An expanding threat landscape is testing the limits of cyber insurance coverage.
The industry experienced a rapid maturation over the past three years as enterprises required a broader umbrella of insurance coverage to combat increasing cyber risks. While demands and premiums continue to rise, one recent area of contention involves war and hostile acts, an exclusion that's becoming harder to categorize.
A judgment in December, coupled with the Russian invasion last month that posed potential cyber retaliations to Ukraine allies, highlighted shortcomings in insurance policies when it comes to cyber conflicts.
In 2017, U.S. pharmaceutical company Merck & Co. suffered $1.4 billion in losses that stemmed from the NotPetya ransomware attacks. While the ransomware targeted Ukraine and affected a range of websites including banks, spillover attacks occurred in several additional countries. That included damage to 40,000 computer systems owned by Merck.
When Merck requested its $1.75 billion property insurance "all risk" policy, Ace American Insurance Company denied coverage, categorizing the ransomware attacks as an act of war.
More notably, they argued NotPetya was "an instrument of the Russian Federation as part of its ongoing hostilities against the nation of Ukraine," according to the lawsuit.
The lawsuit concluded in December when a New Jersey court ruled in favor of Merck. New Jersey Superior Court Judge Thomas J. Walsh stated that both parties were aware that cyber attacks, including those from nation-states, have become more common.
"Despite this, Insurers did nothing to change the language of the exemption to reasonably put this insured on notice that it intended to exclude cyber attacks," Judge Walsh said in the ruling. "Certainly they had the ability to do so."
Signs of change
The current conflict in Ukraine could have similar effects to the NotPetya attacks, according to some infosec and legal experts.
During a webinar last month, Recorded Future analysts noted certain malware used against the Ukrainian government was "reminiscent" of past attacks such as NotPetya and Bad Rabbit. They warned of possible retaliatory cyber attacks as well as unintentional "spillover attacks" that affect organizations in countries outside Ukraine.
Microsoft also addressed the fear of potential fallout to nonmilitary organizations.
When announcing its suspension of sales in Russia earlier this month, Microsoft cited Russian cyber attacks on civilian targets in Ukraine. Following the Russian invasion, Microsoft president Brad Smith said Microsoft observed cyber attacks that targeted both the Ukrainian government as well as civilian sites.
"We have publicly raised our concerns that these attacks against civilians violate the Geneva Convention," Smith wrote in a blog post.
Smith had voiced similar concerns in the past, and like many others in the infosec community, he called for a digital Geneva Convention.
We are taking several new steps in response to the war in Ukraine, including suspending new sales in Russia. https://t.co/BCHZ57TryO— Brad Smith (@BradSmi) March 4, 2022
Insurers have taken their own proactive measures by adjusting policy language.
For example, in November, London-based Lloyd's Market Association drafted new cyber war and cyber operation exclusion clauses. Factors included physical location of the computer systems and a level of government involvement. It broke down cyber operation and cyber war as two separate entities, classifying a cyber operation as the "use of a computer system by or on behalf of a state to disrupt, deny, degrade, manipulate or destroy information in a computer system of or in another state."
Joshua Mooney, partner at global law firm Kennedys Law, said it will be interesting whether insurers actually stick to the word cyber within the exclusion.
"I don't think the carriers need to put the word cyber, but it may be from an economic standpoint. It's going to be a lot easier to add that word as opposed to have the fight in the future," Mooney said. Mooney also told SearchSecurity that warlike exclusions have always been present in insurance policies.
Similarly, Jim Auden, managing director at Fitch Ratings, told SearchSecurity that war exclusions are typically common in policies for many commercial property and liability policies, not just cyber insurance policies. But differentiating between cyber attacks and cyber acts of war poses an additional problem for insurance coverage.
"When there is a cyber event, it's not easy to determine who the perpetrator is and their geographic location. As a result, it's difficult to determine if the cyber attack is state-sponsored or not, making legal or judicial action difficult," Auden said in an email to SearchSecurity.
Auden cited the Merck decision as an example of the difficulties insurers face when it comes to asserting war exclusions in cyber events. However, the ruling's impact on enterprises may be low.
"The decision is unlikely to affect cyber claims settlement barring a bigger conflagration with the U.S. directly involved that leads to cyber events from state-sponsored hackers," he said.
The ransomware factor
Mark Bowling, vice president of security response services at ExtraHop, told SearchSecurity that cyber insurers have already pulled back coverage as costly cyber attacks have increased. He was surprised, he said, that Ace even pulled the act of war card.
"It's now becoming too expensive to insure these companies," Bowling said. "It's a losing proposition for cyber insurance."
In addition, he said ransomware groups are criminal enterprises and -- unlike the Russian Main Intelligence Directorate, or GRU -- are not covered under acts of war.
However, at least one ransomware group has been vocal about its involvement in the current war. In messages to its leak site last month, the Conti ransomware gang initially pledged support for Russia, warning it would take retaliatory measures.
Following the statements made by Conti, Chester Wisniewski, principal research scientist at Sophos, observed three or four additional ransomware groups posting their own statements. Wisniewski told SearchSecurity he had assumed those messages would align with Conti; however, it was the exact opposite.
"All these other groups started coming up and saying, 'We're not on anybody's side here. We're just going to continue the business of robbing people.' It was strange," he said. "Why even make a statement? I started talking to some friends of mine, and we think it's because of insurance."
About 75% of ransom payments come from insurance, Wisniewski estimated. Therefore, if the groups affiliate themselves with the Russian Federation, their attacks are automatically classified as acts of war, and the groups may not receive those ransom payments without insurance policies covering part or all of the ransoms.
Another potential outcome of altering cyber war exemptions, Wisniewski noted, is the possibility that insurance companies will no longer pay these ransoms. "Unfortunately, it could be terrible for the victims," he said. "I think the prices of these policies are going up so much now that organizations might rethink how they approach the problem."
Depending on the size of the organization, rather than spending hundreds of thousands on insurance, they may invest that in improving defenses, for example.
There's already been an increase in cyber insurers asking clients to do assessments, Bowling said. He also noted a fairly new level of damage caused by ransomware over the past five years, but said the goal of insurance is to transfer financial risk.
"They want evidence that the organizations are doing more to secure themselves," Bowling said.
However, when it comes to acts of war, Mooney said, they are uninsurable by nature. Insurance policies have never covered damages caused by acts of war, he said, because the industry can't underwrite that type of risk.
"From a broader sense as a society, if we want a robust insurance industry to underwrite the risks of cyber attacks, we have to accept and understand that the industry can't underwrite damages caused by acts of war, including cyber attacks."