In 2017, Merck lost an eye-popping $1.3 billion when it got caught in the crossfire of a Russian cyberattack targeting Ukraine. The event, later dubbed NotPetya, was the largest cyberattack in history, costing $10 billion worldwide — economic damage akin to a medium-sized hurricane, or a small war. Western governments vowed to hold Russia accountable, yet none stepped forward to support the companies that were hit by the attack.
Insurance was more helpful — to a point. The insurance industry sells policies specifically designed for cyber incidents, but their scope and scale remain limited. Cyber insurance paid for just 3% of NotPetya’s global damage, leading some NotPetya victims to turn to other insurance policies with more ambiguous terms. For example, Merck invoked property and casualty policies that covered all manner of hazards without explicitly mentioning cyber incidents. These policies had so-called “war exclusions,” which barred coverage for damages due to “hostile or warlike actions” by governments or their agents. Many insurers cited these clauses to push back on the claims, triggering high-stakes legal battles that continue to this day.
NotPetya and the ensuing lawsuits made it clear that modern businesses face a level of cyber risk that vastly exceeds the protections they can rely on from either insurance or government relief. To address this shortfall, business leaders must work with insurers and policymakers to devise practical, long-term solutions. And in the short term, CEOs must prepare for cyber catastrophes as if no cavalry is coming — because for most businesses, there likely isn’t.
Prepare your company for today.
What does this look like on the ground? Companies should start by ensuring their cyber risk assessments include a geopolitical component. In the age of cyber conflict, international tensions anywhere can cause collateral damage everywhere.
High-profile companies are especially appealing targets for state-sponsored hackers looking to wreak havoc during geopolitical crises. These cyberattacks often target businesses seen as ambassadors of their nations (such as Bank of America) or those with politically active leaders (such as Las Vegas Sands). For other companies, cyber espionage is the bigger threat: state-backed cyber spies may seek intellectual property from advanced industries, or customers’ personal data from finance or travel companies. And even if you don’t fit into any of these categories, there is still a growing risk of scattershot ransomware attacks by state-sponsored criminals randomly impacting your business.
Armed with an understanding of the wide variety of geopolitical cyber threats that could endanger their business, companies should thoroughly audit their insurance coverage and have frank conversations with insurers and brokers about any war exclusions. These clauses are ubiquitous, but insurers who sell policies specifically tailored to cyber risk are currently much less likely to enforce them because they don’t want to scare off their customers. Also, exclusion language varies, so there may be room to negotiate. Many policies limit the scope of their war exclusions by carving out exceptions for “cyber terrorism,” a broad term that could potentially restore coverage for many state-sponsored incidents.
In addition to exploring ways to bolster their coverage, companies should also invest in developing resilience to cyberattacks. It will never be possible to have 100% confidence in your ability to prevent a state-sponsored attack, so it’s prudent to make plans to survive one. Standard measures like backing up data, segmenting networks, and practicing recovery plans focus on limiting the damage caused by an incident and speeding up recovery. But a company’s cyber resilience also depends on its overall resilience in other areas. For example, supply chain resilience can help a company survive if a key supplier experiences a cyber disruption. Similarly, financial resilience in the form of cash reserves or access to credit can help businesses pay bills after a devastating cyberattack — especially if insurance claims are stuck in legal limbo.
Invest in a long-term solution for tomorrow.
While these short-term moves are necessary, individual businesses can only do so much. The Carnegie Endowment for International Peace recently published a report on the systemic challenges posed by state-sponsored attacks and other cyber disasters. To gain a better understanding of the scope of the problem, we talked with leading companies, reinsurers, regulators, and academic experts about the financial fallout from events like NotPetya. Our conclusion? The private and public sectors must work together to develop a new financial framework to address cyber risk long-term.
The first step is to draft clearer and more practical terms for cyber insurance coverage. Ambiguity doesn’t help anyone. The coverage should reflect basic principles of insurability, while minimizing the role of vague concepts such as “warlike actions.” New policies could exclude certain specific catastrophic events based on their likelihood of exceeding insurers’ financial capacity.
For example, many insurers worry about “cyber-physical” events — that is, hacking incidents with major real-world consequences, such as a cyber disruption that impacts water treatment facilities, or Russia’s temporary disruption of Ukrainian power grids in 2015 and 2016. So far, these events have been rare and localized. But the risks are increasing as more and more physical systems are digitized. An insurance exclusion could specify these and other catastrophic events, whether caused by state actors, criminals, negligent employees, or lightning strikes. This would be clearer and simpler than today’s war exclusions, reducing the need for intensive litigation to determine coverage.
Next, governments can help ensure that robust cyber insurance is financially viable by providing last-resort coverage for extreme cyber events. Insurance experts have modeled some frightening possibilities that could test the limits of private markets. For example, analysts have determined that a worst-case scenario global malware outbreak could spread even faster and cause greater disruption across more industries and countries than NotPetya did. This could cost up to $193 billion — the financial equivalent of another Hurricane Katrina — and wipe out decades of insurance premiums in one fell swoop. For cases like this, governments could promise to pay for at least some of the excess damage, thereby backstopping the market.
No country has yet implemented a cyber insurance backstop, but the United States and others are studying the idea. There is ample precedent: several countries have backstops for terrorism insurance, and these programs can actually save taxpayer money. The coverage guarantee boosts both supply and demand for insurance, helping insurers build up a larger reservoir of premiums which in turn makes them more able to provide payouts when needed. And when a major disaster does strike, this financial reservoir goes directly toward funding recovery, so that neither governments nor insurers have to shoulder the entire burden alone.
Finally, while insurers and governments have a key role to play, the business community can’t afford to sit on the sidelines and wait for them to come up with new support systems. Companies should talk to their brokers and carriers today about what they would like to see in the new cyber coverage frameworks that are being developed. Policyholders must have a voice in setting clear, practical, and reasonable terms. Businesses can also lobby governments to support the cyber insurance marketplace by instituting backstop programs where necessary.
Cyberattacks pose serious risks — but businesses are not helpless in facing them. In the short term, business leaders can start to increase their preparedness by understanding their vulnerabilities and planning for worst-case scenarios. In the long run, companies will have to partner with insurers and governments to develop comprehensive solutions. There’s no avoiding cyber risks entirely, but the decisions we make today will determine if the next major attack means financial chaos or just a bad day at the office.