CYBER RISK & LAW

How Will Carriers React to a Cyber Attack by Iran?


By David Chavez, Attorney, CRISC | 1.8.2019 


The killing of Iranian General Suleimani has generated speculation that Iran could respond with a cyber-attack.  If that happens, expect that insurance claims filed as a result of damage from the attack will be denied by application of the war exclusion. Such denials would follow on the heels of a notable case filed against Zurich for its refusal to pay a property claim, in which Zurich invoked the war exclusion after damage caused by the notorious NotPetya virus. 

Many observers are skeptical of Zurich’s position in that case.  NotPetya is only one of the many viruses that have circled the globe, and Zurich’s denial is the most notable invocation of the war exclusion for a cyber-attack.  Like its forebears, NotPetya has not been claimed by any organization or government, including Russia.  While evidence points to Russia, the Russian government has not taken credit.  There is evidence, however, that the virus began its global infection in Ukraine, which was, and still is, at war with Russia over Russia’s asserted annexation of Crimea.

But if a cyber-attack occurs and Iran is fingered as the culprit, denials by carriers invoking the war exclusion will be supported by a different set of facts from the Zurich case. Here are the reasons this one will be different:

1. Iran will likely take “credit” for an attack.  Intelligence agencies attributed the NotPetya attack to Russian state players, a fact which, in combination with the identification of Ukraine as the target, precipitated Zurich’s denial.  And even though the US isn’t at war with Russia, Russia is still at war with Ukraine.  Typically, the war exclusion does not require that the policyholder reside in or be operating within the jurisdiction of one of the warring parties.  In fact, typically, the exclusion simply states that claims “resulting from war or a hostile action” are excluded from cover.  So, technically, a war between Russia and Ukraine can be the basis for a claim denial in the US if there’s a causal connection between the hostile act and the actual hostilities.

Many (but not all) war exclusions require that the hostile act originate from a de jure or de facto government or agency. Rogue operations or acts of terrorism are actually covered in those particular policies (if not otherwise excluded). If the Iranian government retaliates for Suleimani’s killing through a cyber-attack, I expect that they’ll take credit for it.  Even if they don’t, the US intelligence agencies will probably be able to identify the responsible parties and, if it’s Iran, then it is highly likely to be characterized as a “hostile act by a foreign de jure or de facto government”.

2. Any retaliatory strike will likely be targeted. NotPetya was, for lack of a better word, a wild virus.  Once it infected its Ukrainian target, the worm wriggled its way across the world, infecting systems across the globe.  In fact, there are reports that NotPetya even came back to bite Russia’s state-owned oil company Rosneft.  Despite the tremendous damage that NotPetya caused, its genesis was akin to an act of vandalism, or an act of arson, that had devastating consequences.

Wild virus exclusions used to be common, but fewer carriers are differentiating and excluding losses caused by them. Coverage expanded to include wild viruses mostly due to competitive pressure, but carriers continue to have a tough time credibly underwriting their exposure from a wild virus.  It is likely that they have determined that their aggregated risk is low considering that their underwriting includes questions about ubiquitous security controls that can reduce risk. Of course, any new virus written to subvert common controls is a highly uncertain risk, so carriers are learning to cope with ever-evolving security threats.

If Iran retaliates through a cyber-attack, one expects that they will target their efforts to affect military or strategic assets, not random US businesses.  Disruption of the US economy is not likely to get them much strategically, and it could be seen as non-proportional and merely provocative. However, if they do plan their attack to affect specific large enterprises, such as the stock market, or parts of the US utility grid, then yes, chaos may ensue, and the attack will trickle down to affect any system, enterprise or individual transacting with the attacked site.  The question then is, how will carriers react to “trickle down” effects from a cyber-attack?

3. Disruption will likely cascade from targeted sites, pulling into play additional exclusions and carve-backs.  If a cyber-attack is directed at the power grid, or the Federal Reserve System, any entity that is connected to such institutions will be affected.  And consequently, the suppliers, customers and clients of those entities will be affected.   

If a cyber-attack results in a cascading effect, then the overriding question will become one of causation.  Sure, the resulting chaos began with a cyber-attack which may have very well been an act of war, but does that necessarily mean that resulting losses and damages are excluded by the war exclusion?

An attack on the power grid, even one considered a “hostile act”, could still be covered under some policies.  While infrastructure losses are often excluded, some carriers provide a carve-back for cyber events, meaning that the exclusion does not apply to a defined cyber event. The question then becomes, what caused the loss – the hostile act or the failure of the infrastructure?  The loss began with a hostile act, so it would seem that the war exclusion would deny coverage.  But the carrier also anticipated an infrastructure failure and agreed to provide cover for such an event.  The issue becomes more acute when considering whether the targeted infrastructure failed to maintain security controls as anticipated by its customers and its carrier.

The threat of cyber war is a very real, 21st century threat.  And invocation of the war exclusion will no doubt infuriate policyholders that rely too heavily on risk transfer.  Policyholders need to take steps to prepare for the threat of war and a denial of coverage by their carrier. Some of those steps include:

1. Review your policy.  Understand the exclusions and ask for clarification from the carrier if you have any questions about cover.  Affirm that your limits are appropriate and determine whether sub-limits apply. If cyber risks are not mentioned in your policy, ask your carrier for its position on “silent cyber”. Be on the lookout for an “anti-concurrent causation clause” in your policy.  Such clauses serve to exclude claims if the claims arise from an excluded event, even if other parts of the policy provide some cover.

2. Review your risk profile and determine what is at risk in the event of a cyber-attack. Know the number, type and value of your assets that are at risk. Understand your supply chain and how security breaches could cascade into or out of your enterprise. Have an incident response plan in place.

3. Prepare your perimeter. Test your environment for vulnerabilities.  Review your security controls and ensure that all are up to date.  Run table-top exercises to make sure your team is prepared for an attack. Consider a red team exercise, designed to simulate an attack on your defenses.

Most observers expect that a cyber war is on the horizon.  Whether it begins with Iran or any other global hostilities, policyholders must be prepared by optimizing their environment and understanding the breadth and limitations of their cyber insurance.