When Is a Cyberattack an Act of War?
Published on Nov 28, 2023
The nature of warfare is always changing. One of the most recent developments involves the use of cyberattacks by government-sponsored actors. These attacks lead to the question: when is a cyberattack an act of war? And, perhaps more importantly for many businesses, when is a cyberattack ineligible for insurance coverage due to war exclusions?
Not all hackers are lone criminals working in secret to make a quick profit or take down their enemies – some criminal groups are backed by governments.
According to Strategic Risk, state-sponsored cyberattacks typically aim to commit espionage, disrupt services, or identify and exploit vulnerabilities in national infrastructure. However, attacks may also seek monetary gain to fund future attacks by targeting customer data from private businesses. Russia and China are behind most state-sponsored cyberattacks, but the North Korean and Iranian governments are also known to sponsor attacks.
Several well-known attacks have been linked to government-sponsored groups, including the WannaCry ransomware attack that disrupted NHS facilities in the UK along with many other organizations around the world. According to the Council on Foreign Relations, the US, the UK, Australia, Canada, and Japan issued statements accusing North Korea of being behind the 2017 attack. In 2018, the U.S. Department of Justice announced criminal charges that alleged North Korean entities were responsible.
State-Sponsored Cyberattacks and the War in Ukraine
State-sponsored cyberattacks often increase during times of war. This appears to be the case with the war in Ukraine.
The National Cyber Security Centre says Russia appears to be behind a series of cyberattacks that started at the same time as the invasion of Ukraine. One such attack was against Viasat, a commercial communications company. Although the attack targeted the Ukrainian military, it impacted personal and commercial users as well as wind farms in central Europe.
According to a report from Google’s Threat Analysis Group, Russian government-backed attackers have launched an aggressive and multipronged cyber campaign that includes an increase in spear-phishing to target NATO countries. The report predicts with high confidence that Russian attacks will continue against Ukraine and NATO partners.
Labeling Cyberattacks as Acts of War
Although some cyberattacks are sponsored by government entities – and an increase in cyberattacks may even be associated with a declared war – identifying cyberattacks as acts of war is not always simple.
One issue is that the source of the attack may not be immediately known. Other issues involve definitions of what counts as an act of war. These definitions have evolved in recent years as cyberattacks have become a greater threat. In 2010, NATO officially recognized that cyberattacks could reach a threshold that threatens national and Euro-Atlantic prosperity, security, and stability. In 2014, NATO endorsed a new cyber defence policy that means a cyberattack could be grounds to invoke Article 5 of NATO’s founding treaty.
State-Sponsored Cyberattacks and Insurance Coverage
Determining whether a cyberattack counts as an act of war may have significant geopolitical implications. It can also impact insurance coverage.
As Investopedia explains, a war exclusion clause in insurance policies excludes coverage for damages related to war or similar activities. Standard insurance policies commonly include war exclusions because insurers might be unable to remain solvent if they have to pay for thousands or millions of claims associated with largescale war. Organizations that need war coverage may be able to purchase a standalone policy.
War exclusions aren’t limited to property and business interruption policies. According to Dark Reading, cyber insurance policies also typically include war exclusions. Insurers have used these exclusions to deny coverage, such as when companies filed claims for NotPetya malware. According to the Brookings Institution, the NotPetya attack has been blamed on Russia and is believed to be part of the conflict between Russia and Ukraine, although its impact spread beyond the region.
The New Lloyd’s Cyber War Exclusion
Lloyd’s of London has new requirements for state-backed cyberattack exclusions in standalone cyberattack policies. Among other things, the new requirements say standalone cyber policies must exclude losses arising from war, regardless of whether the war is declared. Policies must also provide clear definitions of all key terms. Insurers must include the new cyber war exclusions in new policies and renewals from March 31, 2023.
According to Insurance Journal, the introduction of the new cyber war exclusion was met with criticism and confusion. S&P Global says some insurance buyers are even questioning the value of cyber insurance in light of the new exclusions. However, Insurance Journal notes that the most commonly-used cyber war exclusion does not exclude state-sponsored attacks unless certain requirements are met, including that the insured digital assets are located in a state that has experienced a major detrimental attack.
Securing Cyber Insurance
Since many cyberattacks are state-sponsored, it’s important to understand how a particular cyber insurance policy will treat such attacks. The bad news is policies may exclude attacks that can be considered acts of war. The good news is cyber insurance policies are starting to define these terms more clearly to ensure policyholders know what their policies cover and can avoid lengthy legal disputes.
Do you need help securing cyber insurance for your clients? Costero Brokers offers creative solutions to help you solve your clients’ coverage challenges. Contact us.