A definitive line must be drawn between insurable cyber losses and uninsurable acts of war in order to provide certainty of cover to our clients. Our latest white paper focuses on this. “Cry Cyber and let slip the dogs of War”: Exploring the issues of attribution in the context of War and Cyber considers the difficulty surrounding attribution of losses following a cyber incident, why this presents a real challenge to (re)insurers, how we can begin to address the issue and why the role of a reinsurer is crucial in reaching a working and accepted solution.
The evolving nature of cyber-risk has blurred the previously well-defined line between covered perils and excluded acts of war. For example, the 2017 NotPetya cyber attacks, purportedly carried out by state actors targeting Ukraine, raised unresolved questions about what constitutes an ‘act of war’ in the context of cyber attacks. High-profile litigation ensued, which has amplified the discussion and revealed the real-world implications of this debate.
The main issue of war in the context of cyber stems from an attribution problem: the lack of either a credible or traditional identifiable party claiming responsibility for a cyber attack, or the inability to determine the proximate cause of a loss event. The (re)insurance market cannot rely on traditional reference points such as time, location, and attributable actors responsible. Cyber not only transcends traditional lines of business, but also challenges the very concept of war as the (re)insurance market understands it, arguably rendering current war exclusions unfit for purpose.
Traditionally an act of war goes beyond the realm of insurable interest. As such, attribution – identification of the parties involved – becomes a critical test of whether indemnity can or cannot be provided following a cyber attack. With subterfuge, misinformation, and third-party proxies, the attribution test can seem fluid. The market must strive to define the ‘Attribution Line’ at the crossroads between the unattributed and attributed.
It is equally essential to re-define what constitutes an act of war. Existing definitions are framed in the context of humanity’s historical conflicts, and traditionally demand ‘armed conflict between two or more parties, generally characterized by extreme violence… using regular or irregular military forces’.
We argue that weaponised non-physical assets such as coded intelligence networks and internet infrastructure could and should be considered in the definition of war. Activities deploying the internet and other non-physical assets to cause non-damage business interruptioncould be considered ‘cyber warfare’. An ‘act of war’ can be carried out only by parties in a ‘state of war’, and the conflict must fulfil at least some of the associated characteristics of ‘war’, but these criteria are not as clear cut as they have been.
Cyber is a peril, not just a class of business. We believe the reinsurance market has an opportunity to drive advances and instil appropriate practice, not just in relation to war-related issues, but in all aspects of the cyber threat. Our new paper does not pretend to offer definitive answers, but we hope it will encourage positive market dialogue and I welcome your feedback and views
Download the white paper here.