Cyber insurance is not a particularly novel product. You pay a premium, suffer harm and then expect some reasonable form of assistance or compensation. The industry has also been around for a while, dating back to the late 1990s. But some issues make the cyber insurance industry different:

1. On account of rapid cybersecurity changes, the impacts are less predictable and change fast.
2. Governmental differences (e.g., legal requirements to carry insurance, who underwrites for different threats, etc.).
3. A blending of all things technology, business, geopolitical and socio-economic into today’s interconnected world.

These reasons make a recent seven-year legal case — stemming from a ransomware attack and focused on war exclusions — important to track.

The gray zone

The Merck insurance case was closely watched and ended through settlement. That means some future uncertainty on legal precedent still exists, though the appellate court ruled the carrier, in this case, would not be able to deny coverage based on the “war exclusions” in the policy.

So, what does the future likely hold? Carriers will likely tighten their language. The first signs of language tightening, specifically for war exclusions, began in 2022. Adjusting claims for business impact, along with recovery and restoration efforts, is hard enough as it is — meaning that if carriers can reduce their own risk and liability caused by the uncertainties of war, and more specifically, cyber-related war acts, they will. Even other cases have caused confusion about war exclusion clauses.

For insurance purchasers, having a good understanding of their cyber risk profile is paramount. Evaluating purchase options, response services, financial limits, waiting periods and aligning with industry requirements are all great things, but if the organization is a likely target of some larger geopolitical event, there is also a good possibility of being caught up in some exclusion clause.

An organization should consider how a war exclusion scenario could impact them, specifically in the context of evaluating the costs of a data breach. If they do not, they may be out of luck when they seek assistance.

Definitions and scope

The nature of “cyber war” is cloudy at best. Where does it begin and end? What constitutes a declaration? What is considered an act of war? Who is part of the theater? Traditionally, a declaration by a nation’s leader or legislative body or deliberate act, such as invasion, kinetic attack or bombing, provided a clear, bright marker that the “war exclusion” clauses are in effect.

Cyber scenarios are not that clear because definitions and boundaries are so hard to solidify. Moreover, the use of cyber techniques and tools within the greater context of war remains undefined.

Here is a perfect example: What is the difference between Computer Network Exploitation (CNE) and Computer Network Attack (CNA)? Can you conduct a CNA without first performing CNE? Where is the transition point?

Therein is the challenge. We have difficulty understanding downstream impacts, definitions and responsibilities because the upstream “trigger point” has not been defined. And we have not even begun to discuss malicious actors. If the attack is performed by a malicious group sympathetic or aligned to a hostile nation, does that constitute an act of war? All part of the gray zone.

Near-term solutions and considerations

Do not expect an easy “fix-all” solution. The industry — and the world — is changing far too fast. However, there are steps you can take to bolster your resilience and increase the likelihood of receiving assistance:

1. Know policy limits, restrictions and exclusions. Ask questions. Use scenarios to get a better understanding. The same goes for brokers and carriers: explain to purchasers when coverage would and would not apply. Do not gloss over any changes; read them carefully.
2. Be mindful of how your industry connects to the larger geopolitical space. For example, the critical infrastructure industry could be considered a legitimate wartime target. Stay on top of your industry-specific and regulatory requirements. Meeting requirements bolsters your diligence case.
3. Stating the obvious: regularly protect data and infrastructure. In 2023, data breach costs ticked upwards but also saw average savings increase when investment in AI and automation tools were used. Minimize the blast radius to reduce dependence on assistance.

In conclusion, we live in a world of increasingly greater uncertainty and must grapple with imprecise definitions. This is not a reason to be scared or worried but rather to be prepared and seek clarity.

To learn how IBM X-Force can help you with anything regarding cybersecurity including incident response, threat intelligence, or offensive security services schedule a meeting here.

If you are experiencing cybersecurity issues or an incident, contact X-Force to help: US hotline 1-888-241-9812 | Global hotline (+001) 312-212-8034.