In 2017, Russia unleashed a cyber-attack known as NotPetya against Ukraine. And NotPetya was so powerful that it didn’t stop in Ukraine: it travelled on to many other parts of the world, disrupting operations at leading companies from the shipping giant Maersk to the snack giant Mondelez and causing an astounding $10bn in losses. State-backed cyber-attacks continue to cripple western companies.
The aggression clearly has a geopolitical purpose—but insurers are left cleaning up after it. Now Lloyd’s, the venerable London insurer, has decided to exclude state-backed cyber aggression from its cyber insurance policies, and other insurers are likely to follow suit. It is a decision which casts a new light on our darkening geopolitical reality and shows how businesses form the new frontline, as hostile states attack without using military force.
Confirmation of the fact that technology is changing the nature of warfare arrived on 16th August, in an administrative note from Lloyd’s to its underwriters. “When writing cyber-attack risks, underwriters need to take account of the possibility that state-backed attacks may occur outside of a war involving physical force. The damage that these attacks can cause and their ability to spread creates a similar systemic risk to insurers,” underwriting director Tony Chaudhry explained in the note. The insurer would, as of 31st March next year, no longer be covering catastrophic state-backed cyber aggression in its stand-alone cyber insurance policies. “We recognise that many managing agents in the market are already including clauses in their policies specifically tailored to exclude cyber-attack exposure arising both from war and non-war, state-backed cyber-attacks. We wish to ensure, however, that all syndicates writing in this class are doing so at an appropriate standard, with robust wordings,” Chaudhry wrote.
It’s hardly a surprising decision. Cyber-attacks of all kinds are ubiquitous these days and can cause the affected company enormous losses. That’s why companies have cyber insurance. But the insurance cover—which goes back to the days when cyber-attacks were mostly perpetrated by criminals of varying ability—was designed to cover just such criminal activity, just as other forms of insurance cover theft, kidnappings and hurricanes. Cyber insurance wasn’t meant to compensate companies for losses incurred when hostile states attack them as proxies for their home governments.
And yet that’s what cyber insurance has morphed into: the insurance pays when a covered company or other organisation is harmed by an attack, regardless of who the attacker is. After the NotPetya attack, Mondelez claimed its $100m losses on its insurance policy—but its insurer denied the claim on the grounds that western governments had attributed NotPetya to the Russian government and that the attack thus constituted a war-like action and was excluded from standard insurance coverage. Mondelez sued, as did the pharmaceutical giant Merck, whose insurer had denied its $1.4bn claim on the same basis. But in January this year a US court sided with Merck, ruling that the firm’s war exclusion only applied to armed conflict. The insurer, New Jersey’s Superior Court said, hadn’t put its customers on notice that state-backed cyber-attacks would be excluded from coverage.
Compensating for $10bn losses after Russian and other state-backed cyber-attacks is clearly a daunting proposition for the insurance industry. In a report this January the Geneva Association—the insurance industry’s global association, which also functions as an industry think tank—warned that “accumulated losses of some cyber risks linked to HCA may not be able to be safely and sensibly absorbed by the private re/insurance sector.” (HCA stands for hostile cyber activity, which carries a lower burden of proof than cyber aggression directly attributed to a hostile government. It is often impossible to irrefutably attribute an act of cyber intrusion to a specific government.) Indeed, as I outlined in a report this summer, grey zone aggression—state-backed aggression below the threshold of armed military violence, hovering in the grey zone between war and peace—risks making parts of global business uninsurable. When the havoc wreaked on UK businesses by IRA attacks risked making terrorism insurance unviable, the UK government stepped in with guarantees to help insurers pay damages above a certain threshold. Together the insurance industry and the government created Pool Re, which continues to insure against terrorist acts. But there’s not (yet) a Cyber Re.
By excluding state-backed aggression from its cyber coverage, Lloyd’s now seems to have acted on the reality that warfare has changed beyond the traditional armed military violence. From next spring, catastrophic state-backed cyber activity will no longer be covered. Ciaran Martin, the founding CEO of the UK National Cyber Security Centre and now a professor at Oxford University’s Blavatnik School of Government, suggested it’s welcome that insurers like Lloyd’s are making their position clear, but he pointed out that “insurers and cyber security experts have a tendency to talk past each other, so more dialogue would help. In this case, there are some important ambiguities. One is what ‘catastrophic’ is supposed to mean: truly catastrophic cyber events are very rare. Second is the role of attribution. Sometimes governments feel it’s right to attribute but sometimes they don’t. That’s rightly a policy question for governments, not for insurers. So what if a government decides not to attribute? The French government, as a matter of policy, never does, for example.”
That’s a dilemma. If western governments attribute hostile cyber activity to a foreign government, then the firm and the insurer will at least know it’s excluded from coverage. But what if there is no clear attribution by a trustworthy government—should it then be treated as an insurable loss? Will the insurance industry need to set up an independent body that rules on whether a claim falls within or outside the bounds of coverage? Either way, cyber insurance is set to change. Until now, many companies have enjoyed the luxury of operating in a world of proliferating state-backed cyber aggression without having to worry too much about it, because they knew that any damages would be covered by their insurers. For that reason, some companies have also taken cyber protection less seriously than they ought to have done.
Starting next March, companies—and societies at large—are likely to discover the painful consequences of state-backed cyber aggression. Without insurance coverage, firms will have to bear the losses of the hostile activity themselves. A prudent step for Lloyd’s and the insurers likely to follow its lead; a frightening reality for companies and other organisations around the world. But the frightening reality is not insurance policies: it’s the grey zone aggression which targets daily life, and against which western countries have no effective defence strategy.