Ukraine fallout expected to test companies’ hardened cyber defences
For an insurance industry trying to recover from a surge in ransomware attacks, Russia’s invasion of Ukraine brings another potential threat: a new front in an escalating cyber war.
Since the conflict began, there have been widespread predictions that cyber operations launched alongside the fighting will cause collateral damage across the global corporate sector. “Shields up” was the advice from the US Cybersecurity & Infrastructure Security Agency, which urged organisations to move quickly to bolster their defences.
So far, cyber threats outside the conflict area have been fewer than expected, experts say. “What we might have feared would happen by this point really hasn’t,” observes Sarah Stephens, head of cyber for the international operations of Marsh, the world’s biggest insurance broker.
“Certainly, in the insurance community, and the cyber risk community, there was a fear that this should be a really systemic, really catastrophic cyber conflict, and that has not so far occurred.”
Some even witnessed a lull in cyber attacks in the early weeks of the conflict. “We’ve actually seen a downtick in cyber activity directed towards our customers,” says Joshua Motta, chief executive at cyber insurer Coalition, whose client base is concentrated in the US and Canada.
Motta’s working hypothesis is that this is due to the war disrupting hackers operating in both Ukraine and Russia — “whether because of just the general chaos that is now sown in the region, or whether it’s certain criminals being repurposed or re-tasked to perform other activities in support of the conflict”.
However, in the longer term, many companies and analysts remain concerned that deteriorating relations between Russia and the west could lead to a step-up in cyber attacks.
Analysts at Moody’s, in a March note, warned that the conflict “is raising the risk of worldwide cyber attacks against critical infrastructure assets, along with a possible further escalation and increased frequency of cyber attacks against private companies and other organisations”.
They added that an attack that caused widespread business interruption and economic disruption could represent an uninsurable event.
Fitch Ratings has also cautioned that there is a greater chance of “spillover risks” that hit companies. It cites the example of the “NotPetya” malware in 2017. This was widely believed to have been a Russian military cyber attack on Ukrainian targets but ended up hitting big companies, such as Maersk, and caused billions of dollars in damage across the globe.
Companies are being urged to prepare, again. Last week, US president Joe Biden called for renewed efforts from the private sector to lift its defences, citing “evolving intelligence that the Russian government is exploring options for potential cyber attacks”, and published the steps businesses should take.
Graeme Newman, chief executive at cyber underwriter CFC, thinks they will need to be on their guard: “I suspect we will see an increase in criminal activity at some point, as sanctions continue to starve the Russian economy, with extortion being the primary tool.”
Insurers have already had to contend with a growing frequency and severity of cyber attacks in the past couple of years, as a cottage industry of third-party support services has made it easier for hackers to launch campaigns. Cyber insurance pricing has surged, as providers have moved quickly to reflect the higher risks in the premiums they charge.
Insurers have tightened up their underwriting — for example, by introducing limits to what they would insure and, in some cases, denying coverage to companies that did not put in place basic controls.
That has encouraged a “huge shift” from companies towards strengthening their defences, Marsh’s Stephens says. “Everyone has coalesced around these 10-12 really basic control areas and we have seen companies invest heavily in improving and shoring up problems [there].”
These include putting in place multi-factor authentication and safeguarding the privileged accounts that can reach any part of a computer system. Companies have also focused on eliminating vulnerabilities — for example, poor security on applications such as remote desktop for those working from home.
“What we are focused on is: do you have the equivalent of the ‘kick me’ sign posted on your back?” says Coalition’s Motta.
But recent events have drawn attention to a big grey area in these insurance policies. Typically, cyber insurance has a war exclusion, meaning that the insurer will not pay out if its client has been targeted as part of a conflict. However, the wording used to define the exclusion is not consistent across the sector.
Companies should therefore “consider closely examining the scope of their insurance policies to ensure sufficient coverage”, said lawyers at Eversheds Sutherland, in a March note.
In November, the Lloyd’s Market Association, a body that represents underwriters in London’s specialist insurance market, tried to address the uncertainty by publishing some model clauses for these exclusions.
In one of these clauses, the core consideration is whether “the government of the state . . . in which the computer system affected by the cyber operation is physically located attributes the cyber operation to another state or those acting on its behalf”.
If the target’s government is unable to do so, “it shall be for the insurer to prove attribution by reference to such other evidence as is available”, it continues.
This question of attribution is crucial — and tricky: how can anyone prove that hackers are acting on behalf of a state actor? The risk for companies, brokers argue, is that broadly written exclusions — referencing cyber campaigns that target a common system vulnerability — will leave them without compensation when they truly need it.
For some, the problem is simply that this is an insurance segment that is decades, rather than centuries, old.
“It’s not a mature market, and it’s a vastly changing dynamic of what exactly is being insured, and the contagion risk is tremendous,” explains Carl Hess, chief executive at insurance broker Willis Towers Watson.
“We’re a few years away from being able to say, with assurance, that we’ve got a workable cyber insurance [sector].”