Nation-State Cyber Attacks and Insurance Response: Revisiting the War Exclusion

The Russian invasion of Ukraine has prompted renewed concerns from many cyber insurance policyholders as to the insurability of nation-state sponsored cyber attacks. In a previous Woodruff Sawyer blog post, we have outlined the potential broader impact on marine cargo policies, property policies, and insurance rates overall, but it is worthwhile to further explore the impact to cyber insurance. Organizations worldwide remain concerned about increased cyber threats due to the ongoing Ukraine-Russia conflict.

Very recently, the Five Eyes Intelligence Alliance (cybersecurity agencies in the United States, United Kingdom, Australia, Canada, and New Zealand) issued an alert that warns organizations within and beyond the Ukrainian border of increased malicious cyber activity from pro-Russian hackers in response to the “unprecedented economic costs imposed on Russia” and Ukrainian support provided by the US and others. Cyber insurance coverage for state-sponsored attacks remains an especially important topic for cyber liability buyers, and we believe there are a couple key policy provisions and recent insurer directives to consider when evaluating potential insurance response.

The War Exclusion: What Does it Mean to Policyholders?

Cyber insurance policies—like every other type of insurance policy—have a “War Exclusion.” Typically, a war exclusion clause stipulates there is no coverage for any damages because of hostile or warlike actions by a state or its agents. Insurance “carve-backs” are provisions identified in an insurance contract clause that overrule an exclusion. Most cyber policies today include carve-back language stating that the exclusion does not apply when the attack is considered “cyberterrorism.” To best understand cyber terrorism, it’s a term generally defined as the premeditated use of or threat to use disruptive activities against an IT network to cause harm, further social, ideological, religious, political, or other similar objectives. To date, this carve-back has allowed many nation-state attacks on private companies to be covered by a cyber insurance policy.

Some examples include the covered losses stemming from the Not-Petya cyber attack in June 2017. This attack, attributed (by the US and UK governments) to Russia’s military intelligence agency (GRU), originally targeted a Ukrainian accounting software and ultimately impacted other multinational companies such as Merck, Mondelez, and FedEx. More recent examples are the losses from the SolarWinds cyber attack in 2020 (also attributed to Russian intelligence service actors) that went undetected for months and spread via their proprietary software Orion, infiltrating 18,000+ government and private networks.

With the ongoing Ukraine-Russia conflict, the prospect of a carrier invoking the war exclusion to deny future nation-state cyberattack claims is heightened. Notably, the Lloyd’s Market Association (LMA) has recently indicated a preference for Lloyd’s syndicates to exclude nation-state sponsored cyber-attacks under the war exclusion with the introduction of an “attribution of a cyber operation to a state” provision.

This would be a new approach to how Lloyd’s syndicates have been responding to nation-state activity. Importantly for this Lloyd’s directive, application of the exclusion requires affirmative attribution to a nation-state sponsored attacker, and attribution for cyber attacks remains very tricky. Between the attribution challenges and the lack of a similar response from the rest of the insurance marketplace, we have not seen a significant impact on the insurance coverage from this directive to date. However, if the war in Ukraine continues for an extended period and private companies increasingly become victims of targeted nation-state attacks, the cyber marketplace may deem the risk too significant to insure.

Cyber Risk & OFAC Sanctions

Another cyber insurance concern relates to the US Treasury Departments’ Office of Financial Assets Control (OFAC) Sanctions list. Cyber insurance providers, and the appointed breach response vendors, must consider the individuals, entities, and/or countries behind an incident, most notably to ensure that the attackers are not a target of economic sanctions. There are some prolific, ransomware cybercrime groups who have closely aligned themselves with Russia’s interest, and it is possible these groups could eventually become placed on the OFAC Sanctions List (refer here to the OFAC SDN List for latest complete list).

Insurance carriers will not reimburse any ransom payment to a sanctioned entity on this list in direct violation of OFAC regulations, as it can result in the imposition of steep monetary fines and penalties ranging up to $20 million depending on the offense. It is important to note that these monetary fines and penalties apply to both the entity paying the potential ransom, as well as any companies that facilitate the payment—including cyber insurance companies.

This introduces the possibility that victims of ransomware attacks may not get reimbursed by their cyber insurance carrier if they elect to pay an extortion demand. We believe an important takeaway is that companies should continue to focus on implementing best practices for cyber incident prevention and response, particularly around resiliency. That way, if they fall victim to a ransomware attack, they have the option of recovering from backups and avoid the need to engage with the attacker and make a ransom payment.

For more information, you can find a resourceful list of ransomware best practices in the Cybersecurity and Infrastructure Security Agency’s (CISA) September 2020 Ransomware Guide, as referenced in the Department of Treasury’s Updated Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments article. Please also be sure to review our previous blog post on the major considerations to account for when deciding whether to make an extortion payment arising out of a ransomware attack.

Understanding the Impact of Russia-Ukraine Invasion

In response to the evolving threat, many cyber insurers are starting to ask more questions about a company’s operations and exposures in Russia and Ukraine. Insurance carriers are often asking about any physical presence, any reliance on suppliers, and any use of Information Technology infrastructure in Russia, Ukraine, and/or Belarus.

Other insurers have begun adding territory restrictions to every cyber policy they write going forward. The territory restriction provisions are typically excluding any coverage for entities located in Russia, Belarus, and Ukraine, as well as coverage for losses arising out of an interruption or attack on information technology assets that are located or housed within Russia, Ukraine, and/or Belarus.

This subject remains fluid and it will be critical to keep a close watch on any developments in response to additional threat activity, changes in insurer behavior, and introduction of new exclusionary language.