The possibility of a Russia-related widespread cyberattack in the wake of the country's invasion of Ukraine is making insurers anxious, especially given a recent New Jersey court ruling that a warlike exclusion does not bar coverage to cyberwars, a data security tech executive said. (AP Photo/Pavel Golovkin)
"This is probably the first true war being fought in a pretty active cyber environment," said Sridhar Manyem, director of industry research and analytics at AM Best. "There are a lot of activists from both sides of Ukraine and Russia trying to engage in this cyber warfare. Therefore, threats have escalated in an already active environment."
Since the war began, both Russia and Ukraine have recruited hundreds of cyber-threat actors and volunteers to attack their enemies' networks, according to a report from cybersecurity analytics firm CyberCube. As of March 1, there were at least 22 hacker groups actively assisting Ukraine and nine openly assisting Russia, the company said.
"Hacktivist coalitions and cybercriminals are taking sides, with prolific groups pledging services to aid the Russian government's war machine," said Darren Thomson, CyberCube's head of cybersecurity strategy.
Companies in the U.S. and its allied countries that have vowed sanctions against Russia are at increasing risk for retaliatory cyberattacks, CyberCube said. The industries most likely to see a retaliatory attack are banks, IT and internet services companies, utility suppliers, shipping companies and mobile phone network operators, it said.
"Insurance companies are under tremendous pressure at this point," said Daryl Crockett, CEO of Validatum Focus, which provides data security technology to businesses. The possibility and threat of a Russia-related widespread cyberattack bring further anxiety to insurers after they were just told by a New Jersey state court that a warlike exclusion does not bar coverage to cyberwars, she said.
Late last year, the New Jersey court ruled that Merck & Co.'s insurers can't rely on a war exclusion to avoid covering the pharma giant's $1.4 billion in losses from NotPetya, a 2017 malware hack that the U.S. has blamed on Russia, an accusation the Kremlin called "groundless."
As of March 2, "within the last 48 hours, we have had seven or eight new victims of cyber hacks. Most of them are U.S.-based companies," said Tony Cook, head of threat intelligence at cybersecurity company GuidePoint Security. The company constantly monitors the activities of 75 ransomware groups.
However, none of the attacks showed clear evidence that they are related to the Russia conflict, making it difficult for insurers to deny coverage by enforcing the policies' act of war exclusions, he said.
"Some insurers are still taking the stance that they will help policyholders pay the ransom" because they are cautious to conclude that the attacks were initiated by Russia, said Cook of GuidePoint. Those carriers are waiting for the U.S. government to put Russia-related ransomware groups on the Treasury Department's Office of Foreign Assets Control sanction list for them to declare that the incident is related to Russia before denying coverage, he said.
However, others have said "they are not going to cover Russia-related cyberattacks because it is clearly an act of war," Cook added.
"With cyber, it's very difficult to determine who is the perpetrator of an attack," said Jim Auden, managing director of Fitch's U.S. P&C insurance group. "There are lots of state-sponsored entities engaged in cyber events, but it is very difficult to get the electronic fingerprints to prove it definitively."
Insurers are putting themselves in a tough position if they are relying on the war exclusion alone to deny a cyberattack claim, Auden said. There are a lot of "murky issues" when it gets to "whether the cybercriminals are supportive of a nation-state or are they employees of a nation-state."
There's boilerplate language in the war exclusion language which "was not tested frequently," he added. Carriers "may be able to assert that there's a state-sponsored entity behind a cyber event, but getting the judicial system to agree with you too could have immense challenges," Auden noted.
In the Merck ruling, the New Jersey court said that because the insurers' warlike exclusion does not have the word "cyber" in it, it only bars physical warfare. The ruling brings risks and uncertainties to all lines of insurers that have issued policies with similar war exclusion wording without addressing cyber incidents, industry observers said.
Any ambiguity in the war exclusion language is going to be "examined, filed for claims and exploited" with the escalation of Russia's cyber threats, said Manyem of AmBest. Insurers are also concerned about defense exposures from underlying claims against their policyholders related to cyberattacks and litigation costs of coverage disputes with their insureds, he said.
There might be rising litigation over how war exclusions apply to cyberattacks "particularly if the attacks spill over from the Ukraine conflict, because these are exactly the type of incidents that pose significant questions about whether the war exclusion applies or not," said Alex Iftimie, a partner at Morrison & Foerster LLP.
"Threats posed by the Russian invasion offer an opportunity for companies to think about whether their coverage meets their expectations and whether the war exclusion in a policy reflects what they expect it to exclude," Iftimie said.
Mismatches of coverage expectations between policyholders and insurers is common, said Cook of GuidePoint. "Forty-two percent of the clients we dealt with thought that they had insurance, but it didn't cover even 25% of what their actual costs were from cyberattacks," he said.
Companies that hold insurance coverage are "100% targets" of hacker groups, Cook said. When cybercriminals infiltrate a system, some of "the keywords that they're looking for are 'insurance financier,'" said the cyberthreat intelligence director.
"They're hitting the policyholders themselves and looking for signs of insurance. Or they've already hit the insurance provider or broker and tried to find as much as they possibly could to see who their policyholders are."
"Major insurance brokers and providers have been hit because the criminals simply want to get the list of people that they insure, so they can have new targets," he said, referencing that major broker Aon PLC said earlier this month that it has suffered a cyberattack. Arthur J. Gallagher Co, another insurance broker, and insurance giants like CNA Financial Corp. and AXA SA Arthur have also experienced cyberattacks in recent years.
The Russia-Ukraine conflict will push insurers to speed up the process of tightening their policies and getting stricter exclusion languages approved, industry observers say.
"Insurers are going to take a look at their policy language and try to accelerate that underwriting process," said Manyem of AmBest.
In November, Lloyd's of London proposed new exclusions for stand-alone cyber polices, saying cyberwar and any retaliatory attacks between states are not covered. A cyber insurer does not need an official attribution and can decide through "inference" to attribute cyberattacks to state activities, the insurer said.
However, if carriers broaden their exclusions to that level, businesses, especially mid- and small-size companies, may question whether they need cyberinsurance at all or if they should just spend the money on protecting their systems instead, said Padriac O'Reilly, co-founder of cyber risk firm CyberSaint.
Private sectors will ask themselves "what's the point of buying a cyber policy if 40 different variants of malware were designed with the tacit approval of malware games that are potentially linked back to a nation-state," O'Reilly said.
No matter how much exposure and risk insurers are bearing because of the Russian war, the ultimate victims are policyholders, said Daryl Crockett, CEO of cybersecurity firm ValidDatum. Businesses may find themselves suffering double losses from both a cyberattack and insurers' coverage denials.
The insurers might not have updated their policy language to exclude cyber risks, but they can still deny claims and the policyholders may not have the money and time to litigate, she said. Not every business is Merck, which has more than four years to litigate against insurers and fund lawyers for it, Crockett said.
"Oftentimes, the insurer might not be on the right side, but it becomes the effort of the insured to prove that, and that's expensive," she said. "Most companies are not going to have the resources to mount a defense with which they might win."
--Editing by Bruce Goldman.
For a reprint of this article, please contact reprints@law360.com.