February 5, 2024 By George Platsis 3 min read

Cyber insurance is not a particularly novel product. You pay a premium, suffer harm and then expect some reasonable form of assistance or compensation. The industry has also been around for a while, dating back to the late 1990s. But some issues make the cyber insurance industry different:

  1. On account of rapid cybersecurity changes, the impacts are less predictable and change fast.
  2. Governmental differences (e.g., legal requirements to carry insurance, who underwrites for different threats, etc.).
  3. A blending of all things technology, business, geopolitical and socio-economic into today’s interconnected world.

These reasons make a recent seven-year legal case — stemming from a ransomware attack and focused on war exclusions — important to track.

The gray zone

The Merck insurance case was closely watched and ended through settlement. That means some future uncertainty on legal precedent still exists, though the appellate court ruled the carrier, in this case, would not be able to deny coverage based on the “war exclusions” in the policy.

So, what does the future likely hold? Carriers will likely tighten their language. The first signs of language tightening, specifically for war exclusions, began in 2022. Adjusting claims for business impact, along with recovery and restoration efforts, is hard enough as it is — meaning that if carriers can reduce their own risk and liability caused by the uncertainties of war, and more specifically, cyber-related war acts, they will. Even other cases have caused confusion about war exclusion clauses.

For insurance purchasers, having a good understanding of their cyber risk profile is paramount. Evaluating purchase options, response services, financial limits, waiting periods and aligning with industry requirements are all great things, but if the organization is a likely target of some larger geopolitical event, there is also a good possibility of being caught up in some exclusion clause.

An organization should consider how a war exclusion scenario could impact them, specifically in the context of evaluating the costs of a data breach. If they do not, they may be out of luck when they seek assistance.

Definitions and scope

The nature of “cyber war” is cloudy at best. Where does it begin and end? What constitutes a declaration? What is considered an act of war? Who is part of the theater? Traditionally, a declaration by a nation’s leader or legislative body or deliberate act, such as invasion, kinetic attack or bombing, provided a clear, bright marker that the “war exclusion” clauses are in effect.

Cyber scenarios are not that clear because definitions and boundaries are so hard to solidify. Moreover, the use of cyber techniques and tools within the greater context of war remains undefined.

Here is a perfect example: What is the difference between Computer Network Exploitation (CNE) and Computer Network Attack (CNA)? Can you conduct a CNA without first performing CNE? Where is the transition point?

Therein is the challenge. We have difficulty understanding downstream impacts, definitions and responsibilities because the upstream “trigger point” has not been defined. And we have not even begun to discuss malicious actors. If the attack is performed by a malicious group sympathetic or aligned to a hostile nation, does that constitute an act of war? All part of the gray zone.

Near-term solutions and considerations

Do not expect an easy “fix-all” solution. The industry — and the world — is changing far too fast. However, there are steps you can take to bolster your resilience and increase the likelihood of receiving assistance:

  1. Know policy limits, restrictions and exclusions. Ask questions. Use scenarios to get a better understanding. The same goes for brokers and carriers: explain to purchasers when coverage would and would not apply. Do not gloss over any changes; read them carefully.
  2. Be mindful of how your industry connects to the larger geopolitical space. For example, the critical infrastructure industry could be considered a legitimate wartime target. Stay on top of your industry-specific and regulatory requirements. Meeting requirements bolsters your diligence case.
  3. Stating the obvious: regularly protect data and infrastructure. In 2023, data breach costs ticked upwards but also saw average savings increase when investment in AI and automation tools were used. Minimize the blast radius to reduce dependence on assistance.

In conclusion, we live in a world of increasingly greater uncertainty and must grapple with imprecise definitions. This is not a reason to be scared or worried but rather to be prepared and seek clarity.

To learn how IBM X-Force can help you with anything regarding cybersecurity including incident response, threat intelligence, or offensive security services schedule a meeting here.

If you are experiencing cybersecurity issues or an incident, contact X-Force to help: US hotline 1-888-241-9812 | Global hotline (+001) 312-212-8034.

More from News

The rising threat of cyberattacks in the restaurant industry

2 min read - The restaurant industry has been hit with a rising number of cyberattacks in the last two years, with major fast-food chains as the primary targets. Here’s a summary of the kinds of attacks to strike this industry and what happened afterward. Data breaches have been a significant issue, with several large restaurant chains experiencing incidents that compromised the sensitive information of both employees and customers. In one notable case, a breach affected 183,000 people, exposing names, Social Security numbers, driver's…

DHS awards significant grant to improve tribal cybersecurity

4 min read - The Department of Homeland Security (DHS) has awarded $18.2 million in grants through the Tribal Cybersecurity Grant Program to boost cybersecurity defenses among Native American Indian Tribes. The program takes a big step in addressing the unique digital threats faced by tribal communities — a dedicated effort to improve cybersecurity infrastructure across these regions. The $18.2 million grant is just one component of DHS's broader strategy to enhance national cybersecurity. Administered by the Federal Emergency Management Agency (FEMA) in partnership…

ONCD releases request for information: Open-source software security

3 min read - Open-source software is a collective partnership across the development community that requires both private and public buy-in. However, securing open-source software can be tricky. With so many different people working on the coding, security measures are often overlooked, increasing the chances that a vulnerability will fall through the cracks and be exploited. The Open-Source Software Security Initiative (OS31) aims to provide governance over open-source security processes. After the Log4Shell vulnerability, securing open-source software became a top priority for the federal…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today