Russian Cyberattack against Ukraine poses threat to insurers too

Russian cyberattack against Ukraine and potentially other nations as part of its invasion is prodding cyber insurers to beef up language protecting them against losses, and has left policyholders uncertain about the extent of their coverage.

Insurers, still dealing with the fallout from an infamous hack in 2017, have ramped up efforts to refine policies and spell out exactly what does and doesn't get covered in the event of a retaliatory attack by Russia for sanctions and other actions imposed by the U.S. and its allies. Cyber coverage is a relatively young industry, and lacks defined standards of accountability.  

The issue of coverage “is one that's going to be answered on a case-by-case basis, based on the facts of any cyber incident and the specifics of an insurance policy,” said Darin McMullen, cyber product leader with insurance broker Aon Plc. 

Ukrainian officials have alleged that Russian operatives launched cyberattacksagainst government and corporate systems ahead of the invasion. The prospect of wider-ranging intrusions leaves insurers and policyholders uncertain about whether they will bear the costs if systems are breached.

Among the biggest providers of cyber coverage are Chubb Ltd., Axa SA and American International Group Inc., according to a 2021 report by the National Association of Insurance Commissioners.

At issue is the so-called war exclusion, a longstanding policy provision written by insurers. It states that losses inflicted by armed combat typically aren't covered. While cyber warfare isn't armed combat, the coordination of hacking and military action presumably could trigger the clause -- and force insurers to alter policy language.

“Carriers are just going to be making more updates to their policies and further outlining very specific things that will or will not be covered because I think they've been bleeding cash for the last couple of years,” said Mark Lance, senior director of cyber defense at GuidePoint Security.

Uncertainty for the industry and its customers also followed the 2017 NotPetya hack, an event U.S. officials tied to Russia, and which crippled companies including pharmaceutical giant Merck & Co. The question of whether Merck's $1.4 billion in losses were covered by its property and casualty policy ended up in court. 

In January, a New Jersey judge ruled that the insurers were unjustified in blocking Merck's claims and overreached in invoking a war exclusion. Defendants in the case included Munich Re, Lloyd's of London, Allianz SE and Zurich Insurance Group AG.

‘Learning Experience'

“It was a learning experience for the industry and now the insurers are much more aware of having to amend that definition of war, which has traditionally excluded or not addressed cyber attacks,” said Jennifer Rothstein, who heads cyber insurance and legal business development for computer security firm BlueVoyant.

She said that carriers have recently been working with brokers to clarify coverage and refine the questions asked as part of the underwriting process. In the meantime, premiums are going up, and the criteria insurers use to determine whether to take on risks are becoming stricter. That means getting covered is harder.

A December report from brokerage Marsh McLennan said that U.S. cyber-insurance pricing increased an average of 96% in the third quarter of 2021. The broker pinned the increase on factors including worsening losses brought on by an increase in the frequency and severity of ransomware claims, as well as the potential for a single attack to hit multiple policy holders at once.

There's no guarantee that Russia will use its cyber capabilities to punish countries that have imposed sanctions since the invasion. Still, the Russian government has been linked to high-profile hacks before, including a 2020 intrusion that breached U.S. government systems. Russia has threatened “consequences” for nations that interfere with its war. It has repeatedly denied engaging in malicious cyberattacks.