Dive Brief:
- The Russian invasion of Ukraine will put significant pressure on the global cyber insurance market as malicious attacks by state-linked threat actors create risk for multinational companies, critical infrastructure providers and government targets with data loss and business disruption.
- Fitch Ratings said the Ukraine conflict will test the effectiveness of "war exclusion" and "hostile act exclusion" language. Contract language is under additional scrutiny following a recent court ruling in favor of Merck. The pharmaceutical giant won a major victory regarding $1.4 billion in cyber insurance claims stemming from the 2017 NotPetya attacks.
- The Ukraine conflict could place pressure on global supply chains and commodity prices, squeezing the insurance industry, according to a report from AM Best released last week. The conflict could raise the risk of a systemic cyberattack and lead to higher prices in an already hardened market.
Dive Insight:
The warnings come at a time when cyber is playing a high-profile role in the Ukrainian invasion. Russia has targeted Ukraine with malicious cyberattacks for years and threat actors have already unleashed data wiping malware against hundreds of targets.
U.S. officials have warned repeatedly in recent weeks about the threat of Russia-linked actors targeting private industry and critical infrastructure providers with ransomware, malware or exploiting vulnerable systems.
The Ukraine invasion will not necessarily cause a spike in new claims, but not every claim will turn out the same, according to Jim Auden, managing director and head of US P&C Insurance at Fitch Ratings. He said insurance providers should operate under the assumption there is little protection to work with.
"To what degree cyber premiums will increase is still too early to tell," Auden said via email. "We may have more clarity in the coming weeks, though a sharp increase is not out of the realm."
Companies are already tightening internal cybersecurity policies to reduce risk, Auden said.
Fred Eslami, associate director at credit rating agency AM Best, said this may be the first major conflict where activist hackers are actively using cyber to disrupt the war effort by targeting Russian government and industrial sites.
"As for coverage, however, there is something of a gray area as evidenced by the protracted court cases in the NotPetya attack aftermath, so there could be different interpretations if these activists are considered state actors or otherwise," Eslami said via email.
Even before the Ukraine crisis led to a full scale invasion, cyber insurance issuers were under pressure to raise premiums and tighten underwriting criteria. Insurers have had to respond to a wave of ransomware and supply chain attacks against private industry and critical infrastructure providers in the U.S. and other countries.
"Regardless of the crisis in Ukraine, companies of all sizes will likely be seeing higher premiums and stricter underwriting this renewal season," said Annmarie Giblin, a partner at Hinshaw & Culbertson LLP.
The changes were not only related to higher cybersecurity risks due to COVID-19, the Ukraine conflict and other risk factors, Giblin said. There are also changing "reasonableness" standards of what an effective cybersecurity risk management program should include.
Prior to the Ukraine invasion, cyber risk has been one of the most important concerns for the European insurance industry as well.
"As attacks on financial institutions increased over time, [now] it is increasingly important that the industry intensively puts its focus on the management of cyber risk," a spokesperson for the European Insurance and Occupational Pensions Authority said via email.
Late last year, Lloyd's slashed cyber insurance coverage for state-sponsored attacks, however it remains unclear how that will impact the U.S. market given the Merck ruling.