Russian War in Ukraine Making Waves in U.S. Cyber Insurance Scene; Cyberinsurance and War Clauses

The Russian invasion of Ukraine has far-reaching consequences, and in our interconnected world both the insurance and technology sectors are already bracing for impact.

Russia’s hyperactivity in both state-sanctioned and unofficial digital interference present a new variation on an old theme: that tech develops alongside human aggression. It’s no wonder then, that we’re seeing an evolution in insurance, both in terms of cyber event deterrence and in terms of an evolving discussion of covered events and payable claims.

As we dig into the effects of current events as they relate to the insurance industry, keep in mind we’re insurance nerds and not lawyers, and you’re responsible for your own legal research and compliance, and this summary is not intended to be a substitute for legal advice. Any cited sources in this article are credited, as applicable, however, occasionally we miss giving credit where credit is due, in which case, please reach out so we can correct, as needed. That said, allons y.

Russian hacking empire

Russia is hardly the only world power that uses digitally invasive techniques as a means of affecting their political allies and enemies. However, they do seem to have the largest share of ransomware gangs. 

Well before the country’s invasion of Ukraine, Russia was a hotbed of hackers and ransomware artists who were either ignored or encouraged by the government to exploit vulnerabilities in digital protections the world over. It’s what happens when you have an educated population with few jobs available to them.

So, as Prime Minister Vladimir Putin wages war on Ukraine, it’s not a stretch to think Americans – and anyone who opposes a Russian war in Ukraine – should be preparing for a digital onslaught. True to form, cyber experts have seen an uptick in cyber incidents across the U.S., although notably it’s not the full-out assault U.S. officials have warned of.

What does this have to do with insurance?

There are a few intersections between war and insurance. We’re digging into two facets of the discussion in this blog, cyberinsurance and insurance industry preparedness regarding cybersecurity.

Let’s start with cyber insurance, and, more broadly, “war” clauses in insurance contracts. Historically, insurance carriers frequently have war clauses that absolve them of financial responsibility in a contract if an event that would otherwise be insured is the result of an act of war.

In laypeople terms, that probably seems pretty straightforward. “OK, insurance carriers don’t want to be on the hook if a plane drops a bomb on your building.” And that’s a totally valid thought. But something to be mindful of is that the American judiciary has historically interpreted war clauses fairly broadly.

The Vietnam War, for instance, wasn’t a “declared” war, and Congress never issued a formal declaration of war. But, when considering property and casualty (P&C) insurance contracts covering supply chains and Vietnam agricultural investments, U.S. courts agreed carriers weren’t liable for damages that were (or even may have been) caused by U.S. planes.

Life insurance carrier contracts may also have war service exemptions, such as that in the 1955 Christensen v. Sterling Ins. Co. case. In that, the Supreme Court of Washington decided in favor of the insurance company. Feel free to read the decision at the Casetext link, but the TL;DR: A man in the U.S. military service died in an automobile accident in Alaska in 1952, when the U.S. was engaged in the Korean War. The court upheld the insurance carrier’s exemption that said “If the Insured shall die from any cause while in Military, Naval or Air Service of any country at war … the Company shall be liable only for a refund of the premiums paid, or the reserve … whichever is the greater…”

Cyberinsurance and the Russian conflict in Ukraine

These high-level historical hijinks become hyperrelevant when assessing insurance carriers’ cyber coverage contracts. 

This isn’t an American war, although America has certainly weighed in with sanctions against Russia. But, just because there aren’t U.S. troops and it doesn’t involve American soil doesn’t mean the U.S. won’t see any repercussions. While we’re already seeing supply chain disruptions and oil companies have used the crisis to justify increased prices and profit margins, the warned-about potential for increased cyber activity like ransomware and hacking may also cause heartburn even for those with cyberinsurance.

These questions and the likelihood of cyberinsurance coverage for Russian hacks were raised recently in a March 23 Insurance Journal event, Raising the Bar on Cybersecurity. Jeff Dennis of NewMeyer and Dillon ventured an answer that was en flique for legal and insurance nerds everywhere: “It depends.”

“Not all war exclusions are written in a uniform manner,” Dennis deferred. “Can we directly attribute the event to the Russian government? Did it target a U.S. company or is it more of a spillover event…? Is a specific declaration of war needed?”

Changes to insurance and cyber regulation

So, there’s perhaps no single answer as to the efficacy of cyber coverage when it comes to war. Yet, there are still a few certainties: The war in Ukraine has increased the pressure on the insurance industry to lead the charge on cybersecurity. 

Most recently, the White House signed new cyber reporting requirements for 16 different industries – including insurance and financial services – as part of an omnibus legislation. While these regulations are by no means the most extensive proposed, Congress clearly decided not to let “perfect” be the enemy of “a good start” in this legislation, driven in no small part by Russian aggression.

The requirements are more or less limited to mandatory reporting for cyber incidents, but it’s a start to coordinate an approach and get a comprehensive look at how attacks are happening and any commonalities in the data.

Even prior to the new regulation, many have started to see insurers as “de facto regulators” in the cyber space, so much so that the University of California – Irvine has a team dedicated to researching just that topic. The idea is so compelling that it served as the backdrop for a White House cybersecurity summit, which brought insurance professionals into Washington to discuss how insurance carriers can and are affecting the behavior and basic cyber hygiene of the infrastructures they insure.

The bottom line is that anyone looking for insurance coverage when it comes to their digital assets will need to be proactive in protecting their systems well before filing a claim. An ounce of prevention in this case is starting to look like it’s worth a pound of premium. Ha.

This trend was already the case well before Russia fired shots in Ukraine. But for those who had spotted the growing trend already, you can probably place a good bet that the war will quickly accelerate an emphasis on modern tools and data protection.
If you’re looking for ways your business can migrate into a modern century without taking on outsized risks to your data practices, check out what AgentSync can do for you.