February 5, 2024 By George Platsis 3 min read

Cyber insurance is not a particularly novel product. You pay a premium, suffer harm and then expect some reasonable form of assistance or compensation. The industry has also been around for a while, dating back to the late 1990s. But some issues make the cyber insurance industry different:

  1. On account of rapid cybersecurity changes, the impacts are less predictable and change fast.
  2. Governmental differences (e.g., legal requirements to carry insurance, who underwrites for different threats, etc.).
  3. A blending of all things technology, business, geopolitical and socio-economic into today’s interconnected world.

These reasons make a recent seven-year legal case — stemming from a ransomware attack and focused on war exclusions — important to track.

The gray zone

The Merck insurance case was closely watched and ended through settlement. That means some future uncertainty on legal precedent still exists, though the appellate court ruled the carrier, in this case, would not be able to deny coverage based on the “war exclusions” in the policy.

So, what does the future likely hold? Carriers will likely tighten their language. The first signs of language tightening, specifically for war exclusions, began in 2022. Adjusting claims for business impact, along with recovery and restoration efforts, is hard enough as it is — meaning that if carriers can reduce their own risk and liability caused by the uncertainties of war, and more specifically, cyber-related war acts, they will. Even other cases have caused confusion about war exclusion clauses.

For insurance purchasers, having a good understanding of their cyber risk profile is paramount. Evaluating purchase options, response services, financial limits, waiting periods and aligning with industry requirements are all great things, but if the organization is a likely target of some larger geopolitical event, there is also a good possibility of being caught up in some exclusion clause.

An organization should consider how a war exclusion scenario could impact them, specifically in the context of evaluating the costs of a data breach. If they do not, they may be out of luck when they seek assistance.

Definitions and scope

The nature of “cyber war” is cloudy at best. Where does it begin and end? What constitutes a declaration? What is considered an act of war? Who is part of the theater? Traditionally, a declaration by a nation’s leader or legislative body or deliberate act, such as invasion, kinetic attack or bombing, provided a clear, bright marker that the “war exclusion” clauses are in effect.

Cyber scenarios are not that clear because definitions and boundaries are so hard to solidify. Moreover, the use of cyber techniques and tools within the greater context of war remains undefined.

Here is a perfect example: What is the difference between Computer Network Exploitation (CNE) and Computer Network Attack (CNA)? Can you conduct a CNA without first performing CNE? Where is the transition point?

Therein is the challenge. We have difficulty understanding downstream impacts, definitions and responsibilities because the upstream “trigger point” has not been defined. And we have not even begun to discuss malicious actors. If the attack is performed by a malicious group sympathetic or aligned to a hostile nation, does that constitute an act of war? All part of the gray zone.

Near-term solutions and considerations

Do not expect an easy “fix-all” solution. The industry — and the world — is changing far too fast. However, there are steps you can take to bolster your resilience and increase the likelihood of receiving assistance:

  1. Know policy limits, restrictions and exclusions. Ask questions. Use scenarios to get a better understanding. The same goes for brokers and carriers: explain to purchasers when coverage would and would not apply. Do not gloss over any changes; read them carefully.
  2. Be mindful of how your industry connects to the larger geopolitical space. For example, the critical infrastructure industry could be considered a legitimate wartime target. Stay on top of your industry-specific and regulatory requirements. Meeting requirements bolsters your diligence case.
  3. Stating the obvious: regularly protect data and infrastructure. In 2023, data breach costs ticked upwards but also saw average savings increase when investment in AI and automation tools were used. Minimize the blast radius to reduce dependence on assistance.

In conclusion, we live in a world of increasingly greater uncertainty and must grapple with imprecise definitions. This is not a reason to be scared or worried but rather to be prepared and seek clarity.

To learn how IBM X-Force can help you with anything regarding cybersecurity including incident response, threat intelligence, or offensive security services schedule a meeting here.

If you are experiencing cybersecurity issues or an incident, contact X-Force to help: US hotline 1-888-241-9812 | Global hotline (+001) 312-212-8034.

More from News

Research finds 56% increase in active ransomware groups

4 min read - Any good news is welcomed when evaluating cyber crime trends year-over-year. Over the last two years, IBM’s Threat Index Reports have provided some minor reprieve in this area by showing a gradual decline in the prevalence of ransomware attacks — now accounting for only 17% of all cybersecurity incidents compared to 21% in 2021. Unfortunately, it’s too early to know if this trendline will continue. A recent report released by Searchlight Cyber shows that there has been a 56% increase in…

Cyberattack on American Water: A warning to critical infrastructure

3 min read - American Water, the largest publicly traded United States water and wastewater utility, recently experienced a cybersecurity incident that forced the company to disconnect key systems, including its customer billing platform. As the company’s investigation continues, there are growing concerns about the vulnerabilities that persist in the water sector, which has increasingly become a target for cyberattacks. The breach is a stark reminder of the critical infrastructure risks that have long plagued the industry. While the water utility has confirmed that…

CISA and FBI release secure by design alert on cross-site scripting 

3 min read - CISA and the FBI are increasingly focusing on proactive cybersecurity and cyber resilience measures. Conjointly, the agencies recently released a new Secure by Design alert aimed at eliminating cross-site Scripting (XSS) vulnerabilities, which have long been exploited to compromise both data and user trust. Cross-site scripting vulnerabilities occur when a web application improperly handles user input, allowing attackers to inject malicious scripts into web pages that are then executed by unsuspecting users. These vulnerabilities are dangerous because they don't attack…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today