What happens when you think you have something valuable locked away in a safe place for an emergency, only to find out it is not available when you need it? Apart from expected disappointment, panic may set in.
Now, think of your insurance coverage as the “valuable something” you no longer have access to because of some new guidance or exclusionary measure. This is the road we are on, and state-sponsored cyberattacks are trending into exclusionary measures. Recently, Lloyd’s of London solidified its position that state-sponsored attacks would not be covered under its cyber insurance policies.
Insurance markets are doing the math and have come to a conclusion: This coverage may be too costly.
What is cyber war?
To this day, no uniform definition of a state-sponsored cyberattack exists, at least from a legal perspective. Declaration is more instinctual, the “you know it when you see it, but can’t really define it” feeling. Unlike kinetic warfare, with a clear “point a-to-point b” (think of a missile strike), no such equivalent exists in cyberspace (unless an actor is trying to send a message, one as subtle as throwing a brick through the window). Today’s technology permits actors to obfuscate, hide, deceive, dwell and elude all forms of attribution.
Even technically distinct practices, such as Computer Network Exploitation (CNE) and Computer Network Attack (CNA), are a continuation of each other. An astute legal mind or crafty wordsmith could make the case that a CNA is not possible within a CNE, and therefore argue that either constitutes a possible act of war.
The power of language
It all muddies real fast, which may, in part, explain lawsuits that followed the NotPetya attacks, where insurers stated that the cyberattacks occurred during a “time of peace” in a “warlike” fashion as a means to avoid payment. These scenarios are convoluted: on the one hand, government officials, media outlets and pundits repeatedly state we are in a “cyber war”; on the other, that message bombardment can give insurers the carpet-sweeping ability to suggest, “Hey, it’s wartime, exclusions apply, no payout.”
Definitions are crucial, especially in contract law, and even more recently, for regulatory bodies, such as the U.S. Securities and Exchange Commission (SEC), and their newest rules for disclosure. Without clear and unambiguous definitions, expect insurers to offload ambiguous risk.
Is cyber war the event horizon for insurers?
In astronomy, there is a theoretical concept of a boundary surrounding a black hole – the “event horizon” – where no light or radiation can escape. More colloquially, it can be called “the point of no return.” Insurers may be sensing that “cyber war” as part of a policy could be the event horizon that crashes their industry. Therefore, language is key, and customers need to be on the lookout for phrases, clauses and interpretations that can negate coverage. Here are some examples:
- Who will have the ability to determine the attribution of the attack? The insurer? The victim? An independent third-party digital forensics and incident response firm? A security research group tracking advanced persistent threats? The government? Attribution could be the trigger of payment; therefore, whoever has the authority to determine attribution holds all the cards.
- Are there timeframe constraints for declaration and attribution? Unlike a missile strike, where points a and b are clearly defined, and time to travel from a to b is also easily measured, cyberattacks do not possess the same attributes. Expect constraints around these parameters, including the ability of the insurer to have the final say in the matter. This situation is of course problematic for potential victims due to added investigatory pressures (e.g., the need to get the investigation done within x amount of time, otherwise coverage could lapse).
- Limits on nation-states or related third parties? Unless there is some dastardly intent or blatant trolling, do not expect a press release from Country 1 stating, “Yesterday, we attacked Company Z, resident of Country 2, by means of cyberattack.” Not happening. Misdirection and obfuscation are part of this game. Therefore, willful acts of “turning a blind eye” to criminal misdeeds may be in play.
Let us put these three items together for a moment, to see how they could operate in practice. Assume attribution, with high confidence, is possible. And then assume that attribution has been made within a reasonable timeframe. Now, assume Country 1 and Country 2 are engaged in a proxy war through Country 3 — no formal declarations, just a proxy. Country 1 decides to impose economic sanctions on Country 2. In return, Country 2 turns a blind eye to native cyber criminals conducting attacks against Country 1 organizations.
The most important factor: Seek clarity in language
Is the scenario above cyber war? Is this an extension of cyber war? Is it a crime? Is it a transnational crime? Who has jurisdiction to enforce the law? Or is it just fog?
No clear language or common framework exists in cyberspace to address this scenario. From this scenario alone, you can hopefully appreciate that nothing, and everything, can be considered cyber war in today’s environment, based on framing.
Therefore, ambiguity is likely a driving reason insurers are starting to drop certain types of events and put up bright borders, especially since a recent $1.4 billion payout was awarded to the policyholder because the language in the policy was meant to apply to “armed” conflict.
What did we say above about definitions and the need for clarity? The judge said in the ruling: “The words of an insurance policy should be given their plain meaning, but when language used creates ambiguity, the policy should be interpreted to conform to the reasonable expectations of the insured.” [Emphasis added.] Translation: If the language is unclear, side with the insured.
You can be absolutely certain that the insurers will close this gap, and Lloyd’s recent move demonstrates just that. Insurers are definitely in the risk management business.
What to seek in a policy?
Ultimately, a policyholder – much like an insurer – requires bright borders for what is covered. Are only ransomware extortion payments covered, or does coverage include a provision to rebuild infrastructure as well? Are operating expenses limited to incident recovery, or are there business interruption payments also? Are separate policies required for business interruption? There is never any harm in playing out a scenario and going back to the insurer to see what would be covered. The market gives you choices but also requires homework. Don’t be shy about asking questions or performing research, as it’s the best method to make sure your “locked away valuables” are there when you need them.