February 5, 2024 By George Platsis 3 min read

Cyber insurance is not a particularly novel product. You pay a premium, suffer harm and then expect some reasonable form of assistance or compensation. The industry has also been around for a while, dating back to the late 1990s. But some issues make the cyber insurance industry different:

  1. On account of rapid cybersecurity changes, the impacts are less predictable and change fast.
  2. Governmental differences (e.g., legal requirements to carry insurance, who underwrites for different threats, etc.).
  3. A blending of all things technology, business, geopolitical and socio-economic into today’s interconnected world.

These reasons make a recent seven-year legal case — stemming from a ransomware attack and focused on war exclusions — important to track.

The gray zone

The Merck insurance case was closely watched and ended through settlement. That means some future uncertainty on legal precedent still exists, though the appellate court ruled the carrier, in this case, would not be able to deny coverage based on the “war exclusions” in the policy.

So, what does the future likely hold? Carriers will likely tighten their language. The first signs of language tightening, specifically for war exclusions, began in 2022. Adjusting claims for business impact, along with recovery and restoration efforts, is hard enough as it is — meaning that if carriers can reduce their own risk and liability caused by the uncertainties of war, and more specifically, cyber-related war acts, they will. Even other cases have caused confusion about war exclusion clauses.

For insurance purchasers, having a good understanding of their cyber risk profile is paramount. Evaluating purchase options, response services, financial limits, waiting periods and aligning with industry requirements are all great things, but if the organization is a likely target of some larger geopolitical event, there is also a good possibility of being caught up in some exclusion clause.

An organization should consider how a war exclusion scenario could impact them, specifically in the context of evaluating the costs of a data breach. If they do not, they may be out of luck when they seek assistance.

Definitions and scope

The nature of “cyber war” is cloudy at best. Where does it begin and end? What constitutes a declaration? What is considered an act of war? Who is part of the theater? Traditionally, a declaration by a nation’s leader or legislative body or deliberate act, such as invasion, kinetic attack or bombing, provided a clear, bright marker that the “war exclusion” clauses are in effect.

Cyber scenarios are not that clear because definitions and boundaries are so hard to solidify. Moreover, the use of cyber techniques and tools within the greater context of war remains undefined.

Here is a perfect example: What is the difference between Computer Network Exploitation (CNE) and Computer Network Attack (CNA)? Can you conduct a CNA without first performing CNE? Where is the transition point?

Therein is the challenge. We have difficulty understanding downstream impacts, definitions and responsibilities because the upstream “trigger point” has not been defined. And we have not even begun to discuss malicious actors. If the attack is performed by a malicious group sympathetic or aligned to a hostile nation, does that constitute an act of war? All part of the gray zone.

Near-term solutions and considerations

Do not expect an easy “fix-all” solution. The industry — and the world — is changing far too fast. However, there are steps you can take to bolster your resilience and increase the likelihood of receiving assistance:

  1. Know policy limits, restrictions and exclusions. Ask questions. Use scenarios to get a better understanding. The same goes for brokers and carriers: explain to purchasers when coverage would and would not apply. Do not gloss over any changes; read them carefully.
  2. Be mindful of how your industry connects to the larger geopolitical space. For example, the critical infrastructure industry could be considered a legitimate wartime target. Stay on top of your industry-specific and regulatory requirements. Meeting requirements bolsters your diligence case.
  3. Stating the obvious: regularly protect data and infrastructure. In 2023, data breach costs ticked upwards but also saw average savings increase when investment in AI and automation tools were used. Minimize the blast radius to reduce dependence on assistance.

In conclusion, we live in a world of increasingly greater uncertainty and must grapple with imprecise definitions. This is not a reason to be scared or worried but rather to be prepared and seek clarity.

To learn how IBM X-Force can help you with anything regarding cybersecurity including incident response, threat intelligence, or offensive security services schedule a meeting here.

If you are experiencing cybersecurity issues or an incident, contact X-Force to help: US hotline 1-888-241-9812 | Global hotline (+001) 312-212-8034.

More from News

Europe’s Cyber Resilience Act: Redefining open source

3 min read - Amid an increasingly complex threat landscape, we find ourselves at a crossroads where law, technology and community converge. As such, cyber resilience is more crucial than ever. At its heart, cyber resilience means maintaining a robust security posture despite adverse cyber events and being able to anticipate, withstand, recover from and adapt to such incidents. While new data privacy and protection regulations like GDPR, HIPAA and CCPA are being introduced more frequently than ever, did you know that there is new…

Feds release urgent guidance for U.S. water sector

3 min read - The water and wastewater sector (WWS) faces cybersecurity challenges that leave it wide open to attacks. In response, the CISA, EPA and FBI recently released joint guidance to the sector, citing variable cyber maturity levels and potential cybersecurity solutions. The new Incident Response Guide (IRG) provides the water sector with information about the federal roles, resources and responsibilities for each stage of the cyber incident response lifecycle. Sector owners and operators can use this information to augment their incident response…

What to expect from the new National Cyber Director

4 min read - As cyber threats show no sign of slowing down in terms of sophistication and frequency, the role of the National Cyber Director (NCD) in the United States is becoming a cornerstone of the nation’s defense strategy. Inaugural NCD Chris Inglis set a high bar for the office during his tenure, steering the country through a gauntlet of cyber challenges. Now, as Harry Coker Jr. steps into this critical role, he faces a landscape that continues to evolve with new threats on…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today