Will your cyber insurance cover you if a cyber-attack is an act of war?

Quorum Cyber has already written about the increased potential for phishing attacks using the conflict in Ukraine as a lure (see our Threat Intelligence piece ‘Security Guidance: Ukraine Russia 2022‘), but will your current cyber insurance pay out if your organisation is hit by a cyber-attack?

It should come as no surprise that cyber insurance costs have risen sharply in recent years. That’s a direct consequence of the rise in the number of cyber-attacks and threats every year and the damage they can potentially cause to organisations of all sizes.

Cyber doesn’t respect boundaries and so collateral damage can be, and historically has been, inflicted on unintended targets. Unfortunately, because of the war in Ukraine, exemption clauses within cyber insurance policies come into effect meaning that, should you be impacted by a cyber-attack which is instigated by, or related to, parties involved in the conflict, then your insurance provider has the right not to pay out for any related expenses incurred in responding to, and recovering from, the incident.

Quorum Cyber has checked several different cyber insurance policies from different providers and, so far, all of them have contained exemptions for paying out if the incident is in any way related to a national conflict, irrespective of whether war has been officially declared or not.

Even before Russia invaded Ukraine, company bosses were becoming increasingly concerned about the growing risks of cyber-attacks on their business’s health. According to the Allianz Risk Barometer 2022, the 11th year of the report, “cyber perils” are the number one concern for companies globally this year. Published in January 2022, the insurance company’s report says that cyber incidents rank in the top three perils for businesses in most of the 89 countries it surveyed, with “the recent surge in ransomware attacks” driving this worldwide trend.

So, while cyber insurance should cover any financial losses and legal costs, it won’t guarantee that cyber-attacks don’t damage your business in the first place.

The bottom line is, as with all insurance policies, the devil is in the detail. It’s highly recommended that you read any insurance policy before you sign on the dotted line. Furthermore, if you already have a policy it’s worth digging it out and checking the small print.

Overall, a three-pronged approach is best: train your employees in how to minimise the risk of making mistakes that could lead to a breach in the first place, partner with a qualified and experienced cyber security company so that your organisation is protected by experts equipped with the latest security technologies, and buy a cyber insurance policy that covers you as comprehensively as possible in today’s unpredictable digital environment.