Cyber War, Undefined By Military, Rationalized By Insurers

Cyber Insurance do not insure against Cyberattacks (?)

Over the last year, the cyber-insurance market has been seriously shaken. After almost two years of ransomware epidemics, 416M$ in 2020 and 590M$ for only the first six months of 2021 have been payed in ransom according to the US Treasury.  Cyber Insurers had to reshape their protection policy and double or triple the cost of their premium with the threat of contract termination.

In the past few months, in addition to strong limitation of ransomware attacks coverage, Lloyd’s of London made the headlines by adding to its exclusion clauses four cases regarding Cyber War and Cyber Operation.

But what is a “cyber war” or a “cyber operation”? Does a state-sponsored cyberespionage campaign fall into those categories? Would a data leak performed by a hacktivist be considered as an act of terror? At one point we can even ask ourselves : what does a cyber-insurance really cover ?

War. Beyond movies, series, books, war is first and foremost defined by law. “The rules of engagement”, jus in bello. It defines what a war is, how you can rightfully start one, what you are allowed to do during operation. It is now settled in the International Humanitarian Law (IHL), also referred to as the Laws of Armed Conflict. And cyber is not included in them.

Military and Defense observers always seem reluctant to use terms such as “cyber war”, “cyber conflict” or “cyber terror”.

“Cyber war has never happened in the past, [that] cyber war does not take place in the present, and [that] it is unlikely that cyber war will occur in the future”

Thomas Rid, Journal of Strategic Studies, Volume 35, 2012.

But some disagree, sometimes for philosophical reasons, and sometimes, for other interests.

NotPetya 2017 attacks and Insurance Exclusion

You may recall this gigantic wiper malware attack in 2017, dubbed NotPetya. This cyber attack, disguised as a ransomware operation, was in fact a sabotage operation performed by the hacker group Telebots/GreyEnergy.

One striking example was then the Mondelez case. Hit by approximatively $100 millions of remediation costs, their Insurer (Zurich Insurance) cited the “war exclusion” to avoid paying the Policy.

Collateral damage of cyberattacks on civilian population

Nation-state and Terrorist cyber operations have always been a tricky area for Cyber Insurance. The systemic feature of cyber makes those risks harder to quantify and thus, to make sustainable actuarial arbitration on them. An attack performed by a state or terrorists that hits critical infrastructures can indirectly affect corporations and civilians.

Some Military and Defense Observers may object that cyber war is a buzzword used by lousy politicians and fear-based moneymakers, but some cyber operations do affect populations just as a war does. The Red Cross, for example, did extensive research and documentation about the potential human cost of cyber operations. From their perspective, the International Humanitarian Law does apply in cyberspace, opening the logical following discussion about the concept of cyber war.

Cyber Attack Attribution: a tool, or a weapon?

The difficult exercise of cyber-attack attribution is well-known by specialists. The fog of the matrix lets only very few institutions in the world capable of building a strong attribution backed by solid evidence. Cyber attack attribution is first a political matter, before a technical one. And these evidence might be either too secret to be disclosed or too complex to be understood by the general public. The validity of the attribution may just be resumed to this: how much do you (want to) trust the one making it? Without attribution, to a State or to a backed mercenary group, the qualification of “Cyber War” is out of reach.

This shadowy condition leads to another trust issue. When an insurer invokes the “war exclusion” clause for a cyber-attack, based on political attribution, the question about their underlying motivation will necessarily arise. A cynical interpretation could be that the insurer wants to cut all risky operations, when people really need them, to preserve their margin on unnecessary products and coverage.

Insurers have greater purposes than just making money

The concept of Insurance as “Mutual Rescue” has existed since the first commercial exchanges by the Babylonians, the Chinese and the Indians. It then expanded with the “bottomry loan” when the Greeks and the Romans loaned money from banks and if their adventure failed, they didn’t have to pay it back.

Insurers have always played a role in the search of protection, by civil population or merchants. Nowadays, with corporations redefining or signalling their “social purpose” or “raison d’être”, insurance companies may be wise to think twice about their role in our society that is pervasively cyber.

2022 may be the year where they enforce too many limitations in their offer, up to the point where people might lose the understanding of their purpose and stop tolerating pricy coverage that does not appear to keep their company secure. Or the year where they remodel their underwriting and mindset to address the real risks of the 21st century.