While the extent of Russia's territorial invasion of Ukraine, now underway, is still in question, anecdotal evidence suggests that cyberattacks are already being used to destabilize Ukrainian entities, with a heightened risk of attacks spreading to organizations located outside of the conflict zone.
On February 12, the Cybersecurity and Infrastructure Security Agency (CISA) issued a “Shields Up” risk declaration in response to the tensions between Russia and Ukraine. The alert highlighted several cybersecurity vulnerabilities that nation-state and cybercriminal actors may leverage and outlined steps organizations can take to reduce the likelihood of a damaging cybersecurity intrusion and ensure the organization is prepared to respond if such an intrusion occurs.
Further, just last week, the FBI and Department of Homeland Security warned government agencies, cybersecurity personnel and operators of critical infrastructure of the possibility of cyber-attacks against Ukrainian and U.S. networks and to immediately report any suspicious activity.
Most recently, on February 20, an FBI report called on the U.S. private sector to be prepared for potential state-sponsored cyber-attacks to be launched by Russia. The report said that Russian actors "have used spear phishing and brute force cyber network attacks, while exploiting known vulnerabilities against accounts and networks with weak security." The report went on to specify that a variety of U.S. and international critical infrastructure, including entities in the Defense Industrial Base, Healthcare and Public Health, Energy, Telecommunications, and Government Facilities Sectors have been targeted. In fact, it has been reported that several Ukrainian government websites were offline on February 23 as a result of a mass distributed denial of service (DDoS) attack and that a number of banks were impacted. Although the source of the attack has not been confirmed, Russia is suspected. This comes on the heels of a reported attack last week that took down four government websites. Russia did deny responsibility for this attack.
Despite significant uncertainty on how the situation may evolve, organizations should be aware that they may be the indirect victim of cyber-attacks, or that malware may spread far beyond the geographical or organizational boundaries intended. Russia’s offensive cyber capabilities are high and potential attacks may include zero-day vulnerabilities or highly sophisticated attack methods. In particular, destructive malware (such as NotPetya, which irretrievably encrypted data) and technology supply chain attacks (such as the SolarWinds incident) can cause significant financial, operational and reputational impacts to organizations. To address the key risks posed by this enhanced threat environment, we recommend organizations focus on the following cyber risk management priorities:
Most, if not all, cyber insurance policies contain a war exclusion of some description. Given the current situation, it is natural that organizations will want to understand how their cyber policy will likely respond in the event of a loss caused by a cyberattack alleged to have been deployed by or on behalf of the Russian state.
While it is not possible to offer a direct answer to that question because the language in war exclusions can vary and the interpretation of such exclusions is subject to the applicable law of the contract, what can be said is that, where there is any suggestion that the Russian state was in some way behind a cyberattack leading to any loss under a cyber policy, the insurer of that policy will almost certainly take a very careful look at the potential application of the war exclusion.
Securing an insurer’s agreement to remove the war exclusion from a cyber policy is very unlikely for a number of reasons, including concerns about systemic loss associated with war. There are, however, several important considerations that should be taken into account when assessing the potential scope of a war exclusion:
Clients are advised to work with their broker to review their cyber insurance policy and discuss potential coverage options. The FINEX Cyber Risk Solutions Team can provide organizations with tailored consulting services designed to align cyber risk management with business objectives and deliver cost-effective cyber risk resilience.
Willis Towers Watson offers insurance-related services through its appropriately licensed and authorized companies in each country in which Willis Towers Watson operates. For further authorization and regulatory details about our Willis Towers Watson legal entities operating in your country, please refer to our Willis Towers Watson website. It is a regulatory requirement for us to consider our local licensing requirements.