
Cyber War, Undefined By Military, Rationalized By Insurers

by Ronan Mouchoux
January 11, 2022
in Articles, Cyber Insurance, Cybercrime, Risk Management

Abstract

  • Major Cyber Insurers now exclude Cyber Operation and Cyber War from coverage.
  • International Laws of Armed Conflict do not define what “cyber war” is.
  • A pricing surge and a flood of exclusions make customers question the relevance of Cyber Insurance.
  • Cyber Insurers will have to remodel their underwriting and mindset to address the real risks of the 21st century.

Cyber Insurance does not insure against Cyberattacks (?)

Over the last year, the cyber-insurance market has been seriously shaken. After almost two years of ransomware epidemics, $416M in 2020 and $590M in the first six months of 2021 alone were paid in ransom, according to the US Treasury. Cyber Insurers had to reshape their protection policies and double or triple the cost of their premiums, with the threat of contract termination.

In the past few months, in addition to strongly limiting coverage of ransomware attacks, Lloyd’s of London made the headlines by adding to its exclusion clauses four cases regarding Cyber War and Cyber Operation.

But what is a “cyber war” or a “cyber operation”? Does a state-sponsored cyberespionage campaign fall into those categories? Would a data leak performed by a hacktivist be considered an act of terror? At some point we can even ask ourselves: what does cyber insurance really cover?

Cyber War and Insurance

War. Beyond movies, series and books, war is first and foremost defined by law. “The rules of engagement”, jus in bello. It defines what a war is, how you can rightfully start one, and what you are allowed to do during operations. It is now settled in the International Humanitarian Law (IHL), also referred to as the Laws of Armed Conflict. And cyber is not included in them.

Military and Defense observers always seem reluctant to use terms such as “cyber war”, “cyber conflict” or “cyber terror”.

“Cyber war has never happened in the past, [that] cyber war does not take place in the present, and [that] it is unlikely that cyber war will occur in the future”

Thomas Rid, Journal of Strategic Studies, Volume 35, 2012.

But some disagree, sometimes for philosophical reasons, and sometimes, for other interests.

NotPetya 2017 attacks and Insurance Exclusion

You may recall this gigantic wiper malware attack in 2017, dubbed NotPetya. This cyber attack, disguised as a ransomware operation, was in fact a sabotage operation performed by the hacker group Telebots/GreyEnergy.

One striking example was the Mondelez case. When Mondelez was hit by approximately $100 million in remediation costs, its insurer (Zurich Insurance) cited the “war exclusion” to avoid paying out on the policy.

Collateral damage of cyberattacks on civilian population

Nation-state and terrorist cyber operations have always been a tricky area for Cyber Insurance. The systemic nature of cyber makes those risks harder to quantify, and thus harder to make sustainable actuarial trade-offs on. An attack performed by a state or by terrorists that hits critical infrastructure can indirectly affect corporations and civilians.

Some Military and Defense observers may object that cyber war is a buzzword used by lousy politicians and fear-based moneymakers, but some cyber operations do affect populations just as a war does. The Red Cross, for example, did extensive research and documentation about the potential human cost of cyber operations. From their perspective, the International Humanitarian Law does apply in cyberspace, which logically opens the discussion about the concept of cyber war.

Cyber Attack Attribution: a tool, or a weapon?

The difficult exercise of cyber-attack attribution is well known to specialists. The fog of the matrix leaves only very few institutions in the world capable of building a strong attribution backed by solid evidence. Cyber attack attribution is first a political matter, before a technical one. And this evidence might be either too secret to be disclosed or too complex to be understood by the general public. The validity of the attribution may just be summed up as this: how much do you (want to) trust the one making it? Without attribution, to a State or to a backed mercenary group, the qualification of “Cyber War” is out of reach.

This shadowy condition leads to another trust issue. When an insurer invokes the “war exclusion” clause for a cyber-attack, based on political attribution, the question about their underlying motivation will necessarily arise. A cynical interpretation could be that the insurer wants to cut all risky operations, when people really need them, to preserve their margin on unnecessary products and coverage.

Insurers have greater purposes than just making money

The concept of Insurance as “Mutual Rescue” has existed since the first commercial exchanges by the Babylonians, the Chinese and the Indians. It then expanded with the “bottomry loan”, when the Greeks and the Romans borrowed money from banks and, if their venture failed, did not have to pay it back.

Insurers have always played a role in the search for protection by civilian populations or merchants. Nowadays, with corporations redefining or signalling their “social purpose” or “raison d’être”, insurance companies may be wise to think twice about their role in our society, which is pervasively cyber.

2022 may be the year where they enforce too many limitations in their offering, up to the point where people might lose the understanding of their purpose and stop tolerating pricey coverage that does not appear to keep their company secure. Or the year where they remodel their underwriting and mindset to address the real risks of the 21st century.

Tags: Cyber Strategy, Cyberespionage, Destructive malware, Geopolitics, Human & Societies, Systemic Risk, Warfare
