Cyber Insurance’s Battle With Cyberwarfare: An IW Special Report

Cyber war is at our digital doorsteps—and if some observers are to be believed, has crossed the threshold and entered our daily existence. While it’s certainly true that nation-states across the world now approach cyberspace as another operational domain, what actually constitutes a declaration of war in this dimension is the subject of heated debate.

The question hinges on a wide array of philosophical, semantic, and legal questions, most of which are unlikely to be definitively resolved in the near future. But the implications are more practical and immediate. Whether or not a given attack that affects private industry is classified as cyber war can have substantial impacts on whether the fallout is covered by a cyber insurance policy.

President Barack Obama, for example, officially referred to the destructive 2014 ransomware and doxing cyber attack on Sony Pictures Entertainment, which cost an estimated $35 million, as an act of “cybervandalism.” However, the incident was formally attributed to attackers sponsored by the North Korean government, the Obama administration issued new sanctions against North Korea, and Senator John McCain called it a “new form of warfare.” Sony’s insurers ultimately paid out. Such a payout is less of a certainty for future attacks.

In July 2016, eighteen months after those sanctions were issued, NATO recognized cyberspace as a “domain of operations.” This means that NATO is committed to collectively defending allies in cyberspace just “as effectively” as it does in air, on land, and at sea. Yet it did not define what constitutes an act of cyber war. 

“This fundamental uncertainty continues to inhibit the development of robust, socially beneficial cyber insurance markets,” claims a working paper issued by the Carnegie Endowment for International Peace in 2020. A 2017 analysis of more than 100 cyber insurance policies found that only 13% of them explicitly covered acts of cyber war or cyberterrorism.

The ongoing legal battle between Chicago food manufacturer Mondelez International, Inc. and Swiss-based Zurich Insurance Group over the latter’s liability for more than $100 million in damage caused by the 2017 NotPetya attacks—considered the costliest cyberattack in history—may provide some precedent for how coverage is approached in the future. In the meantime, firms like Lloyd’s of London have acted preemptively. In November 2021, the insurer issued a detailed explanation of why it will no longer be covering damage sustained during an act of cyberwar.

Here, Information Week dives into the literature on the subject and speaks to four cybersecurity experts in the hopes of penetrating the fog. Don’t hold your breath though—the best we can hope for at this point is the identification of known unknowns.

How NotPetya Sets Precedents on War, Insurance

The June 2017 NotPetya attacks were initially aimed at Ukrainian companies, but they quickly spread to organizations throughout the world. NotPetya, so named because it used a modified version of the Petya ransomware first deployed in 2016, is technically ransomware, but the attackers did not typically use it to extract ransoms from victims. Instead they used it to wreak havoc and destruction, encrypting and deleting data and spreading like a worm. NotPetya caused some $10 billion worth of damage across more than 60 countries. In February 2018, seven nations, including the United States, formally attributed the attacks to state-sponsored actors in Russia, though that country has never accepted responsibility.

Zurich Insurance vs. Mondelez

It is on this basis that Zurich Insurance Group denied claims by Mondelez for damage to some 1,700 servers and 24,000 laptops as well as lost orders and other economic damages. The all-risk property insurance policy taken out by Mondelez contained exclusions for “hostile or warlike acts” by government or sovereign powers. 

The policy did, however, include provision for “physical loss or damage to electronic data, programs, or software, including physical loss or damage caused by the malicious introduction of a machine code or instruction.” Zurich later rescinded its initial denial and offered a partial payment; but then backtracked and withdrew that offer as well. 

Mondelez countered with a lawsuit in the Circuit Court of Illinois in October 2018. Observers wait with bated breath for the ruling, which is widely expected to offer useful precedent for similar cases.

Is collateral damage from such an act, geographically distant from the intended target, and likely unintended, excluded from coverage in the same way as, say, a building bombed in a calculated assault by one power against another? And what impact do government declarations have on the legal decisions that ensue?

Merck vs. Ace American

A January 2022 ruling in a New Jersey court in favor of pharmaceutical giant Merck may serve as an early bellwether. The company, also affected by the attacks, sued more than 20 of its insurers, citing $700 million in damages. In a pivotal decision, the company was awarded some $1.4 billion from one insurer, Ace American.

The opinion indicated that the war exclusions contained in that policy were applicable only to armed conflict—signaling that they are more appropriately interpreted as referring to the ramifications of traditional warfare rather than acts of aggression committed in the novel cyber landscape.

[Figure: Timeline of events relevant to cyberwar and cyber liability insurance, including NotPetya and the Russia-Ukraine conflict]

Insurers’ definition of cyberwar

Companies navigating these uncharted hinterlands encountered a line in the sand, though, when in November 2021 insurance firm Lloyd’s of London issued a series of four exclusion clauses categorically denying coverage of cyberwar events. While the clauses were issued in the Lloyd’s Market Association bulletin and allowed individual underwriters flexibility in applying them to individual policies, they were widely interpreted as signifying a shift toward non-coverage. All of Lloyd’s cyber policies are expected to include some variation of these clauses going forward.

Lloyd’s of London’s definition of cyberwar broadly includes “cyber operations between states which are not excluded by the definition of war, cyber war or cyber operations which have a major detrimental impact on a state.” Formal attribution is not necessary for exclusion, an important caveat that would allow for broad latitude in making determinations of whether a given event is actually cyberwar or not.

“I think you’re going to see a lot more of that, unless there is legislation that comes out that more specifically defines cyberwar. I don’t think we’re really seeing it at this point,” notes Adrian Mak, CEO of AdvisorSmith. The language in the individual contracts is “what is driving the coverage at this point. And also, interpretation of that [language].”

While some hailed this salvo as a positive development that helped to refine the definition of cyberwar within the industry, others feared that such narrow exclusions might discourage some organizations from taking out cyber insurance policies at all.

“A lot of policyholders are going to reconsider their purchases,” Mak says. “Or they’re going to have to negotiate really hard with their insurance companies about what is and isn’t covered.”

Legal and governmental concepts of cyberwar

There is little agreement on what constitutes cyberwar. Whether or not it meets the qualifications of traditional war according to various national and international definitions is up for debate.

“There’s never going to be anything that’s exclusively ‘cyberwar.’ Why would there be?” says Kenneth Geers, analyst at Very Good Security and nonresident senior fellow at the Atlantic Council. “You’re always dealing with nation-states trying to coerce an adversary (or a friend) to do something. They’re going to use various tactics to get there. Cyber is certainly one of them.”

“It really does become an issue for the standalone policies. There’s uncertainty about what these words mean. From the insurance standpoint, they don’t know if they’re on the hook for it. And as a policyholder, you don’t know whether you’re going to get a claim paid,” says Daniel Garcia-Diaz, managing director of financial markets and community investment at the U.S. Government Accountability Office.

Definitions of traditional warfare

A couple of the most relevant definitions of traditional war are contained in the following documents:

  • U.S. Code: The U.S. Code defines war as “any act occurring in the course of— (A) declared war; (B) armed conflict, whether or not war has been declared, between two or more nations; or (C) armed conflict between military forces of any origin.”
  • The Geneva Conventions: Article II of this series of international agreements signed between 1864 and 1949 defines war as “declared war or of any other armed conflict which may arise between two or more of the High Contracting Parties, even if the state of war is not recognized by one of them.”
  • United Nations Charter: The UN Charter Article 2(4) notes that “All Members shall refrain in their international relations from the threat or use of force against the territorial integrity or political independence of any state, or in any other manner inconsistent with the Purposes of the United Nations.” Article 51 states that “Nothing in the present Charter shall impair the inherent right of individual or collective self-defence if an armed attack occurs against a Member of the United Nations, until the Security Council has taken measures necessary to maintain international peace and security.”

More recent definitions of cyber warfare

Given that these definitions were conceived well before the advent of cyber aggression, their applicability is ambiguous at best. A number of more recent conventions and statements shed a bit more light—but not much.

  • The Budapest Convention: Also called the Convention on Cybercrime, it came into force in 2004. It establishes some more concrete definitions of cybercrime, but does not mention cyberwar.
  • The Tallinn Manual: This document, created in 2009 by an international group of experts and later updated, claims that “cyber weapons are cyber means of warfare that are by design, use, or intended use capable of causing either (i) injury to, or death of, persons, or (ii) damage to, or destruction of objects.” It also states that “the law of armed conflict applies to cyber operations as it would to any other operations undertaken in the context of an armed conflict.”
  • A 2015 report from the UN Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security: This report establishes a series of norms for cyber interaction. Notably, it specifies that “States should not knowingly allow their territory to be used for internationally wrongful acts using information and communications technologies (ICTs).” It also suggests that “States should also respond to appropriate requests to mitigate malicious ICT activity aimed at the critical infrastructure of another State emanating from their territory, taking into account due regard for sovereignty.”
  • The U.S. Department of Defense Law of War Manual: The 2016 updated version notes that “DoD has recognized cyberspace as an operational domain in which the armed forces must be able to defend and operate, just like the land, sea, air, and space domains.” It further specifies that “if the physical consequences of a cyber attack constitute the kind of physical damage that would be caused by dropping a bomb or firing a missile, that cyber attack would equally be subject to the same rules that apply to attacks using bombs or missiles.”
  • The Cyber Diplomacy Toolbox: This 2017 framework issued by the Council of the European Union indicates that “malicious cyber activities might constitute wrongful acts under international law and … that States should not conduct or knowingly support ICT activities contrary to their obligations under international law, and should not knowingly allow their territory to be used for internationally wrongful acts using ICTs.”

While these documents offer some encouraging formalization of the concept of cyberwar, they leave a number of questions unanswered. Perhaps most prominently, they do not address economic consequences outside of property damage, which will continue to be a major question in cyber insurance claims. They also fail to pinpoint what would actually constitute a declaration of cyber war, a crucial distinction that will almost certainly have implications for insurance coverage.

The meaning is fluid, Geers observes. “The hacking has to begin before the shooting starts,” he claims. “That’s going to try to take place in peacetime. A lot of it seems to be on private networks. We’ve known that since the [Critical Infrastructure Protection directive] was published in 1998.”

“Not all cyber attacks clearly result in physical damage,” adds Garcia-Diaz. “In the absence of physical damage, insurance companies may not pay out.”

Academic investigations of cyberwar and cyber insurance

A range of scholarly investigations conducted by both private and governmental organizations have further attempted to refine the definition of cyberwar—and assess its relation to insurance coverage.

A 2021 report by the U.S. Government Accountability Office analyzed an array of research on the subject and found that “terms commonly used in cyber policies are not consistently defined.” The report observed that “no global consensus exists on the exact behavior or criteria that define a cyber event as either terrorism or warfare.” It concludes that the lack of common definition will make it difficult to standardize policy language.

An independent analysis of 56 cyber insurance policies in 2019 validated this finding. While cyberwar exclusions were increasingly standard after 2015, what actually constituted cyberwar varied widely. Interestingly, starting in 2011, cyber terrorism coverage became more common.

The Geneva Association, an insurance industry think tank, issued a 2020 report that proposed some common language that might be used. The report acknowledges that a wide variety of malicious cyber activity falls somewhere between the current, highly ambiguous definitions of cyberwar and cyber terrorism. It defines cyberwar as malicious activity perpetrated by a nation-state—and requiring a formal declaration. Cyber terrorism, on the other hand, is malicious activity carried out in the name of political, religious, or ideological interests. The association suggests that anything short of declared war be considered hostile cyber activity (HCA), which could then be assessed as its own category of risk.

A 2017 synthesis of policy reports and interviews with industry professionals found some movement toward explicit cyberwar exclusions. There was little agreement on whether this was a positive development. On one hand, it was thought that these exclusions might facilitate a greater push for standardized wording. But some interviewees thought that they would make it difficult to tailor risk for individual clients and that these exclusions would remain difficult to enforce anyhow. The authors did offer one concrete solution: the government certification of acts of cyberwar, which might serve to provide official confirmation and disambiguate instances in which a formal state of war was not immediately clear.

A 2021 paper notes, however, that the definition is further complicated by definitions of territoriality, sovereignty, and state monopoly on the use of force. Because of the decentralized nature of the internet, it can be difficult to ascertain where an attack originates and where it is perpetrated. Both aggressor and victim may be geographically distant from the nation-states with which they are associated. Thus it can be nearly impossible to determine whether an attack on a private enterprise was, say, perpetrated by an individual—but tacitly sponsored by a state—and whether the intention was purely financial or an attempt at national destabilization.

Protecting Yourself from Cyberwar Events


Aggressive cyber hygiene is probably the best protection available against the threat of cyberwar at this point. These procedures differ little from those that protect against cyberattacks perpetrated by private actors. Multiple data backups created on a regular schedule, multi-factor authentication, prompt software patching, employee education about phishing and other scams, and an incident response plan can eliminate or at least mitigate the damage caused by a cyberwar-type event.

“As the forensics improve, and we get a little bit better vernacular, that you’ll start to get some more guidance,” suggests Daniel Soo, a principal in Deloitte’s cyber practice.

Geers adds that many companies, especially those with international reach, ought to consider having geopolitical analysts on their teams. “Malware propagation is going to follow current events,” he claims, citing his own experience at Comodo Cybersecurity, where he recalls seeing huge clusters of malware erupting in areas where significant news stories were unfolding. Mapping these events can help security teams to target their resources, in both the short and long term.

Soo also recommends that firms “stay in lockstep with law enforcement” and seek advisement from the appropriate government agencies.

Painstaking discussions with insurers have also become a necessity. Organizations would be well-served to assess the ambiguities in their current cyber insurance policies and initiate dialogue with their agents on the exact meanings of their wording.

“That’s something that folks really have to be in tune with in order to make sure that they understand what gets covered in their policies,” Soo advises. He also urges companies to check their coverage in individual jurisdictions, as it may vary geographically.

If gaps are identified, renegotiation is in order. And if those negotiations fall short of full coverage, additional coverage should be secured. This is particularly true for companies that until now have relied on all-risk insurance or property insurance.

Broader Proposals Addressing Cyberwar

As extraordinary and exotic as the cyber landscape is, we may find some useful guidance in the lessons of history.

The Federal Deposit Insurance Corporation (FDIC) was founded in 1933 with the passage of the Banking Act, signed by President Franklin D. Roosevelt. This government-backed corporation continues to serve as a failsafe for funds deposited in American financial institutions. In a similar vein, the Terrorism Risk Insurance Act of 2002, which has been extended to 2027, provides a government backstop for insurance claims related to certified terrorist incidents over $200 million.

A 2022 paper proposes the creation of a Federal Cyber Insurance Corporation (FCIC) that would provide similar protections to insured parties in the event of certified cyber war events.

Other experts, including Brad Smith, vice chair and president of Microsoft, have called for a Digital Geneva Convention. While an agreement of this type would be unlikely to put a stop to international cyber aggression, it might provide a solid basis for discouraging such attacks and a means of assessing them in an objective manner. This would in turn provide a legal framework that could inform the development of a vital and adaptable insurance industry capable of underwriting the vulnerable aspects of the private sector without assuming unknown risk.

In the meantime, some are taking less abstract measures. “The Department of the Treasury and the National Association of Insurance Commissioners (NAIC) are collecting more granular information about cyber insurance policies,” notes Garcia-Diaz. Still, these analyses will take time to work their way into industry standards, he cautions. “This foundational information needs to be fully developed in order to have a working cyber insurance market that is accessible, available and affordable for policyholders.”

“You’re definitely going to see insurers rewrite their policies to be more specific about what is and isn’t covered,” Mak predicts. Expect premiums to rise, though, he says. “That would expose insurers to a much greater range of losses than the way that they believe they have constructed the policies at this point.”

“Ultimately, policyholders want to be protected for things that they can’t predict,” he says. “Insurers want to have policies at the end of the day. The market will figure it out.”
