As the global fallout of the Russia-Ukraine war escalates, and Russia retaliates against sanctions through widespread cyber-attacks, a new “cyber pandemic” is predicted to spread around the world. This situation may cause very serious repercussions for organisations and societies that are caught unprepared.
Cybercrime expert Dan Thornton, a military veteran and CEO of cybersecurity awareness training platform GoldPhish, warns that while the world is rushing for cover from cyber-attacks and potential cyber warfare, the insurance industry finds itself in a precarious position – how does it define cyber war? And could it be on the hook for paying claims it hadn’t intended to cover? A major destructive malware attack intended for Ukraine spilling over into corporations could have major implications for an already fragile, yet booming insurance sector. Fragile, because such an event could have systemic consequences, yet booming, because the demand for cover against cybercrime has never been greater.
The impact of cyberwar on the insurance industry
Russia’s cyber retaliation poses a threat to businesses around the world, especially as more countries impose sanctions, but at the same time, most cyber insurers are citing cyberwar exclusion clauses in their contracts, which leaves vulnerable businesses in a precarious position.
“To put things into perspective, the cyber insurance industry totals $8 billion in gross written premiums annually. A major cyber war event, such as an attack on a country’s national power grid which could have massive ripple effects across society, would quickly cripple the insurance industry beyond repair. And insurers going under would be catastrophic for businesses that desperately need all other kinds of ongoing cyber insurance cover. This is why insurers have war exclusions – to cover them from events where they can’t afford the systemic fallout. Therefore, businesses cannot simply rely on their insurers to fix their problems. They need to be proactive in protecting themselves from cyber-attacks,” explains Thornton.
The challenge of attribution of blame
One of the main challenges insurers and policyholders have when it comes to understanding cyber threats and adversaries is attribution – the process of tracking, identifying, and laying blame on the perpetrator of a cyberattack or other hacking exploit. This is particularly pertinent in ransomware incidents where attribution is critical to ensure they do not fall foul of paying sanctioned entities – a list which is expanding year on year. Attribution can be extremely challenging for most businesses, especially if they have limited resources and understanding of the cyber threat landscape. A recent example of proving attribution is the SolarWinds attack, in which thousands of companies’ data was compromised and which the FBI and other investigators later attributed to the Russian government. The campaign likely began between March and June 2020, but remained undetected until December 2020, and Russia is still denying responsibility.
“If your business suffers an attack and can’t determine who to attribute it to or it turns out to be an act of war, it could turn into an insurance nightmare. It is therefore essential to safeguard yourself from attack in the first place,” says Thornton.
Why cyber insurance remains vital
Most businesses need cyber insurance for everyday cybercrime – therefore a thriving cyber insurance industry is in everyone’s best interest. Consider the fact that 2021 saw 50% more cyber-attacks per week on corporate networks compared to 2020, and this number is expected to rise in 2022, according to CybersecurityIntelligence.com. It’s also sobering to note that 19 out of 20 cyber security breaches are caused by human error – and in businesses that means employees, according to research by IBM and other sources.
“Suffering a cyber-attack as a business is a matter of ‘when’, not ‘if’, and it is impossible to eliminate the risk of an attack, regardless of your strategy. It is therefore essential that businesses prepare for a worst-case scenario and have the support they need to weather the storm – this is what insurance is for.”
As well as minimising business disruption and providing financial protection during an incident, cyber insurance may also help with any legal and regulatory actions after an incident that has triggered losses or liabilities. “Now more than ever, businesses should revisit their policies and understand what they include and exclude.”
Businesses should manage their risks better
Thornton recommends that businesses everywhere get proactive about their own cyber security by backing up their data, protecting their organisations from malware and security breaches, implementing a strong password policy, securing all devices, and running regular security awareness training for all employees.
Having a mix of technical, procedural, and human controls in place will make it easier for companies to qualify for cyber insurance and to ward off attacks that could lead to insurance claims. Many cyber insurers require clients to invest in a mix of training, prevention, detection, and response controls. Some insurers offer discounts if an organisation already has recognised cyber security defences in place, and some will deny coverage altogether if a client is unable to demonstrate a basic level of cyber hygiene and is deemed to be too high risk.
“Prevention is always better than cure. We may be facing a cyber pandemic, but if all businesses practice good cyber hygiene we can beat it together,” says Thornton.