The war in Ukraine raises a question for general counsel about the adequacy of their organization’s cybersecurity liability coverage, says an attorney who helps companies stay safe against ransomware attacks and other risks.
Many cybersecurity policies include a provision exempting carriers from having to pay their insureds if a breach is war related, Newmeyer Dillion Partner Jeff Dennis said in an interview.
Although each policy exemption is considered on a case-by-case basis, such a provision could mean any breach that’s attributed directly or indirectly to a state-sponsored actor could leave an organization exposed.
Given the heightened threat posed by the Russian war in Ukraine, which could ensnare organizations in the United States because of the economic sanctions the federal government has imposed on Russia and the military assistance it’s providing to Ukraine, companies could find their coverage inadequate.
"The last thing you want to happen is to think you’ve got a great cyber policy in place, get hacked by a Russian-backed state agency or someone who’s directly tied to the Russian government, and have your insurer come back and say we have an exclusion per the language of the war exclusion,” Dennis said.
Declaration of war
If the exclusion is narrow, general counsel will have a clear idea of the risk their organization faces and whether they should pursue new coverage.
"There are policies which require an actual declaration of war, so that’s very limited,” Dennis said. "Depending on the language, if there’s no formal declaration of war from Congress, the exclusion may not apply.”
The last time Congress issued a declaration of war was almost 80 years ago, during World War II. Since then, conflicts involving the U.S. military have been conducted on the basis of resolutions and other authorities.
But some policies might not require a formal declaration or they contain language that can make coverage ambiguous.
"For some carriers, it will be a general, vague war exclusion that you could argue for years and years in terms of whether it applies to one of these attacks or not,” he said.
Even though the U.S. isn’t a formal combatant in the conflict, the federal government has asked the private sector to step up its cyber defenses against the heightened risk environment stemming from the war.
"The Russian government is exploring options for potential cyber attacks.” President Biden said in a March 22 statement. "My administration will continue to use every tool to deter, disrupt and, if necessary, respond to cyber attacks against critical infrastructure. But the federal government can’t defend against this threat alone.”
Much of the administration’s concern is over the security of the country’s critical infrastructure – power grids, nuclear plants, fuel pipelines – which is mostly privately owned, but companies and organizations in all industries are potential targets.
"If you have not already done so, I urge our private sector partners to harden your cyber defenses immediately,” Biden said.
Along with the statement, the administration released a list of best practices for organizations to harden their cyber defenses, including using multi-factor authentication, maintaining data backups and encrypting.
As best practices, the measures don’t have the force of law but counsel can expect insurers to use these and other standard practices in deciding whether, and at what cost, they’ll make cyber coverage available.
"These cyber defenses that are called out in the fact sheet are not new,” Dennis said. "They are already the basics of reasonable cybersecurity. Multi-factor authentication has become a low baseline. If you don’t have this, don’t even apply; you’re not going to get coverage. In a lot of ways, the insurance companies are pressing cybersecurity defenses through their refusal to underwrite certain risks.”
The type of coverage an organization can get and at what cost depends on a number of factors, including the size of the business, the amount of data, whether the data is intellectual property or personal information, and so on. But no matter the particulars, counsel can expect insurance to be more expensive and the application process more technical than just a few years ago.
"Three or four years ago, when ransomware payments were $10,000, $15,000, $20,000, insurance carriers didn’t spend a whole lot of time pushing back against their insureds for payment of ransomware,” he said. "But if you’re talking about millions of dollars of ransomware coverage, now it’s a different economic conversation. Insurance companies are not in the business of losing money. So they take a harder look.”
Counsel thinking about changing or updating their coverage can expect an application that’s 10-15 pages long rather than the 1-2 pages that used to be the case. And the underwriting is far more involved. If you say your company trains employees on security best practices, for example, be prepared to show proof.
"A lot of insurance companies will do their own external audits of your systems that are based largely on AI and the like before they’ll place a policy,” Dennis said.
The administration’s best practices can also be expected to set a baseline if your organization gets breached and you end up in court.
"If companies don’t have these [best practices] already and they suffer a data breach, they will have trouble explaining to a court or a jury or regulator they have reasonable cybersecurity in place,” he said. "It’s just another reminder to companies that they need to be paying attention to this stuff. Sticking your head in the sand is no longer a defense in the cybersecurity space.