After Homeland Security issued a warning to critical infrastructure that it may be caught in the crossfire between the U.S. and Russia if conditions in Ukraine escalate — still a big if — U.S. enterprises have been left to evaluate what their exposure might be.
Insurers will be near the center of any risk strategy. They say clients might be overestimating the danger, underestimating the risk, and insufficiently clear on what their policies might provide in the event insurance becomes critically important.
Insurance is complicated at the best of times. Cyber insurance and the general policies often used to cover cyber events can get particularly confusing — even before adding in the threat of a disruptive nation-state. For companies concerned about what will be covered in the event of an aggressive play by Russia, the answer is an unsatisfying "it depends."
Most insurance carries an act of war clause. All-risk policies — the kinds not dedicated to cyber issues — traditionally carry language less tailored to cyber risk. In January, after four years of litigation, Merck won a lawsuit to force its insurance provider to pay over the NotPetya cyberattacks, for which the insurer claimed a cyberwar exemption.
The language for those exemptions is far more specific in cyber insurance, and those boundaries have never been tested.
"There hasn't been an act of war that has been implicated," said Catherine Lyle, head of claims for cyber-insurer Coalition.
Cyber insurers feel that the types of attacks at risk for the United States in the Ukraine affair would not likely trigger a cyber insurance act of war exemption.
There are multiple factors that insurers believe would lead to leniency. For an attack that is not intended to make a public statement — the kind that most insurers assume is in play — attribution can be very difficult. More than that, insurers do not assume the level of potential attacks would be worth damaging their relationships with partners.
"A good insurance company pays its claims, and I think outside of extraordinary circumstances, you try to do right by your customers, right by brokers and everyone else," said Mike McNerney, senior vice president of security at cyber insurer Resilience.
Insurers are not anticipating those extraordinary circumstances in this case.
The U.S. and Russia are a little ways away from cyber risk spilling over to the U.S. even being an option. DHS warns that may become a concern if the U.S. or NATO is forced to intercede with sanctions or military action. That would not happen unless Russia invades Ukraine. And even if both situations come to pass, targeting the United States is an escalatory move Russia may not want to pursue. As DHS notes in its warning, Russia has never used cyber-sabatoge against U.S. businesses as an option before, even if it is definitely an arrow in their quiver.
"Historically, Russia has used this against Ukraine before with NotPetya. We can go back to Ukraine in 2015, 2016, and 2017, when Russia shut down all ATMs and the ability to shop and do groceries," said Lyle. "Will that happen in the United States? No. But will corporations feel the brunt if our government uses sanctions and other elements against Russia? Quite possibly."
Lyle, and the insurance industry on the whole, is not anticipating Russia clearing out its stock of zero-days against United States businesses. But Russia still could increase discomfort in America, by launching opportunistic nuisance attacks or encouraging criminals to increase cybercrime in their sted.
If there is a threat, insurers are assuming it would operate with a similar sophistication and attack vectors as cybercrime. Enterprises, they say, could head off danger by locking down RDP, protecting identity, and basically taking the same advice that most people have offered to prevent ransomware. The United Kingdom's National Cyber Security Centre offered similar, familiar advice, telling Brits to patch systems, create backups and install multifactor identification.
"Companies should be doing this, but companies should be doing this anyway," she said.
When there is a specter of nation-state activity, it is easy to assume that it will cross the worst-case scenarios of cyberwar and create democracy-threatening infrastructural damage, McNerney is assuming the exact opposite if conflict with Russia progresses.
"I don't think they're going to do things that would cause the United States to escalate. Shutting off or damaging critical infrastructure — the United States would have to do something in response as a result. I don't think the Russians are going to go that far," he said.
McNerney said Resilience had not seen any increase in applications for policies they would attribute to tensions between the U.S. and Russia over Ukraine for his largely American clientele.
While there are certainly more alarmist views than the insurance community is currently advising clients, insurers are not viewing the threat as so negligible it should slip off people's radar entirely.
"People are thinking about conflict in terms of guns and bullets — as they should be — but not enough in terms of cyber."