On June 30, 2020, NetDiligence’s panel of experts took up the topic of Cyber War and Terror as part of the Virtual Summer Summit. Led by moderator Erica Davis (Guy Carpenter), panelists investigated the challenges of clarifying cyber policies to create uniform and fair exclusions in an environment where threat actor identities, intentions, and affiliations may be hidden, and territorial boundaries may lack meaning.
Panelists Keith Wojcieszek (Kroll) and Matthew Prevost (Chubb) led off with a discussion of how cyber attacks make simple questions about attribution difficult. Wojcieszek noted that threat actors rarely take public responsibility, so determining where an attack comes from or who has perpetrated it may be problematic. Actors may have multiple affiliations, working for one nation state, but moonlighting for an unaffiliated terrorist entity. Furthermore, different stages of an attack may be perpetrated by individuals in different locations or with different affiliations. Prevost added that these questions may even be superseded by uncertainty whether an attack has even occurred.
Once an attack has been confirmed, what seems to be a straightforward case of a bad actor attempting to extort money from a company may quickly cascade into a situation where a region’s systems and infrastructure are affected. If the attack cripples the energy or finance sector, shuts down government or healthcare, or paralyzes transportation infrastructure, is the attack an act of terrorism? Wojceiszek suggests that intent matters. Are system failures the main target or collateral damage? What happens when the collateral damage spreads to other territorial regions as failures cascade through multi-national companies?
Looking beyond technical considerations, Cyrus Delarami (MunichRe) added that defining war or terrorism depends on political and legal systems as well. The determination of exclusions may depend on government response to attacks, but this laborious process may create intolerable delay. Forensic investigation may be hampered if evidence is classified, slowing the insurer’s ability to get a client back up and running. Finally, if an attack spans multiple jurisdictions, making a determination will be impacted by multiple (possibly inexperienced) court systems.
Wendy Davis (WillisTowersWatson) provided a useful comparison regarding exclusions from her long experience in property/casualty lines, stating that attribution is not as great an issue there, because these lines will focus more on results/damage. Delarami noted that this impact-based approach as a solution is being actively discussed in the industry. If intent and attribution cannot be well-defined, loss thresholds may provide a clearer benchmark.
More analysis and consensus are desirable, and the 2019 renewal of TRIA shows that US legislators would agree. As part of its renewal, the act called for more research: How can the industry analyze vulnerabilities and costs associated with attacks on infrastructure? Is covering cyber under property adequate? Can risks be adequately addressed by private underwriters? Despite the number of knotty questions facing the industry, the panelists see the opportunities for development. And, the panel ended with optimism on one point: clarity of language can be achieved with greater collaboration.