Cybercrime and cyberespionage activity continue to proliferate against all industries and sectors, inflicting financial and material damage on targeted networks. Cyber insurance has assisted in mitigating the impacts of cyber malfeasance, offsetting costs associated with recovering from cyber attacks. A Government Accountability Office report found that the increasing severity and frequency of cyberattacks led more organizations to seek cyber coverage, which has been increasing in price as the volume of attacks continues to escalate regardless of the motivation and intent of the individuals behind them. Some expect the cyber insurance market to surge significantly headed into 2031, with an estimated compound annual growth rate of 23.78%. It’s evident that organizations acknowledge that, in a digital world, cyber insurance is a necessary complement to existing security strategies to reduce their risk. However, the average price for cyber insurance rose 79% in the United States in the second quarter of 2022, after having doubled in each of the previous two quarters, showing that insurance is becoming an expensive option, with carriers adjusting what they cover accordingly.
What is further adding insult to injury is the position that many cyber insurers are adopting with respect to hostile cyber attacks affecting their clients as a result of what they identify as “cyber war.” In the wake of elevated cyber attacks driven by geopolitical events, many companies are rejecting claims from their clients as damages caused by cyber war and, therefore, not covered by policies. Indeed, in August 2022, prominent insurer Lloyd’s of London announced that its insurance policy would no longer cover any losses determined to originate from nation-state attacks, or similar acts of war. Similarly, a 2023 ruling in New Jersey found that the damage suffered by pharmaceutical company Merck as a result of the NotPetya attack did not have to be paid by the insurers because the U.S. government had determined that it was the result of a foreign government.
For there to be “an act of war,” there must be some level of attribution sufficient to assign culpability to a state government. Cyber attribution is notoriously difficult, and often requires a substantial investment of time and diligence to uncover the true perpetrators. While attribution efforts have improved over time, attribution is still an imperfect practice, even at the government level, where officials rarely share how they determined actor attribution because they must preserve classified sources and methods. While this may be understandable, it does require those without that special access to “trust,” even though governments may have larger, political reasons to make such determinations public. Clever states can implement “false flag” operations, wherein actors attempt to obfuscate their true identities by making it appear their actions were the work of another state, potentially causing mistakes in actor identification.
In the case of Lloyd’s, the company accepted government attribution as sufficient to treat any state-on-state action that caused substantial damage as an act of war. But this is not to say insurance companies will rely on governments to assign blame for hostile cyber malfeasance, as they are not bound by governments’ definitions. For example, Lloyd’s defines cyber war as “cyber operations between states which are not excluded by the definition of war, cyber war, or cyber operations which have a major detrimental impact on a state.” The policy does not require any confidence of government attribution, which gives insurers liberal scope when determining whether an incident is cyber-war related.
But what about state actors engaged in an attack during a period of tension but short of an armed conflict? The Russian-attributed BlackEnergy, Industroyer, and NotPetya attacks all occurred during periods of geopolitical tension between Russia and Ukraine, impacting critical infrastructure and, by extension, affecting civilians. Though these occurred long before the 2022 Ukraine invasion, they do highlight the complexities of state cyber attacks against another state, particularly with respect to trying to determine the intent behind the attacks (purposeful destruction or minor disruption?) and quantifying the actual effects caused as a result of them. Were they deployed as instruments to conduct (cyber) war or just mechanisms to signal state animosity toward another state? Geopolitical tensions and area hotspots that spill over into cyberspace will invariably elicit similar hostile activity, some of it state driven or state sanctioned via proxies, and not all of it intent on perpetrating “cyber war.”
In much the same way insurance companies helped codify another abstract causation – Act of God – so they may play a part in helping states on the international level codify the parameters by which cyber war and cyber attack can be legally defined. The Act of God clause was instrumental in providing a legal definition for those accidents or other natural phenomena that are caused without human involvement and could not have been prevented by reasonable foresight. When attempting to define cyber war, similar challenges arise in trying to contextualize a multi-faceted and enigmatic issue that has roots in traditional warfare, geopolitics, and the ability to inflict substantial specific, as well as collateral, damage. What’s more, failing to have such a definition has enabled cyber hostilities to continue unchecked on the international stage. NATO made some headway in trying to rein this in when it acknowledged that a cyber attack could trigger Article 5 of its defense clause, but stopped short of defining what that attack would look like. What’s left is an enigmatic “red line” that if crossed could warrant retaliation, although what that is remains largely unknown, both to NATO and cyber aggressors.
For several years, the United Nations’ Group of Governmental Experts (GGE) and Open-Ended Working Group (OEWG) have tried to codify responsible state behavior in cyberspace, and while there has been consensus that International Humanitarian Law applies to cyberspace, there has been less success in obtaining consensus when it comes to the specifics of cyber-related definitions, which has hindered progress. There may be a hesitancy to commit to any specific codification that could restrict states’ abilities to operate independently as they attempt to bolster and protect their own strategic interests and objectives. Still, the longer such terms go undefined, the more “acceptable” it will be for these types of cyber hostilities to continue without any meaningful way to deter and punish them. State-driven cyber attacks will continue, with watchful eyes seeing if an attack or campaign crosses an equally undefined “red line” that prompts a measured response.
The more international insurance companies gravitate toward not covering damages resulting from “cyber war,” the more they may ultimately help codify what cyber war is, even as nation states continue to wrestle with the concept. Generally, insurance policies exclude coverage for losses from war-related activities, as such events are out of the control of the policy holders. Similarly, insurers consider that losses or damages that result from state actor attacks or are the product of geopolitical conflict are not to be covered by cyber insurance policies for the same reasons. This is why prominent cases like Zurich Insurance v. Mondelez and Merck v. ACE American may ultimately prove pivotal in setting precedent as to what constitutes a cyber act of war, and succeed where UN GGE and OEWG efforts have stalled. Just as the private sector is finding that it cannot separate itself from the larger geopolitical landscape, so may governments find that the private sector will be the driver of how to codify what goes on against it and will set standards that governments may tweak but ultimately follow. When it comes to issues in cyberspace, most believe public-private cooperation is essential to dealing with the threats that transpire within the digital domain. Given what’s happened with respect to insurance claims, this sentiment may extend to state policies as well.