITH ANY SOFTWARE OR HARDWARE CONFIGURATION. In no event shall S&P Parties be liable to any party for any direct, indirect, incidental, exemplary, compensatory, punitive, special or consequential damages, costs, expenses, legal fees, or losses (including, without limitation, lost income or lost profits and opportunity costs or losses caused by negligence) in connection with any use of the Content even if advised of the possibility of such damages.
Credit-related and other analyses, including ratings, and statements in the Content are statements of opinion as of the date they are expressed and not statements of fact. S&P’s opinions, analyses, and rating acknowledgment decisions (described below) are not recommendations to purchase, hold, or sell any securities or to make any investment decisions, and do not address the suitability of any security. S&P assumes no obligation to update the Content following publication in any form or format. The Content should not be relied on and is not a substitute for the skill, judgment, and experience of the user, its management, employees, advisors, and/or clients when making investment and other business decisions. S&P does not act as a fiduciary or an investment advisor except where registered as such. While S&P has obtained information from sources it believes to be reliable, S&P does not perform an audit and undertakes no duty of due diligence or independent verification of any information it receives. Rating-related publications may be published for a variety of reasons that are not necessarily dependent on action by rating committees, including, but not limited to, the publication of a periodic update on a credit rating and related analyses.
To the extent that regulatory authorities allow a rating agency to acknowledge in one jurisdiction a rating issued in another jurisdiction for certain regulatory purposes, S&P reserves the right to assign, withdraw, or suspend such acknowledgement at any time and in its sole discretion. S&P Parties disclaim any duty whatsoever arising out of the assignment, withdrawal, or suspension of an acknowledgment as well as any liability for any damage alleged to have been suffered on account thereof.
S&P keeps certain activities of its business units separate from each other in order to preserve the independence and objectivity of their respective activities. As a result, certain business units of S&P may have information that is not available to other S&P business units. S&P has established policies and procedures to maintain the confidentiality of certain nonpublic information received in connection with each analytical process.
S&P may receive compensation for its ratings and certain analyses, normally from issuers or underwriters of securities or from obligors. S&P reserves the right to disseminate its opinions and analyses. S&P's public ratings and analyses are made available on its Web sites, www.spglobal.com/ratings (free of charge), and www.ratingsdirect.com (subscription), and may be distributed through other means, including via S&P publications and third-party redistributors. Additional information about our ratings fees is available at www.spglobal.com/usratingsfees.