There is “great concern” in the insurance marketplace about the potential for a “systemic” cyber attack following Russia’s invasion of Ukraine on February 24, 2022.

This is according to Rob Rosenzweig, senior vice president and national cyber risk practice leader at specialty broker Risk Strategies.

“The conflict between Russia and Ukraine is making the cyber landscape all the more volatile—and it wasn’t a pretty place to begin with,” Rosenzweig told Intelligentinsurer.com.

He added that he was urging all his clients to be on heightened alert. “We have seen, over the years, a lot of cyber crime emanate from that part of the world Eastern Europe, and whether it’s nation state-sponsored or not we expect that there will be increased activity.

“In terms of the insurance marketplace, there is great concern over the potential systemic impact if we were to see a nation state-sponsored attack that impacted an industry, or a section of the world.”

Rosenzweig urged re/insurers “to do everything they can to make sure that they have the right controls implemented” to protect themselves against such an attack. For example, he recommends that firms make sure that they frequently patch “zero day vulnerabilities”, which refers to an exposed part of a system or device that is known about but remains vulnerable to attack until a patch, or fix, is issued by the vendor and installed by the user.

Unknown territory

When it comes to cyber as an insurance line, Rosenzweig said that for the time being everyone is monitoring the situation very closely. He hasn’t seen any wholesale changes in underwriting strategy as a result of the Ukraine crisis, and he added that underwriters were already being fairly discerning in their qualitative analysis of insurance risk management controls before the invasion.

This is partly because of the rapid growth in digital network use over the past two years and the greater frequency and severity of cyber threats, and ransomware in particular.

“Policies have been fairly well buttoned up with war exclusion. That being said, if something were to happen we enter fairly uncharted territory. We haven’t had global conflict like this in decades, but this issue isn’t foreign to the insurance industry,” he said.

“It’s something we’ve had to grapple with, on more traditional lines of business such as property, if there was physical damage to cities or locations due to war or any sort of conflict of that nature. But this is the first time that cyber warfare has been in play as part of a global conflict.”

There have been large-scale cyber attacks on infrastructure before, such as the Colonial Pipeline ransomware attack in 2021, which caused fuel shortages in the US.

But true global cyber warfare remains unknown. How could insurance policy wordings or coverage change to accommodate this kind of threat?

“The challenge here is the ambiguity,” Rosenzweig said. “What do war and cyber warfare truly mean? With reference to some of the attacks we’ve seen over the last few years, it’s always a challenge with a cyber attack to attribute who was behind it.”

The top insurance priority is getting a business back up and running, and minimising the cost impact and the reputational impact of any loss, he said. Attribution comes somewhat secondary to that. But given the nature of how easy it is to disguise where an attack is emanating from, and criminals moving in territories that don’t have extradition treaties, attribution often doesn’t happen, he explained.

“Even if we are able to attribute an attack, what’s the difference between a nation state-sponsored group versus an actual declared war? That’s where the ambiguity comes into play and unfortunately I don’t know that we’ll know the answer until it happens.”

Rosenzweig drew a distinction between an incident such as Colonial Pipeline, “which certainly has a systemic impact” and cyber warfare. With the Pipeline attack “it was one organisation being expressly targeted, even if it was by a nation state-sponsored actor”, he explained.

“If we’re talking about what we would historically, traditionally, think about as war, we’re not necessarily in a situation where it’s one company or organisation being specifically targeted. But it could impact an entire part of the global economy and that’s really where the insurance industry is going to have challenges managing that systemic risk.”

There is precedent for such potential damage and global reach.

In 2017, the NotPetya malware attack on Ukraine spread far beyond the initial victim’s borders, hitting companies around the world. This is the type of threat we could see again, Rosenzweig confirmed.

But, he said, there has probably been a perception over the last five or 10 years among many businesses that they were an unlikely target for a nation state-sponsored threat actor.

“You might not expressly be the target but that doesn’t mean you’re not collateral damage. If we take the NotPetya example, Ukraine was the intended target, but many global businesses were brought to their knees—not because that threat group was expressly targeting them, but because they ended up being collateral damage.

“We have to change that way of thinking and realise that all companies are targets, especially when we’re dealing with a zero day vulnerability in technologies that are widely utilised by businesses of all sizes and across all industries; it’s indiscriminate.”

Growth in standalone cyber

Rosenzweig said that the industry as a whole has made a decent amount of progress on addressing the issue of silent cyber over the last few years. This is where potential cyber exposures can be found in traditional property and liability insurance policies, which may not implicitly include or exclude cyber risk; it is also referred to as non-affirmative cyber.

“We’ve seen a great deal of movement in having exclusionary language added to property policies, general liability policies, etc, to clarify the intent that they were never meant to cover any cyber threats,” he explained.

There is now a lot less ambiguity or potential for silent cyber to bleed into other lines of business, he said, adding that he expects even greater movement on this topic, “which increases the need for businesses to think about preparing a true standalone cyber policy to deal with data security and privacy threats”.

Standalone cyber policies are already a growth sector, and Rosenzweig thinks they will continue to be one.

“It’s been a challenging market over the last 18 to 24 months as there needed to be some corrective action because of where premiums were historically, and some of the breadth of coverage. The market is making good progress in getting back to a point where the industry as a whole feels better about being able to do this profitably.

“There’s been a lot of pain and friction for our clients in that process, but certainly there’s great awareness as to why these changes needed to happen.

“Once we have a bit more stability there I expect this to be a real growth area, because if not the top, it’s one of the top risks that all our clients, regardless of industry or size, are concerned about.

“It is keeping them up at night, insofar as what could bring their business to a grinding halt,” he concluded.