LONDON (Reuters) – Insurers face potential multi-billion dollar claims for cyber attacks related to Russia’s invasion of Ukraine, despite policy wording designed to get them off the hook for war, industry sources say.
Following the Feb. 24 attack on Ukraine and Western sanctions against Moscow, the U.S. government said last week it had seen “preparatory” Russian hacking activity aimed at numerous U.S. companies, though it said it had “no certainty” such an attack would occur.
Western financial regulators have already warned banks of the risks of cyber attacks though none have been confirmed so far.
European and U.S. insurers, already facing mounting losses in the past year, have been driving up premiums due to the increased coverage cost and prevalence of so-called ransomware attacks.
If Russia carries out a large cyber attack which spills over into several countries, it could lead to claims totalling $20 billion or more, similar to insurance claims from a large U.S. hurricane, the industry sources said on condition of anonymity.
This comes as insurers also face losses related to the conflict in other business sectors such as aviation, which is seen as particularly exposed to the impact of what Russia calls a “special military operation” to disarm Ukraine.
Lloyd’s of London, one of the world’s biggest players in cyber and other commercial insurance policies, said last week that it faced “major” claims from the invasion.
Cyber insurance – whose market ratings agency Fitch says totalled over $2.7 billion in 2020 in the United States alone – covers a business for the repair of hacked networks, business interruption losses and also cyber ransom payments.
Such policies do not cover war, or attacks by so-called “state-sponsored actors”.
It is often hard, however, to identify the perpetrator of a cyber attack.
“Defining what is state-sponsored is quite challenging,” Lloyd’s of London chairman Bruce Carnegie-Brown told Reuters last week. “These policies get tested by new events and we need to work through the wording…and make sure our customers understand where they are covered and where they aren’t.”
Even if insurers can prove a cyber attack was a result of the conflict in Ukraine, war exclusions may not be enough to protect them.
Cyber insurers have become more aware of ambiguities in their insurance in recent years, but some are slower to adapt than others.
Policy wordings vary from insurer to insurer, and are open to interpretation, said Marcos Alvarez, head of insurance at ratings agency DBRS Morningstar.
This is expected to lead to disagreements between insurers and policyholders about whether or not there is coverage, similar to business interruption insurance cases which have gone to court across the world since the outbreak of COVID-19.
A particular grey area is over cyber terror attacks, which are generally covered by insurance.
Terror is typically more narrowly defined than war, but Westlaw, a Thomson Reuters company, said in a note last week that “cyber terrorism” is sometimes defined “quite broadly to include any attack against a computer system with the ‘intent to cause harm’ in furtherance of ‘social, ideological, religious, economic or political objectives'”.
Policyholders could end up being covered “quite expansively” by cyber or cyber terrorism policies, said Yosha DeLong, global head of cyber at insurer Mosaic.
“Any time there’s ambiguous wording on a policy, it’s to the client’s advantage, not the insurer’s.”
There is also a risk from “silent cyber”, in which businesses have other policies which do not specifically exclude cyber attacks, and may look to claim on those.
A New Jersey court ruled in January in favour of Merck & Co MRK.N over a $1.4 billion insurance claim for the 2017 NotPetya cyber attack, which the White House blamed on Russia.
To reduce their overall risk, some cyber insurers are considering broad exclusions for Russia and Ukraine, said Meredith Schnur, U.S. and Canada cyber brokerage leader at broker Marsh.
Military losses could lead to a different approach by Russia, including cyber attacks, analysts at Eurasia said.
Some Russian units suffering heavy losses had been forced to return home and to neighbouring Belarus, British military intelligence said this week, after Russia promised to scale down military operations around Kyiv.
Cyber attacks have taken place on Ukrainian critical infrastructure, government services, banks and telecoms, analytics firm CyberCube said in a report earlier this month.
Russian government institutions and businesses are also being targeted by cyber attackers, CyberCube said, adding that some attacks have spilled over into Belarus, Poland, Lithuania and Latvia.
The invasion is also adding to pressure on cyber insurance premiums, with rates rising sharply due to ransomeware attacks where hackers encrypt victims’ data and demand a ransom to release it.
Cyber security firm Coveware likened the 90%-plus profit margin from ransomware attacks last year to the gains Colombian cocaine cartels made in 1992.
Cyber insurance rates rose by 130% in the United States and by 92% in Britain in the fourth quarter, according to Marsh.
Industry sources see similar rate rises this year.
Rate rises already vary wildly, one consultant said, giving an example of a small business in Britain which had seen its annual cyber insurance premium leap to 450,000 pounds ($590,940.00) from 80,000 pounds.
“Everyone’s prices have gone up, now they will go up even more,” the consultant said. “Ukraine and Russia are just putting more stress on premiums and availability.”