The events currently occurring in Ukraine are devastating. Whether you are a descendant of Ukraine or Russia, or have friends, family, neighbors, or colleagues impacted, our hearts go out to you. At Graham our company vision is “to create a healthy, safe, and prosperous tomorrow”, and we all hope for this conflict to end peacefully and quickly.
With that being said, we wanted to address the widely reported recent Russian cyber-attacks that are being launched against several Ukrainian financial services firms, government websites and media outlets. While there are very few details about these attacks, the lack of transparency is particularly concerning because of Ukraine’s recent development as a major provider of critical information technology services. As a result, many have raised concerns about the potential for these types of attacks to spill over to other nations, specifically Ukrainian allies.
What we know…
Our interconnectedness and reliance on technology means the location of an initial target can be irrelevant, with attacks having the ability to spread globally and rapidly. The cyber element of this conflict could quickly and severely escalate, creating the potential for unprecedented cyber-physical impacts.
Following Russia’s air and land invasion of Ukraine on February 24th, 2022, the use of cyber-attacks as a part of the conflict has been prevalent.
Some of the types of attacks witnessed include:
- Distributed Denial of Service Attacks: Disabling websites for Ukraine’s defense and foreign ministries;
- Data Corruption and Wiper Malware with self-propagating capabilities: HermeticWiper designed to erase data from systems it encounters; and
- Misinformation Campaigns: Fake text messages saying ATMs do not work.
Furthermore, we have seen both Ukraine and Russia openly recruit a global volunteer cyber force to offensively attack their enemy’s IT systems and networks.
- The Hacking collective “Anonymous” has joined the fight alongside Ukraine; and
- The Ransomware group “Conti” has sided with Russia.
As of March 1st, 2022, there were at least 33 different cyber threat actor groups actively assisting Ukraine or in favor of Russia.
Russian President Vladimir Putin has declared that all parties found to be inhibiting Russia’s war effort will be met with unprecedented military force. There is potential that companies within the United States, United Kingdom, European Union, and other Allied Nations that participate in levying sanctions or providing military support are at risk of experiencing retaliatory cyber-attacks.
How does this impact a Cyber Insurance Policy?
A Cyber Insurance Policy is intended to assist an organization with incident response, data restoration, business interruption and other expenses associated with a cyber-attack. It is important that policyholders be mindful of claim reporting requirements, obligations to use panel vendors, and other coverage issues in responding to an incident that may impact attorney-client privilege and the coverage limits afforded.
Most, if not all, cyber insurance policies include a war exclusion. There is no uniformity in the language utilized, but all maintain broad exclusions for claims “based upon”, “arising out of”, or “attributable to” war, whether declared or not. It is difficult to predict how these exclusions will apply to a future attack given current events. A carrier’s analysis of a claim and the applicability of the war exclusion will be very fact dependent. Cyber carriers will be required to evaluate coverage in the context of constantly evolving sanctions and with the added challenge of a widely distributed and anonymous threat landscape that makes attribution and establishment of responsibility for a cyber-attack difficult, if not impossible.
A recent decision regarding coverage under a property policy for the NotPetya attack may shed some light on how courts would approach this issue, but it also demonstrates how important the policy language will be in determining whether the war exclusion applies. In Merck & Co., Inc. et al v. ACE American Ins. Co., a New Jersey Court rejected the insurance carriers’ argument that the war exclusion of an all-risks property policy applied to losses sustained by the pharmaceutical firm as a result of the NotPetya malware deployed against Ukraine by Russia’s military intelligence agency. The Court held that the war exclusion did not apply because the language of the exclusion did not explicitly include cyber-attacks, and therefore, Merck had every right to expect that the exclusion would apply only to traditional forms of warfare.
How these exclusions will apply to cyber-attacks occurring during the Russia-Ukraine conflict remains to be seen. To be in the best position to prevent, mitigate and respond to potential attacks, we encourage you to review your incident response and/or disaster recovery plans to ensure they are up-to-date and that your organization is ready to implement should an attack occur. You should also work closely with your Graham Service Team to be aware of claims reporting requirements and any proactive efforts that can be made to prepare and prevent a cyber-attack on your network.
If you have questions about your cyber posture, we encourage you to talk with us about our newest cyber offering, GRAHAM CYBER BLUEPRINTSM. With Graham Cyber Blueprint, you can improve your cyber strategy and insurability as a result of completing a quick questionnaire that will help you identify areas for improvement and general recommendations for next steps to strengthen your organization's cybersecurity defenses. Fill out our Graham Cyber Blueprint questionnaire HERE.
Finally, in response to the Russia-Ukraine conflict, the United States Cybersecurity and Infrastructure Security Agency, known as CISA, has issued its Shields Up Advisory with guidance for strengthening cybersecurity posture in the face of the increasing cyber threat. Guidance is aimed at corporate leaders and includes advice to empower CISOs and senior leadership. Shields Up includes guidance for all organizations, recommendations for corporate leaders and CEOs, ransomware response, steps to take to protect yourself and your family, and additional technical resources.
You can read the full Shields Up Advisory Guidance HERE.