Lloyd’s of London has announced that its insurance policies will no longer cover losses resulting from certain nation-state cyber attacks or acts of war.
In a memo sent to the organisation’s insurance syndicates, Underwriting Director Tony Chaudhry said that Lloyd’s remains “strongly supportive” of policies that cover cyber attacks.
However, as these threats become more widespread, policies could “expose the market to systemic risks that syndicates could struggle to manage”. He highlighted the particular risk posed by government-backed hackers, whose attacks are usually for political gain.
There have been countless nation-state attacks amid the war in Ukraine, with Russian hackers disrupting Ukrainian networks and systems to support ground operations.
Ukraine has also used cyber attacks, but it’s not only the sides in direct conflict that are at risk. The countries’ allies have been warned that they could be targeted, with the UK government issuing several warnings.
Given the scale of these attacks, Lloyd’s said that policies that don’t already have a war exclusion must not cover – at a minimum – losses arising from war, whether one has been declared or not.
Policies must also exclude nation-state cyber attacks that “significantly impair the ability of a state to function or that significantly impair the security capabilities of a state”.
These changes will take effect from 31 March 2023, and will become binding at the inception or renewal of each policy.
How do you know if it’s a nation-state attack?
The obvious question following Lloyd’s decision is how one can know whether a cyber attack was conducted by a nation state. Whereas some criminal gangs take credit for their work in a bid to boost their reputation, state-sponsored attackers are rarely so public.
This makes attribution difficult, but forensic investigators can often determine if an attack was state-sponsored based on the sophistication of their methods.
State-sponsored attackers tend to be more meticulous and well-funded, and they pick their targets deliberately – usually going after governments and essential service providers. By contrast, most cyber criminals are indifferent to who they target, as long as they can steal sensitive data to sell on the dark web.
Cyber criminals often use off-the-shelf tools and exploit known vulnerabilities. Their targets tend to be any organisation with weak security controls, with healthcare firms, local governments and schools among the most frequently breached.
However, the differentiation between private criminal hackers and state-sponsored actors isn’t as clear-cut as it once was. Speaking to The Register, cyber security expert Jim Richberg said: “There are times when nation-states will act like criminals, using their tools and infrastructure, and sometimes vice versa.
“The clear line of sophistication and stealth that many have used as a common sense delineation has blurred. Yet, if you are going to pay out money you are likely going to look for something that is more ironclad and likely related to forensic evidence.”
Another issue is determining whether a cyber criminal is being directly supported by a government agency, such as Russia’s GRU, or if they are simply sympathetic to governments.
The war in Ukraine has seen criminal hackers on both sides using cyber attacks as a propaganda tool. For example, Russian hackers launched a phishing campaign using a Ukrainian soldier’s email address to disrupt efforts to help refugees flee the country.
Meanwhile, a group of Ukrainian hackers took the Moscow Stock Exchange offline and the group Anonymous, which has declared “cyber war” against Russia, said it had taken down RT News, the Russian state-controlled television network.
As Google’s Threat Analysis Group Senior Director Shane Huntley put it: “Attacks aren’t just nation-state or not […] We have hack-for-hire operators with both government and non-government customers. We have volunteer hacktivists operating on behalf of government causes, and cybercriminals operating with the tacit approval of states.
“Without clarity on where thresholds are, no insurance policyholder has any type of certainty of what risk they are mitigating.”
When is a cyber attack an act of war?
This isn’t the first time that the attribution of state-sponsored cyber attacks has affected the cyber insurance industry. In 2019, the US food giant Mondelez sued its insurance company for denying a $100 million claim filed after the NotPetya attack.
The confectioner, which owns Cadbury and Oreo, says it lost 1,700 servers and 24,000 laptops as the ransomware swept through its systems.
However, the insurer, Zurich American, said the damage was the result of “an act of war” and therefore wasn’t covered by the policy, which pays out for “risks of physical loss or damage to electronic data, programs, or software, including loss or damage caused by the malicious introduction of a machine code or instruction”.
The evidence suggests that NotPetya was indeed spread by state-sponsored attackers. The incident occurred in 2017, with rising tensions between Russia and Ukraine over the Kerch Strait, and a forensic investigation into the cyber attack revealed that Ukrainian organisations were among the first to be infected and accounted for 80% of all infections.
Later investigations found that the virus was simply masquerading as ransomware, and was in fact designed “to exact maximum destruction and damage”.
In that regard, it was a job well done, with one report estimating that insurers could expect to disburse more than $80 billion (£61 billion) as a result of the attack.
Zurich American initially agreed to pay out on its policy, but soon changed its mind, citing an exclusion for “hostile and warlike action in time of peace and war [by] a government or sovereign power”.
Mondelez called Zurich American’s decision “unprecedented” in court papers. Terrorism and acts of war exclusions are common in insurance policies, but no insurer has ever challenged a claim based on those exemptions.
Rob Smart, technical director at the insurance consultancy Mactavish, believes exclusions for acts of war were “a bit of a grey area” but added that it was unlikely the policy’s authors had cyber attacks in mind when inserting the exemption.
The dispute remains unresolved in what is surely a warning for organisations hoping to receive payment for nation-state cyber attacks.
Avoid uncertainty with IT Governance
Cyber insurance is an expensive but necessary part of modern business. With the recovery costs of a cyber attack reaching £3.6 million or more, a security incident could be catastrophic if you don’t have the right support in place.
The situation will be made even worse if you discover the policy you have paid for doesn’t protect you from all threats. And this isn’t the only way that insurers can claim an exemption on your policy.
You can also be refused coverage if the insurer determines that your organisation hasn’t implemented appropriate controls to prevent an attack. Many organisations get caught out by this, because they believe that the insurance itself acts as a protective measure.
With this level of uncertainty, you can understand why organisations are reluctant to pay for cyber insurance. However, with IT Governance’s Cyber Safeguard service, you’ll receive the support and assurance you need to protect your organisation and cover the costs of a security incident.
This all-in-one package provides cyber security insurance of up to £500,000 alongside expert cyber security guidance, which is based on best-practice advice from ISO 27001, the GDPR and the UK’s National Cyber Security Centre.
The service is available in three tiers – gold, silver and bronze – with each package designed to meet particular security and insurance needs.
Cyber Safeguard is part of IT Governance’s market-leading cyber-defence-in-depth solutions.
Our suite of offerings – which includes consultancy support, audits, e-learning and software – is one of the most comprehensive in the world and unrivalled in the UK.
Find out how Cyber Safeguard can help your organisation from just £300 a month.