Cybercrime and cyber espionage activity continue to multiply against all industries and sectors, causing financial and material damage to targeted networks. Cyber insurance has helped mitigate the impacts of cyber malfeasance by offsetting the costs associated with recovering from cyber-attacks. A Government Accountability Office report found that the increasing severity and frequency of cyberattacks led more organizations to seek cyber coverage, which has been increasing in price as the volume of attacks continues to escalate, regardless of the motivation and intent of the individuals behind them. Some expect the cyber insurance market to surge significantly in 2031, with an estimated compound annual growth rate of 23.78%. It is evident that organizations acknowledge that, in a digital world, cyber insurance is a necessary complement to existing security strategies to reduce their risk. The average price for cyber insurance rose 79% in the United States in the second quarter of 2022, after having doubled in each of the previous two quarters, showing that insurance is becoming an expensive option, with carriers adjusting what they cover accordingly.[1]
Many cyber insurers are adopting their current position concerning hostile cyber-attacks affecting their clients because of what they identify as “Cyber War.” In the wake of elevated cyber-attacks driven by geopolitical events, many companies reject claims from their clients on the grounds that the damages were caused by cyber war and are therefore not covered by their policies. In August 2022, global insurer Lloyd's of London announced that its insurance policies would no longer cover any losses determined to originate from nation-state attacks or similar acts of war. A 2023 ruling in New Jersey found that the damage suffered by pharmaceutical company Merck due to the NotPetya attack did not have to be paid by the insurers because the U.S. government had determined that it was the result of a foreign government's actions.
See: https://redskyalliance.org/xindustry/acts-of-war-insurance-changes-in-coverage
For “an act of war,” some level of attribution must be acceptable to levy culpability on a state government. Cyber attribution is notoriously difficult and often requires substantial time and diligence to uncover the true perpetrators. While attribution efforts have improved, it is still an imperfect practice, even at the government level, which rarely shares how it determined actor attribution because it is preserving classified sources and methods. While this may be understandable, it does require those without that special access to “trust,” even though governments may have larger political reasons to make such determinations public. Clever states can implement “false flag” operations, wherein actors attempt to hide their true identities by making it appear their actions were the work of another state, potentially causing mistakes in actor identification.
In the case of Lloyd's, the company accepted government attribution as sufficient to consider any state-on-state action that caused substantial damage an act of war. But this is not to say insurance companies will rely on governments to assign blame for hostile cyber malfeasance, as governments' definitions do not bind them. For example, Lloyd's defines cyber war as “cyber operations between states which are not excluded by the definition of war, cyber war, or cyber operations which have a major detrimental impact on a state.” The policy does not require any confidence of government attribution, which gives insurers liberal scope when determining whether an incident is cyber-war related.
But what about state actors engaged in an attack during a period of tension but short of an armed conflict? The Russian-attributed BlackEnergy, Industroyer, and NotPetya attacks occurred during geopolitical tension between Russia and Ukraine, impacting critical infrastructure and, by extension, affecting civilians. Though these occurred long before the 2022 Ukraine invasion, they highlight the complexities of state cyber-attacks against another state, particularly in determining the intent behind the attacks (purposeful destruction or minor disruption?) and quantifying the actual effects caused by them. Were they deployed as instruments to conduct (cyber) war or just mechanisms to signal state animosity toward another state? Geopolitical tensions and area hotspots that spill over into cyberspace will invariably elicit similar hostile activity, some state-driven or state-sanctioned via proxies, and not all of it intent on perpetrating “cyber war.”
In much the same way that insurance companies helped codify another abstract causation, “Act of God,” they may play a part in helping states on the international level codify the parameters by which cyber war and cyber-attack can be legally defined. The Act of God clause provided a legal definition for those accidents or other natural phenomena (storms, floods, tornados) caused without human involvement that could not have been prevented by reasonable foresight. When attempting to define cyber war, similar challenges arise in trying to contextualize a multi-faceted and enigmatic issue that has roots in traditional warfare, geopolitics, and the ability to inflict substantial specific and collateral damage. Moreover, failing to have such a definition has enabled cyber hostilities to perpetuate unchecked internationally. NATO made some headway in trying to rein this in when it acknowledged that a cyber-attack could trigger Article 5 of its defense clause but stopped short of defining what that attack would look like. What is left is an enigmatic “Redline” that, if crossed, could warrant retaliation, although what that would be remains largely unknown, both to NATO and cyber aggressors.
The United Nations Group of Governmental Experts (GGE) and the Open-Ended Working Group (OEWG) have tried to codify responsible state behavior in cyberspace for several years. While there has been consensus that International Humanitarian Law applies to cyberspace, there has been less success in obtaining consensus regarding the specifics of cyber-related definitions, which has hindered progress. There may be a hesitancy to commit to any specific codification that could restrict states’ abilities to operate independently as they attempt to bolster and protect their own strategic interests and objectives. Still, the longer such terms go undefined, the more “acceptable” it will be for these types of cyber hostilities to continue without any meaningful way to deter and punish them. State-driven cyber-attacks will continue, with watchful eyes seeing if an attack or campaign crosses an equally undefined “Redline” that prompts a measured response.
The more international insurance companies move toward not covering damages resulting from “cyber war,” the more they may ultimately help codify what cyber war is, even as nation-states continue to wrestle with the concept. Generally, insurance policies exclude coverage for losses from war-related activities, as such events are out of the control of the policyholders (attacks, bombings, control of territory). Similarly, insurers consider losses or damages resulting from state actor attacks or the product of geopolitical conflict not to be covered by cyber insurance policies for the same reasons. This is why prominent cases like Zurich Insurance v. Mondelez and Merck v. ACE America may ultimately prove pivotal in setting a precedent for what constitutes a cyber act of war and succeed where UN GGE and OEWG efforts have stalled.
The private sector is finding that it cannot separate itself from the larger geopolitical landscape, so many governments find that the private sector will be the driver of codifying what goes on against it and will set standards that governments may tweak but ultimately follow. Regarding issues in cyberspace, most believe public-private cooperation is essential to dealing with the threats that transpire within the digital domain.
Since there are currently no definitions agreed upon by governments, insurance companies, and their paying clients, consider that your organization is on its own to prevent and mitigate its losses from any cyber-attack.
This article is presented at no charge for educational and informational purposes only.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225, or feedback@redskyalliance.com
Weekly Cyber Intelligence Briefings:
Reporting: https://www.redskyalliance.org/
Website: https://www.redskyalliance.com/
LinkedIn: https://www.linkedin.com/company/64265941
REDSHORTS - Weekly Cyber Intelligence Briefings
https://attendee.gotowebinar.com/register/5993554863383553632
[1] https://www.oodaloop.com/archive/2023/07/12/can-cyber-insurance-help-legally-codify-an-international-definition-for-cyber-war/