The cyber insurance market reckons with the state malware threat 10 min read
The market-standard position has long been for loss or damage arising from war to be excluded from cover under most forms of insurance. Cyber liability insurance was frequently an exception.
Broad war exclusions are now, however, increasingly found in cyber liability insurance policies. In light of the position recently adopted by the Lloyd’s Market Association (LMA), such exclusions are likely to become market standard. This is important for insureds because the risk of cyber related losses arising from war (particularly in the current geopolitical environment) is significant.
A number of factors have combined to drive this trend:
- First, cyber operations are now a typical aspect of conflict between nation states (both as part of traditional war and also 'grey zone' warfare).
- Second, absent an exclusion, cyber operations, especially when backed by a nation state, could cause portfolio-wide losses that risk the capital adequacy of insurers. High-profile, state-backed cyberattacks such as NotPetya revealed this risk.
- Third, there is already conflict between nation states in Europe, and a genuine risk in the current geopolitical environment of further conflict.
This Insight explains:
- the threat of state-sponsored cyberattacks on your business;
- how the insurance market has responded; and
- what this means for your insurance cover.
Cyber operations are now a standard part of the offensive (and defensive) capabilities of a modern defence force. Governmental authorities across the Five Eyes alliance have also warned that state-backed attacks may occur outside of a 'traditional' war involving physical force.
- Five Eyes Cybersecurity authorities cautioned in an April Joint Advisory that Russia's invasion of Ukraine could expose organisations, particularly those involved with critical infrastructure, to an increased risk of malicious cyber activity—including destructive malware, ransomware, denial of service (DDoS) attacks and cyber espionage.1
- The US Cyber & Infrastructure Security Agency has also warned that state-sponsored cyber actors from the People’s Republic of China 'continue to exploit' vulnerabilities in order to establish 'a broad network of compromised infrastructure'.2
Australian businesses could be affected in a number of ways:
Direct or targeted attacks
Organisations could be targeted directly by:
- a foreign state (although this would seem unlikely absent an outbreak of war in which Australia was involved);
- an agent sponsored or directed by a foreign state (akin to a 'mercenary');
- a vigilante acting in the interests of a foreign state (who may also be state-sanctioned in some way); or
- criminal groups located in a foreign state (who are increasingly organised and well-funded, and may act opportunistically and have any number of motivations, including financial).
Those Australian businesses most at risk include businesses operating critical infrastructure or essential services, or perceived to have a particular association with the state involved in the conflict.
Australian organisations may also feel the effects of an attack by one of the abovementioned parties in an indirect way (eg as a consequence of an attack on an overseas network or supplier).
Insurers are increasingly wary of the substantial liabilities that may arise from these types of cyberattacks. Given the likelihood that numerous insureds will be affected at any one time, and the benefit of there being a 'standard insurer position' on exclusions, the LMA has published prescribed exclusions for state-backed cyberattacks in standalone cyberattack policies.
At minimum, to meet the LMA requirements, a policy must:
- exclude losses arising from a war (whether declared or not), where the policy does not have a separate war exclusion;
- exclude losses arising from state-backed cyberattacks that:
- significantly impair the ability of a state to function; or
- significantly impair the security capabilities of a state;
- clarify whether the cover excludes affected computer systems that are located outside a state that is affected by paragraphs (a) or (b) above;
- set out a robust basis by which the parties agree on how any state-backed cyberattack will be attributed to one or more states; and
- clearly define all key terms.
These requirements are to take effect from March 2023, at policy inception or renewal. The LMA has also released a set of four new model war, cyber war, and cyber operations exclusions, which are said to meet each of the abovementioned objectives.
Prior to this announcement, Lloyd’s agents were already including exclusions for losses arising both from war and non-war, state-backed cyberattacks (with varying degrees of robustness in their wording). However, it will become the market position going forward.
The LMA's recent announcement will not directly bind other insurers underwriting business in Australia. However, the LMA's guidance is likely to be highly influential. In large programs, it is also highly likely that Lloyds market insurers will participate in excess layers. In the context of the increasing cyber-threat environment posed by nation states, we expect other insurers may follow suit and move to adopt similar-to-the-model clauses.
Navigating the LMA model clauses
The operation of these new exclusions is yet to be tested. We set out below two key initial observations on the model clauses.
(1) New terms = new confusion
Key terms and concepts are undefined, risking uncertainty and disputes.
For example, LMA 5566 excludes from coverage, among other things, a cyber operation that has a major detrimental impact on: (a) the functioning of a state due to the direct or indirect effect of the cyber operation on the availability, integrity or delivery of an essential service in that state; and/or (b) the security or defence of a state.
The expression 'major detrimental impact' is not defined, but appears to have been drawn from the UK Centre for Protection of National Infrastructure's Guidance. In the absence of the clarifying language included in the Guidance, it is unclear when the threshold of 'major detrimental impact' will be reached. For example, is it intended to be triggered only in the event of harm to human life (rather than just disruption to daily life)? If disruption, at what point is it major?
According to LMA 5566, essential services would capture (without limitation) financial institutions and associated financial market infrastructure, health services or utility services – indicating the conceivable breadth of this exclusion. Conceivably, this exclusion could be triggered if your business is in one of these industries and you are the victim of a significant cyberattack. Without clarification, your insurance coverage could be rendered obsolete.
(2) A 'robust' basis for attribution?
Insurers bear the onus of establishing that an exclusion applies. To rely on a war exclusion, a causal connection between the relevant war, or the actions of a nation state and the loss (depending on the exact wording of the exclusion), must be established.
The model clauses generally provide that:
- In determining attribution, the primary (but not exclusive) factor is whether the government of the affected state attributes the cyber operation to another state or those acting on its behalf.
- Where a state does not attribute the attack (or is unreasonably delayed in doing so), the insurer must prove attribution by reference to other available evidence.
In addition, insurers may rely on an 'objectively reasonable inference' as to attribution and refuse to pay out claims in reliance on this inference. Taken together, this approach raises a number of potential challenges from the perspective of policyholders, including the following:
- In the absence of a clear statement of attribution by an affected government (which rarely occurs in practice, and generally only where national security is threatened), there is significant room for disputes to arise between insurers and policyholders on the question of attribution.
- There is no clear timeframe for attributing an attack by other evidence, nor any parameters on what that evidence may be. Although it is in the insurer's interest to establish attribution, it is not clear what a reasonable period may be to resolve this question, nor how disputes between the parties may be resolved.
- Difficulties in establishing attribution (as set out above) may lead to a delay or refusal by the insurer to indemnify your business for losses arising from a ransomware attack. The model clauses potentially permit insurers to rely on an inference of nation-state involvement for a protracted period of time, and whether an attack was 'under the direction or control of a nation state' may not be clear.
Without clarification of the model clause wordings, there may be significant delays in your insurer confirming indemnity in the event of a cyber-attack, with flow on consequences for your business' cyber response (including any ransom payment decision).
In practice, it can be difficult to attribute a malware attack to a particular actor (especially a nation state) or to determine its motivations. Doing so will generally depend on the public statements made by government agencies of nation states (such as the statement made by the US in May of this year attributing certain cyberattacks on Ukraine to the Russian State).3 For example, a state may retain private contractors (akin to mercenaries) to carry out a cyberattack in furtherance of its objectives, or it may sanction or encourage private actors to take the same measures. While the former scenario is reasonably straightforward, in the latter, it is far from clear that the relevant conduct should be characterised as by or on behalf of the nation state.
- Engage with your broker ahead of policy renewal to understand what changes may be on the horizon. While little may be done to resist the inclusion of war exclusions in cyber insurance products, it is still important to consider the proposed wording carefully and scrutinise your insurer's position.
- Consider your risk exposure to a sophisticated or state-backed cyberattack. Relevant factors include whether your business may be perceived to be aligned with either side of current global conflicts or regional disputes, or whether you hold sensitive data (such as health information) that may attract threat actors. You should keep track of any ACSC warnings that may apply to you.
- Scenario test with your broker any new exclusions against your risk exposure. For example, consider whether an attack on your business may have a 'major detrimental impact' on the functioning of essential services in Australia, and if so, whether this may jeopardise your coverage position.
- Build hypothetical scenarios into your cyber response planning. Ensure you understand how your business would respond if it were the victim of a cyberattack by a nation state, state-backed actor, vigilante or other cybercriminal.
- Give thought to how any delays in attribution might fit within your broader incident response. Determining attribution can be a fraught and protracted process. You should consider whether you are prepared to incur any expenses without prior approval from your insurer in the event they delay or withhold approval if attribution is unclear. Build these considerations into your cyber incident response plans and playbooks.
Half a decade after NotPetya, affected companies continue to grapple with its aftermath and the unresolved question:
Who should foot the bill for the costs arising from the Russian malware attack that took down networks across the globe and caused billions of dollars in damage?
While minimal legal guidance has emerged from the series of legal disputes that have arisen on this question, NotPetya continues to drive significant change in a hardening cyber insurance market.
|Malicious malware concealed in M.E.Doc software update impacts 65 countries and around 49,000 systems worldwide.
|UK, US5 and Australian6 governments attribute the attack to the Russian State.
|A New Jersey Court finds in favour of insured company Merck & Co that an Ace American property damage insurance policy only excluded a physical act of warfare (armed conflict) and not a malware hack.7
|LMA releases its recent market bulletins with guidance on cyberattack coverage and model clauses for introduction by March 2023.
|Mondalez International settles a 2018 lawsuit against its insurer Zurich American over more than $100 million in claims related to the NotPetya cyberattacks (with no clear legal precedent as a result).8
Australian Cyber Security Centre, CISA, FBI, NSA, and international partners issue advisory on demonstrated threats and capabilities of Russian state-sponsored and cybercriminal actors (22 April 2022) (https://www.cyber.gov.au/acsc/view-all-content/news/cisa-fbi-nsa-and-international-partners-issue-advisory-demonstrated-threats-and-capabilities-russian-state-sponsored-and-cyber-criminal-actors) ; Australian Cyber Security Centre, Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure (21 April 2022) (https://www.cyber.gov.au/acsc/view-all-content/advisories/russian-state-sponsored-and-criminal-cyber-threats-critical-infrastructure)
CISA, Alert (AA22-158A) People’s Republic of China State-Sponsored Cyber Actors Exploit Network Providers and Devices (10 June 2022) (https://www.cisa.gov/uscert/ncas/alerts/aa22-158a). See also CISA, Alert (AA21-201A) Chinese Gas Pipeline Intrusion Campaign, 2011 to 2013 (21 July 2021) (https://www.cisa.gov/uscert/ncas/alerts/aa21-201a).
US Department of State, Attribution of Russia’s Malicious Cyber Activity Against Ukraine, (Press Statement, 10 May 2022) (https://www.state.gov/attribution-of-russias-malicious-cyber-activity-against-ukraine/).
National Cyber Security Centre, "Russian military ‘almost certainly’ responsible for destructive 2017 cyber attack" (News) (https://www.ncsc.gov.uk/news/russian-military-almost-certainly-responsible-destructive-2017-cyber-attack).
The White House, Statement from the Press Secretary, (15 February 2018) (https://trumpwhitehouse.archives.gov/briefings-statements/statement-press-secretary-25/).
Minister for Law Enforcement and Cyber Security Hon. Angus Taylor MP, Australian Government attribution of the ‘NotPetya’ cyber incident to Russia (16 February 2018) (https://www.dfat.gov.au/sites/default/files/australia-attributes-notpetya-malware-to-russia.pdf).
Merck & Co. Inc. vs. Ace American Insurance Co. et al (NJ Sup Ct, L-002682-18, 13 January 2022).
Christopher Burgess, Mondelez and Zurich’s NotPetya cyber-attack insurance settlement leaves behind no legal precedent, (4 November 2022) (https://www.csoonline.com/article/3678970/mondelez-and-zurich-s-notpetya-cyber-attack-insurance-settlement-leaves-behind-no-legal-precedent.html).