A ‘digital nuclear bomb’: the potential impact of the Russia-Ukraine conflict
Russia’s invasion of Ukraine has changed the landscape when it comes to cyber threats. A panel of experts at the Bermuda Risk Summit examined the implications of this for the world of risk transfer.
While many of the usual cyber attackers were otherwise engaged in physical combat in Ukraine, the moderator of the cyber discussion at the Bermuda Business Development Agency’s inaugural Bermuda Risk Summit, March 14–16, raised the question of how the 300-year-old insurance industry should adapt to cyber attacks as a tool of modern warfare.
Tracey Gibbons, head of QBE Re Bermuda, asked cyber experts how they assessed the potential for malicious activity as a result of Russia’s war on Ukraine.
Patrick Bousfield, senior broker, cyber, casualty and financial lines lead at Lockton Re, said: “Cyber is a soft attack. What we’re seeing right now is tragic, conventional war. So, in my opinion, and from the research we’ve been doing, it doesn’t seem to be having an impact in ransomware attacks, mainly because—if you study the ecology of ransomware—a lot of the bad actors are usually based in those two countries.”
That means the usual suspects of cyber attacks are “a little too busy to look for the profit motive”, he said. There are, however, other “threat actors” out there who will be trying to take advantage of the situation.
“How widespread could it be? It takes a fair amount of investment to make a very widespread impact, but you could see a ‘digital nuclear bomb’ going off in certain sectors, with oil and gas probably being the most likely,” he said.
Yosha DeLong, SVP and global head of cyber at Mosaic Insurance, stressed there is no “war arsenal hacking kit” that is ready and waiting to be used, but said she was concerned about cyber attacks that affect more people and organisations than their original intended target.
Another complexity with Russia, DeLong said, is that hackers who claim to be state-sponsored are not necessarily easy to control by their own government.
“There’s a larger-scale reality here and the war has really brought it to life: that cyber attacks can be used as a tool of warfare, and we have to consider that when we look at the modelling,” she said.
Gibbons noted that re/insurance treaties and contracts typically contain war exclusions, and asked how the standard cyber wording would respond to a series of small malicious cyber attacks, or one big systemic attack, such as to an electric grid.
DeLong said: “There are war exclusions on cyber policies and they do have a cyber terrorism clawback which, in some ways, nullifies them completely. Every carrier has a different policy with different wording, so it’s where the comma is, or where the ‘and’ is, that decides whether or not it is able to be invoked.
“That’s something we as a community are looking at right now.”
The problem is that the industry is using policies with war exclusions that can be traced back to property versions created a century ago, she added. Therefore, it needs to look “from scratch” at this issue to design something that is appropriate to the threats being faced “in this day and age”.
Defining the terms
Gibbons asked whether that meant cyber attacks as an instrument of war could mean potential losses for the industry.
Noel Pearman, SVP, cyber product line leader at AXA XL, said: “That’s a great question because the war exclusion is predicated on an assumption that we could define ‘war’.”
“It is exceedingly difficult to tell who is attacking and what their motives are. Cyber attackers are so sophisticated that they can even mimic the attacking styles of others to make it look as if another country or organisation is responsible for a cyber attack,” he explained.
“There are modifications coming into the market that will help,” Pearman added. “One of these could be: ‘We will not cover a cyber incident as a result of an attack which is in support of conventional, boots-on-the-ground warfare’.
“This clarifies exactly when an exclusion would or would not apply, and takes the terrorism piece out of it. That might help, but it’s going to be very difficult in the meantime.”
Gibbons asked whether NATO’s involvement in the conflict would increase the chance of a “zero-day attack”, referring to the term used to describe a computer software vulnerability that hackers can exploit to adversely affect programs, data, additional computers or a network.
Ari Chatterjee, chief underwriting officer of Envelop Risk, said the average “dwell time” in a network by nation state cyber attackers is between 180 days to a year. In the meantime, cyber experts are not seeing an increase in activity, and were not expecting to, he said.
By dwell time, Chatterjee meant the period between a hacker's penetration of an organisation’s computer systems and the point at which the organisation discovers the hacker is there.
Not much activity does not mean, however, that nothing is happening. “They’re probably already there in the systems,” Chatterjee added.
“If NATO became involved in the conflict, governments would, I hope, attribute any cyber attack to the actual perpetrator,” he said. As for other types of cyber attacks, a large-scale conflict would reduce numbers of ransomware attacks since such “bad actors” in Ukraine are now involved in defending their country.
For that reason, there has been a reduction in ransomware activity since the war began, he said.
On whether cyber attacks during the war would lead to losses for the re/insurance industry, Chatterjee said: “If you add up the limits, especially in the Fortune 500, the cost could very well be a $20–$40-billion loss, wiping out the market many times over.”
DeLong said her estimate was $40–$60 billion. “When we’re underwriting individual risks, we focus on their controls, and that’s going to insulate insurance portfolios from catastrophic events,” she said.
“You always underwrite with the assumption that somebody can get hit, that a nation state can get into almost anybody it wants to, but how are they going to recover and prevent that event from being catastrophic to their business?
“The insurance community has done a very good job of focusing on the controls in the last couple of years. That’s going to be key to preventing this particular event, if it did escalate, being ultimately catastrophic to the industry.”
Gibbons asked the speakers whether the largest event that could possibly hit the market may not be covered.
Bousfield said the re/insurance industry still has a “bricks-and-mortar mentality” in its coverages, even though the global economy is now digital.
“We’re stuck in a 300-year-old paradigm and think about risk as it is on a certain day and work out how much to charge and hope that, 365 days later, nothing will have changed,” he said.
“But as we know some of these threat actors, especially those mentioned, sit there for six months. So, if you wrote the risk on day one of those 180 days, that’s great, but if day one is right after those 180 days, then it’s not so great.”
Big solutions are the answer
“Reinsurance axioms of geographic diversity and segmentation have been challenged by a global peril.”
Patrick Bousfield, senior broker at Lockton Re (Bermuda), said that Bermuda is perfectly positioned to solve the coverage gap in cyber by providing bespoke, large solutions to a global marketplace.
Throughout the insurance value chain, there is an ocean of cyber demand, a swimming pool of insurance capacity, a hot tub of reinsurance capacity, and a shot glass of retro capacity.
The cyber re/insurance market has remained as a P&C industry talking point due in part to the continued push of digitisation in the global economy and the quixotic objective laid before a burgeoning cyber re/insurance market: to solve the insurance implications of Industrial revolution 4.0.
As an outbranch of a largely regulatory third party breach cover, the cyber re/insurance market has struggled to grow at the exponential rate of demand. Reinsurance carriers have attempted to keep pace with a rapidly evolving peril, with traditional, static solutions.
Reinsurance axioms of geographic diversity and segmentation have been challenged by a global peril with myriad common single points of failure.
The reinsurance value chain is predicated on spreading risk across disaggregated counterparties, but with large, pseudo all-risk cyber policies (with multiple heads of cover, both third and first party), traditional methods of risk transfer have been stunted.
Exponential growth in demand is hampered by admirable, but linear, increases in reinsurance/retro aggregate supply. This demand/supply gap has only been increased with the hardening of the original cyber market.
All is not lost: the reinsurance market has experienced similar contractions of appetite/capacity in the past. Insurance product diversification, reinsurance/retro solutions focused on exposure segmentation, industry segregation, and a pivot from aggregate products to claims/occurrence solutions are accessible pathways to success.