informa
4 min read
article

Will Your Cyber-Insurance Premiums Protect You in Times of War?

Multiple cyber-insurance carriers have adopted act-of-war exclusions due to global political instability and are seeking to stretch the definition of war to deny coverage.

With the surge in cybercrime continuing to advance, companies are scrambling to protect themselves. What's more, the attacks are increasingly politically motivated, and government-related industries are finding themselves targeted among heightened global tensions. Geopolitical conflicts are expanding into the digital realm, and threats are coming from all angles.

Given the ubiquitous risks, the cyber-insurance industry is booming. Corporations are increasingly transferring the risk of cybercrime to the insurance industry. So, if a cyberattack does occur, a company won't have to cover the expenses out of pocket — be they in ransom form or through damages and losses.

And yet, despite the market growth, multiple cyber-insurance carriers have moved to adopt act-of-war exclusions due to global political instability. This means that your carrier could deny you coverage if your cybersecurity breach has international political implications. You might pay a ransom to restore your systems, but your cyber insurance won't necessarily have to cover it.

So, how will shifting global conflicts shape the future of the cyber-insurance industry, and how can you protect your organization?

Impact of the Russian-Ukrainian Conflict

Let's start with the elephant in the room: the Russian-Ukrainian conflict. While the political ramifications of the conflict don't need repeating here, there are a multitude of uncertainties regarding its impact on the cyber-insurance sector.

While act-of-war exclusions in insurance policies have been common since the Spanish Civil War, the language wasn't explicit regarding cyberattacks, which of course arose much later.

But now cyberattacks by state and non-state actors are causing hand-wringing across the insurance industry, which is seeking to protect itself from frequent, high cost payouts. Insurance companies are largely moving to rewrite your existing act-of-war clauses to make the language crystal clear that international cyber warfare is not covered.

But what exactly constitutes an act of war? Theoretically, to deny coverage, the cyberattack would have to be launched by official state actors. However, that can be very difficult to determine when you're talking about countries where the line between state and non-state actors is fuzzy at best. Non-state actors may be unofficially acting in collusion with government forces.

So, if Russian cybercriminals, harbored by the government, launch a cyberattack against your organization, are you covered? This is largely a gray area, but insurance companies are increasingly seeking to stretch the definition of war here to deny you coverage.

How to Secure Adequate Coverage

Due to the changing market and geopolitical situation, you need to be keenly aware of the exact kind of cyber-insurance coverage your organization requires. Your decisions should be dictated by the industry you're working in, the security risk, and how much you stand to lose in the event of an attack.

It's important to note that insurance providers are also being more stringent in their requirements for companies to even obtain cyber coverage in the first place. Carriers are increasingly requiring companies to practice good cyber hygiene and have rigid cybersecurity protocols in place before even offering a quote.

Once you have proper cybersecurity protocols in place, you should better qualify for adequate plans. However, remember that no two plans are alike or equally inclusive. When choosing a plan, be sure to look for any fine print regarding act-of-war and terrorism exclusions or those for other "hostile acts." Even when you've done everything right, your carrier can still attempt to deny you coverage under these loopholes.

For instance, after the pharmaceutical corporation Merck suffered millions in losses from Russian hackers, the company was denied payout by an arsenal of cyber-insurance providers. They collectively cited act-of-war exclusions. However, a judge ended up ruling in favor of the corporation, saying the clause only applied to armed conflict, and that insurers needed to expand the language to cover cyber warfare. So, know your plan and be prepared to advocate for yourself when making a claim.

The Future of Cyber Insurance

The insurance industry is learning from its past mistakes and getting a better handle on pricing cyber risk. As risk increases, you can expect that your premiums will also spike, all while your actual coverage decreases. In essence, corporations are paying more while getting less.

Again, it's not clear what constitutes an act of war today, but you can be sure that the definition will be ever expanding as insurance providers scramble to reduce their risk exposure.

The providers are paying attention — and you should be too.