Russian digital warfare against Ukraine and potentially other nations as part of its invasion is prodding cyber insurers to beef up language protecting them against losses, and has left policyholders uncertain about the extent of their coverage.
Insurers, still dealing with the fallout from an infamous hack in 2017, have ramped up efforts to refine policies and spell out exactly what does and doesn’t get covered in the event of a retaliatory attack by Russia for sanctions and other actions imposed by the U.S. and its allies.
The issue of coverage “is one that’s going to be answered on a case-by-case basis, based on the facts of any cyber incident and the specifics of an insurance policy,” said Darin McMullen, cyber product leader with insurance broker Aon Plc.
Ukrainian officials have alleged that Russian operatives launched hacks against government and corporate systems ahead of the invasion. The prospect of wider-ranging intrusions leaves insurers and policyholders uncertain about whether they will bear the costs if systems are breached.
Among the biggest providers of cyber coverage are
At issue is the so-called war exclusion, a longstanding policy provision written by insurers. It states that losses inflicted by armed combat typically aren’t covered. While cyber warfare isn’t armed combat, the coordination of hacking and military action presumably could trigger the clause -- and force insurers to alter policy language.
“Carriers are just going to be making more updates to their policies and further outlining very specific things that will or will not be covered because I think they’ve been bleeding cash for the last couple of years,” said Mark Lance, senior director of cyber defense at GuidePoint Security.
Uncertainty for the industry and its customers also followed the 2017 NotPetya hack, an event U.S. officials tied to Russia, and which crippled companies including pharmaceutical giant Merck & Co. The question of whether Merck’s $1.4 billion in losses were covered by its property and casualty policy ended up in court.
In January, a New Jersey judge ruled that the insurers were unjustified in blocking Merck’s claims and overreached in invoking a war exclusion. Defendants in the case included Munich Re, Lloyd’s of London, Allianz SE and Zurich Insurance Group AG.
‘Learning experience’
“It was a learning experience for the industry and now the insurers are much more aware of having to amend that definition of war, which has traditionally excluded or not addressed cyber attacks,” said Jennifer Rothstein, who heads cyber insurance and legal business development for computer security firm BlueVoyant.
She said that carriers have recently been working with brokers to clarify coverage and refine the questions asked as part of the underwriting process. In the meantime, premiums are going up, and the criteria insurers use to determine whether to take on risks are becoming stricter. That means getting covered is harder.
A December
There’s no guarantee that Russia will use its cyber capabilities to punish countries that have imposed sanctions since the invasion. Still, the Russian government has been linked to high-profile hacks before, including a 2020 intrusion that breached U.S. government systems. Russia has threatened “consequences” for nations that interfere with its war. It has repeatedly denied engaging in malicious
--With assistance from Jordan Robertson and Katherine Chiglinsky.