Ukraine war could increase risk of cyberattacks
08 March 2022
Fitch Ratings, the American credit rating agency, has warned the risk of cyberattacks has increased following Russia’s invasion of Ukraine and may test the effectiveness of ‘war exclusion’ and ‘hostile act exclusion’ language in policies.
The agency says that the wording in policies, already under greater scrutiny following a recent court ruling that found an insurer liable for losses stemming from the 2017 NotPetya malware attack, may be further tested by Russia’s actions.
Fitch Ratings believes increased ransomware events have caused elevated losses; cyber insurance companies have responded by increasing premiums and requiring better cyber hygiene from policyholders, such as multifactor authentication.
This should help mitigate potential losses from the current war, but cyber insurance will have to evolve in kind to keep pace with the drivers of losses.
Fitch Ratings wrote: “The proliferation of potential cyberattacks from well-organized, state-sponsored hackers is elevated given the current war. Other P/C lines that may be affected include political risk and trade credit, property, marine, cargo, and aviation.”
According to Fitch, the NotPetya malware attack was largely attributed to Russian-linked hackers, with short- and long-term effects and billions of dollars in losses for global firms. Merck, the American multinational pharmaceutical company, suffered losses of Euros 1.27bn ($1.4bn); however, the claim was denied, citing the policy’s ‘all risk’ language.
Cyber policies for U.S. P/C insurers have typically included ‘war exclusion’ or ‘hostile act exclusion’ language, similar to P/C exclusionary language found in other property lines of business, stipulating that insurers cannot defend against acts of war.
However, Fitch said that a recent ruling in New Jersey by a Union County State Superior Court Judge concluded that Merck was entitled to summary judgment because the war exclusion language was not applicable.
Significantly, the ruling indicated that the contract language of the insurance policy had been virtually unchanged for many years despite the evolving and increasingly common threat of cyberattacks, which can emanate from not only nation states but also covert, nefarious private sources.
The fallout from Russia’s invasion of Ukraine is still ongoing, with multiple analysts predicting the war is likely to expose insurers in many different areas.