Insurers, lawyers, and business owners have been debating the question of what constitutes cyber warfare since long before the current invasion of Ukraine. Insurance policies frequently omit acts of war from their coverage because war is considered a catastrophic risk. Insurers also have a history of applying the label of “warfare” to incidents that are only linked to geopolitical conflict indirectly, leaving businesses to foot the bill for very expensive cyberattacks.
The ongoing physical war in Ukraine and the increasingly intense online component of the conflict make now the right time to renew your understanding of your business’s cyber insurance policy. You should also assess your exposure to threats such as ransomware, DDoS attacks, and wiperware. Even if you are not doing business in the region, attacks like these often have spillover components, sometimes reaching second- and third-degree entities that were never in the original target group.
What Is Cyber Warfare?
There is no officially recognized, formal definition of cyber warfare. The Geneva Conventions outline who is and is not a combatant in a traditional, physical war. They also define war crimes. Unfortunately, the rules, established in 1949 and only lightly amended since, could not anticipate the internet.
Most industry experts agree that to be considered cyber warfare an attack must be perpetrated by a nation-state. However, some attacks carried out by terrorist organizations or non-state actors seeking to further the goals of a hostile nation may also be considered acts of war. Targets of such attacks may include government and civilian infrastructure.
Direct acts of cyber warfare typically include espionage, sabotage, denial-of-service attacks, electrical power grid attacks, propaganda attacks, economic disruptions, and surprise attacks (massive attacks the enemy isn’t expecting, like a cyber 9/11 or Pearl Harbor).
Does Cyber Insurance Cover Acts of War?
Cyber attacks often have consequences well beyond the original target. Some insurers have argued that second- and even third-party victims of a geopolitically motivated cyberattack fall under their cyber insurance policy’s definition of “warfare.”
The 2017 NotPetya attack was likely perpetrated by Russia primarily against Ukraine. Roughly 80 companies in the eastern European nation, including the National Bank of Ukraine, reported infections on the first day. But companies in France, Germany, Italy, Poland, the U.K., and the United States also reported incidents related to the attack.
U.S. food manufacturer Mondelez International suffered $100 million in damages from NotPetya. Their insurance firm, Zurich American, refused to pay because they considered NotPetya “an act of war” based on official government statements from the U.S., U.K., and Canada. Each country attributed the attack to the Russian conflict with Ukraine.
Some entities that operate in politically unstable countries may be able to purchase war or terrorism insurance. But companies like Mondelez had no reason to expect that, as a food manufacturer, they would be caught in the crosshairs of a battle between two former Soviet countries.
Other insurers, like Lloyd’s of London, are trying to limit their exposure when it comes to cyberwarfare. In July 2020, Lloyd’s announced that it would no longer cover any costs stemming from war.
Attacks Specific to the War in Ukraine
Russia appears to be using wiperware as a tool in its cyberattacks on Ukraine. Wiperware, also known as “pseudo ransomware,” was detected by the Microsoft Threat Intelligence Center on January 13, 2022. The attack hit Ukrainian critical systems and leveraged malware with a Master Boot Record (MBR) wiper.
Wiperware is different from the ransomware we’ve become accustomed to. Typical ransomware attacks are financially motivated. Systems are held hostage until a ransom is paid to decrypt them. With wiperware, the attack is designed to destroy the victim’s systems. No money is exchanged; there is no opportunity to decrypt. A wiperware attack takes some time to complete: the hackers must maintain an open channel until all potentially useful files are deleted.
While wiperware attacks are new, they are not different from other attacks in the way they get access. Protecting your systems still involves a comprehensive understanding of your attack surface and a reduction of exposure wherever possible. Wiperware, like any malware, must enter your machine, exploit a vulnerability, and have time to run its processes. In addition to reducing your attack surface, other forms of protection include robust EDR software; continuous monitoring and analysis; vendor risk management; and a consistent patch program.
Review Your Company’s Insurance Policy
It’s never a bad time to review your cyber insurance policy to see what language is included around cyber warfare exceptions. If you can’t find any exceptions, check to see if your policy provider has recently issued any guidance or made any public statements regarding the war in eastern Europe.
When negotiating a policy, take time to understand all policy terms and any exclusions. If you are doing business in a high conflict region, it is especially important to be clear about your level of risk exposure.
If you do suffer a cyber security incident, be aware of whether it was perpetrated by a state actor or APT (Advanced Persistent Threat) and whether or not that determination is certain.