Skip to main content
Article

Crisis in Ukraine: Cybersecurity risks and cyberinsurance implications

Cyber Risk Management|Financial, Executive and Professional Risks (FINEX)
N/A

By Jason Krauss , Dominic Keller, CISSP and Andrew Hill | February 24, 2022

The current situation between Russia and Ukraine has created a heightened risk of cyberattacks spreading to organizations outside of the conflict zone.

As the extent of the territorial invasion by Russia on Ukraine, now underway, is still in question, anecdotal evidence suggests that cyberattacks are already being used to destabilize Ukranian entities, with a heightened risk of attacks spreading to organizations located outside of the conflict zone.

On February 12, the Cybersecurity and Infrastructure Security Agency (CISA) issued a “Shields Up” risk declaration in response to the tensions between Russia and Ukraine. The alert highlighted several cybersecurity vulnerabilities that nation-state and cybercriminal actors may leverage and outlined steps organizations can take to reduce the likelihood of a damaging cybersecurity intrusion and ensure the organization is prepared to respond if such an intrusion occurs.

Further, just last week, the FBI and Department of Homeland Security warned government agencies, cybersecurity personnel and operators of critical infrastructure of the possibility of cyber-attacks against Ukrainian and U.S. Networks and to immediately report any suspicious activity.

Most recently, on February 20, an FBI report called on the U.S. private sector to be prepared for potential state-sponsored cyber-attacks to be launched by Russia. The report said that Russian actors "have used spear phishing and brute force cyber network attacks, while exploiting known vulnerabilities against accounts and networks with weak security." The report went on to specify that a variety of U.S. and international critical infrastructure, including entities in the Defense Industrial Base, Healthcare and Public Health, Energy, Telecommunications, and Government Facilities Sectors have been targeted. In fact, it has been reported that several Ukrainian government websites were offline on February 23 as a result of a mass distributed denial of service (DDoS) attack and that a number of banks were impacted. Although the source of the attack has not been confirmed, Russia is suspected. This comes on the heals of a reported attack last week that took down four government websites. Russia did deny responsibility for this attack.

What should you do

Despite significant uncertainty on how the situation may evolve, organizations should be aware that they may be the indirect victim of cyber-attacks or malware may spread far beyond the geographical or organizational boundaries intended. Russia’s offensive cyber capabilities are high and potential attacks may include zero-day vulnerabilities or highly sophisticated attack methods. In particular, destructive malware (such as the Non Petya which irretrievably encrypted data) and technology supply chain attacks (such as the Solarwinds incident) can cause significant financial, operational and reputational impacts to organizations. To address the key risks posed by this enhanced threat environment, we recommend organizations focus on the following cyber risk management priorities:

  • Employee awareness: Spear phishing techniques are a common method in which an attacker gains access to an organization’s network and can launch cyber-attacks. Employees should be advised to be on heightened alert for suspicious emails (especially those appearing to require urgent action) and not to click on any external links within emails unless they are verified to be authentic.
  • Data and system backup strategy: Organizations should review their backup management strategy to ensure that critical assets and systems can be restored in accordance with defined business requirements.
  • Critical asset and privileged account management: Once identified, critical assets and privileged access should be protected with higher levels of authentication and access requirements. Limiting privileged account access to only business critical needs, alongside active management of domain administrator and service accounts, will reduce the risk of a cyber incident escalating and spreading across organizational systems.
  • Technology supply chain management: Numerous recent cyber-attacks have targeted technology service providers, greatly increasing the impact of a cyber incident across multiple organizations. Awareness of critical 3rd party technology providers and understanding of their impact on critical business functions will provide organizations with greater capability to effectively respond to an incident involving these providers.
  • Detection, event management and incident response strategy: Ensuring effective incident detection, management and response can greatly decrease the operational impact of a cyber incident.

Insurance implications and considerations

Most, if not all, cyber insurance policies contain a war exclusion of some description. Given the current situation, it is natural that organizations will want to understand how their cyber policy will likely respond in the event of a loss caused by a cyberattack alleged to have been deployed by or on behalf of the Russian state.

While it is not possible to offer a direct answer to that question because the language in war exclusions can vary and the interpretation of such exclusions is subject to the applicable law of the contract, what can be said is that, where there is any suggestion that the Russian state was in some way behind a cyberattack leading to any loss under a cyber policy, the insurer of that policy will almost certainly take a very careful look at the potential application of the war exclusion.

Securing an insurer’s agreement to remove the war exclusion from a cyber policy is very unlikely for a number of reasons, including concerns about systemic loss associated with war. There are, however, several important considerations that should be taken into account when assessing the potential scope of a war exclusion:

  1. War and more?: War exclusions citing events beyond ‘war’ that do not necessarily suggest armed combat (for example ‘hostilities’ or ‘the imposition of sanctions’) might, it could be argued, be broader in scope than war exclusions that only reference what might be described as armed combat (e.g. ‘military force’ or ‘invasion’). The events listed in the war exclusion require careful consideration.
  2. Causation: The lead in causation language used in war exclusions could materially impact how they are applied. While terms such as ‘arising from’, ‘in any way involving’ or ‘directly or indirectly caused by’, will be interpreted differently from one jurisdiction to the next, any language addressing the casual link between the events described in the exclusion and the loss should be considered carefully. For example, the phrase ‘directly or indirectly caused by’ depending on the jurisdiction, could be construed as only requiring a limited causal connection. Language connoting direct causation only arguably limits the potential application of the exclusion (subject always to the applicable law).
  3. Cyber terrorism carve back: War exclusions in cyber policies will, on occasions, include a carve back for ‘cyber terrorism’. Definitions of what amounts to ‘cyber terrorism’ do vary, but, generally speaking, the coverage is limited to cyberattacks deployed by individuals or groups with particular ideological goals rather than by or on behalf of nation states. Naturally, establishing whether a cyberattack is part of a wider war effort or pursuant to terrorist activities requires an assessment on attribution. Careful consideration is required, in terms of establishing those events falling within the war exclusion and those falling within the meaning of ‘cyber terrorism’.

Clients are advised to work with their broker to review their cyber insurance policy and discuss potential coverage options. The FINEX Cyber Risk Solutions Team can provide organizations with tailored consulting services designed to align cyber risk management with business objective and deliver cost-effective cyber risk resilience.

Disclaimer

Willis Towers Watson offers insurance-related services through its appropriately licensed and authorized companies in each country in which Willis Towers Watson operates. For further authorization and regulatory details about our Willis Towers Watson legal entities, operating in your country, please refer to our Willis Towers Watson website. It is a regulatory requirement for us to consider our local licensing requirements.

Authors

FINEX Cyber/E&O Thought and Product Coverage Leader, North America

Global Team Leader, Senior Consultant, FINEX Cyber Risk Solutions Team

Executive Director, Product Innovation Lead | Coverage Specialist, Cyber & TMT

Related Capabilities

Contact Us