Analysts are warning that spillover from the Russian invasion of Ukraine is resulting in a new cyber war
By Lauren Ingram
Cyber has been a hot topic in the insurance and captive insurance world for some time now. For years premiums have been rising in the commercial market and capacity decreasing, putting pressure on organisations.
The scale of the problem was revealed in Aon’s Q4 2021 Global Markets Insight Report which showed that cyber premiums rose by 30% in the last quarter of the year alone. Aon also found, through its Global Risk Management Survey, that cyber was the top risk in 2021 and that there had been a dramatic 400% increase in ransomware attacks between Q1 2018 and Q4 2020.
Ironically Aon itself suffered a cyber-attack in February 2022.
According to Scott Connarty, general counsel at Adarma, this increase in ransomware attacks is one of the main reasons cyber premiums are increasing and cyber capacity decreasing.
“The increase in frequency and severity of ransomware attacks on businesses in the last couple of years has resulted in a significant tightening of the cyber insurance market,” Connarty said. “Cyber insurance premiums have increased markedly and the extent and level of cyber insurance coverage has decreased.
“Insurers have also changed tack and will only provide coverage to businesses who maintain a certain level of cyber security sophistication within their organisations. With cyber insurance no longer sufficiently protective or affordable in many cases, the most important risk mitigation exercise for companies in 2022 should be improving cyber security resilience and governance.”
Situations like this, with rapidly rising premiums, usually mean that more organisations look to a captive to transfer their risk to. With cyber, this has most definitely been the case: premiums underwritten with captives for cyber risks increased, rising from 16% in 2019 to 31% in 2021.
Along with rising premiums in the constrained commercial marketplace, the uptick in using captives is undoubtedly due to heightened awareness of cyber risk throughout the coronavirus pandemic. In contrast, cyber was identified as only the sixth biggest risk in Aon’s 2019 survey, with participants expecting it to rise to the third top risk in future.
And now there is another issue that is complicating cyber cover—the rise in politically motivated cyberattacks and ransomware attacks by Russian hackers because of the Russian-Ukrainian war.
A new type of war
According to Fitch Ratings, cyberattacks on both government and corporate organisations have increased following Russia’s invasion of Ukraine.
“Cyberattacks on businesses and government agencies have increased following the Russian invasion of Ukraine, with the risk of spillover cyberattacks against non-primary targets becoming much more widespread,” a report from Fitch said. “Potential targets include critical infrastructure such as financial services, governments and utilities.”
Sridhar Manyem, director of industry research and analytics at AM Best, said that this situation is unusual and a ‘cyber war’ of this kind hasn’t been seen in history before.
“This is probably the first true war being fought in a pretty active cyber environment,” she explained. “There are a lot of activists from both sides of Ukraine and Russia trying to engage in this cyber warfare. Therefore, threats have escalated in an already active environment.”
A report from CyberCube, a cybersecurity firm, found that since the start of the conflict both countries have been actively recruiting hackers to engage in cyberwarfare. There are more than 20 hacker groups openly working for Ukraine and nine for Russia according to the firm’s report.
Because of this, and the already low level of capacity for cyber risk in the market, Connarty said that a potential cyberwar would make it more difficult to get either insurance or reinsurance.
“There’s not enough coverage, there’s not enough reinsurance in the market and the profits are going down because people are getting hit by significant ransomware attacks,” he said. “So [the insurers] need to know that who they’re insuring is actually better prepared for a ransomware event or security incident. And historically, they’ve never really done these checks and now they’re having to because the prevalence is just through the roof.”
The prevalence of ransomware is already so high. Then you bring in something like the Russia-Ukraine situation into it, just the massive uptick in ransomware incidents that we’ve seen as a result of that, when you blend that into a market that’s already had supply chain issues in terms of suppliers being targeted by ransomware attackers and there’s just so many possible entries for attack.
“There’s so many attacks actually happening that the question is, is it worthwhile for insurers to actually insure against something that seems to be almost inevitable for most companies these days.”
Cyber risk, war risk or political risk?
So, if an organisation is the victim of a ransomware or cyber attack by Russian hackers, as a form of war, what would the attack be classified as: cyber risk or war risk?
The problem with it being classified as a war risk, according to Connarty, is that it can be very difficult to determine where a cyberattack has come from and thus prove it was an act of war.
“I’ve been involved in companies that have been ransomed before, and we’ve relied upon our insurers to care [about the attack] and the circumstances. But inevitably, what you normally find in a ransomware attack is that you don’t really ever find the entry vector,” he explained.
“They cover their tracks when they get in, and you will rarely figure out how it happened and who did it. So whether or not a war exclusion clause would apply, it comes down to how could the insurers say that’s absolutely an act of war.”
However, there is another possibility: is it actually a political risk? RiskBusiness thinks so.
A report from the international governance, risk, audit and compliance solution provider gave examples of two different definitions of political risk.
It can be defined as either “a particular exposure to risk which depends on the actions of a government” or “the likelihood that political forces will cause drastic changes in a country’s business environment that adversely affect the profit and other goals of a particular business enterprise”.
RiskBusiness’ CEO, Mike Finlay, told Captive Review that a lot of the time policy wording and definitions, especially when it comes to political risk, are extremely important.
“One of the key driving factors that you’ve got to think about is when your audience make use of the definition [for political risk], how are they going to interpret it?” he said. “You’ve got to be pretty clear and put nice boundaries in place.”
The RiskBusiness report included examples of recent loss and potential loss events that could be considered a result of political risk caused by the Russian invasion of Ukraine. These included BP divesting its holdings in a Russian oil company, Roman Abramovich ceding management of Chelsea Football Club, western countries ejecting Russian banks from the Swift payment system, and even the UK company Comparethemarket pulling a series of long-running ads featuring an animated Russian meerkat.
“In short, the impact of this political risk event is being felt both globally and locally in a wide range of risk categories. There is little doubt that as the situation continues to unfold, the types of loss events will continue to unfold,” the RiskBusiness report stated.
Can captives help?
The question then is: can a captive help with cyber, war or political cover in a cyberwar situation, and do policy wordings need to be adjusted to ensure coverage continues?
And how quickly could a captive add a new line in a fast-moving situation like this? Kevin Doherty from Dickinson Wright said that multinationals, who are the companies most likely to be impacted by cyberattacks from the Ukrainian-Russian war, have a couple of things to consider.
“If you are a multinational, you have to determine that most multinationals have more than one captive,” he explained. “And a lot of times, the most efficient way to work with your captives is on a regional basis.
“The first thing you have to determine is which captives do we put this risk in? And it’s possible they only have one. But my experience with the very large companies, they have usually two or three, maybe four captives throughout the world.”
Once it has been determined which captive to put a risk in, Doherty said, new policies could in theory be written immediately.
“In theory, you could write policy immediately. You know, each year you have to look at the regulations, whether or not you need for it to be determined to be insurance. You can’t put a policy in place and call it insurance if you’re talking about known losses. That’s not insurance.
“But you can do it certainly going forward. And I think companies are doing that. Multinationals tend to only put policies in place at renewal, but this might be different. I don’t think there’s anything stopping them from putting a policy in place immediately.”