Cyber insurance and cyber war

I already devoted some space to cyber insurance. Since then, the situation has evolved.

Oh no, cyber insurance

Cyber insurers have a big problem: it is unclear how to “assess” the risk. Some events might be especially tricky. This means a lot of risk for the insurers. They are, for example, concerned with the proliferation of cyberwarfare tools or the popularity of intelligence cyber operations. And don’t forget the fact that networks are connected: should two States be engaged in war and at least one want to use cyberwarfare capabilities, such as a self-spreading worm (for example, let’s call such a hypothetical tool NotPetya), the risk of spreading to systems based in other countries is non-negligible. This can also happen on purpose. The Zurich Insurance vs Mondelez court case is a good example. It started in 2018 and is still ongoing in 2021. Also, a low-key court would be deciding whether some event was a war activity? Bizarre!


To “simplify” the matter, insurers providing cyber insurance cover have an idea: excluding all “war-like” (“whether war be declared or not”) activities. Let’s look at this space.

Excluding war, cyber war, cyber operations

The LMA5564 defines provisions for “War, Cyber War and Cyber Operation Exclusion No. 1”. Sounds scary? It isn't. It stands for: “this insurance does not cover any loss, damage, liability, cost or expense of any kind (together “loss”) directly or indirectly occasioned by, happening through or in consequence of war or a cyber operation”. Observation: it also includes peacetime cyber operations. That would cover both significant operations and intelligence/reconnaissance ones.

How may a court/insurers know that something was a war or a state cyber operation? According to the exclusion, this is simple: “primary but not exclusive factor in determining the attribution of a cyber operation shall be whether the government of the state (including its intelligence and security services) in which the computer system affected by the cyber operation is physically located attributes the cyber operation to another state or those acting on its behalf”.

Cyber attribution?

This means that the trend of some governments attributing cyber responsibility to other states may soon have financial consequences locally in the country. The stakes of diplomatic or political decisions will grow. Domestically. In unobvious ways. It may definitely have an impact on the willingness or unwillingness of States to use attribution tools. After all, their diplomatic “cyber deterrence” decisions could now have tangible financial consequences in their own countries (and who knows how this may or may not be used to either shoot oneself in the foot, or not?).


There’s also a solution for countries that do not issue cyber attributions (like France, for example). In this case, insurers may do it on their own: “the insurer may rely upon an inference which is objectively reasonable as to the attribution of the cyber operation to another state or those acting on its behalf”. There’s more: “it shall be for the insurer to prove attribution”. Simple, right?


We would then have financial institutions issuing cyber attributions in an arbitrary manner. But are they really qualified to do this? There may be doubts about it. So a possibly available method would be to contract a Big Security Tech company to analyse the attribution. But attribution is not always certain (hence it is issued with confidence levels), and may be costly. Here, I believe that the cost could be amortised if a single threat actor was responsible for many compromises/breaches. So yes, there are available options. It's just that companies potentially interested in "managing risk with cyber insurance" should be aware that, depending on the exclusion in the contract, the decision may range from being perhaps informed to not-so-certain. It would be a range of confidence. Based on this range, the insurer would make a 1/0 binary, legal, decision.

Some cyber power states ...?

The “War, Cyber War and Cyber Operation Exclusion No. 2” is of special note. It goes much further and also excludes: “retaliatory cyber operations between any specified states;”.

What states? “Specified states means China, France, Germany, Japan, Russia, UK or USA”.

It is unclear why those States were chosen. But one thing is clear: at least four countries on the list have very significant cyberwarfare capabilities. It is likely that the countries are on the list because of their powerful capabilities, and possibly also due to the nature of the companies/corporations that are perhaps prominent clients for “cyber insurance”.


Cyber insurance is a controversial tool. Recently, insurers have been steering clear of the risk aspects they were unable to properly assess. So the chosen solution is maybe to limit the coverage to “understandable” threats. We’ll see about that. Cyber insurance is also being blamed as a driver of companies being compromised/attacked (because it makes sense to aim at a company that will likely pay the ransom from its cyber insurance?).

Cyberattack as use of force

The last item to consider is whether a cyberattack may rise to the level of "war-like" activity. The simplest approach is to establish whether a cyberattack was a use of force in the meaning of United Nations Charter article 2(4) ("All Members shall refrain in their international relations from the threat or use of force against the territorial integrity or political independence of any state, or in any other manner inconsistent with the Purposes of the United Nations."). It's a tricky issue. This classification was never assigned to a cyberattack. Yet, (let's say: if) it did happen - it was classified in this way, perhaps by competent people - just not in public. Which is understandable, too. So insurance companies would have a hard time in this case. It isn't clear whether what they would classify as "war-like" would indeed be such.

Summary

Cyber insurance may complement a company's cybersecurity strategy. But by no means should it ever be the sole tool in use. It’s an interesting financial and technology policy tool/concept, but finding people who would be well-positioned to offer guidance in this area is tricky.

This requires broad subject-matter expertise in cybersecurity (technology, likely policy, regulations, etc.) and in law. It’s difficult to find people proficient in all of that at the same time.