Who to Blame for a Cyber-Attack?

Some 2,300 business interruption suits have been filed related to COVID-19, and a massive cyber-attack would surely produce even more – and more confusing – suits.


A picture is worth a thousand words – and in today’s world can conjure a thousand theories.

On Sept. 26, a series of leaks and explosions in the subsurface Nord Stream pipeline produced foam in a half-mile radius across the Baltic Sea and endless discussion across social media, mostly revolving around one key consideration: Who was responsible?

It seems like a simple question, but in today’s polarized environment that is laden with geopolitical strife, it has proven to be anything but. More than three months later, the definitive cause for the event has not been identified as the probe continues.

While first-order disruptions from Nord Stream were largely confined to the property damage on the pipeline itself, the subsequent controversy and uncertainty stemming from this incident represent some of the problems that increasing geopolitical fragmentation can cause, and could be a harbinger of much bigger headaches to come, specifically in the digital realm.


Physical to Digital: What Attribution Issues May Be on the Horizon?

The next big cyberattack won’t create ripples in a body of water; it could create a tidal wave of supply chain disruptions, lost revenue and considerable disorder for both targeted entities and anyone else in their orbit.

And when it comes to the insurance claims that would inevitably follow, the same question may arise: Who was responsible?

This issue of attribution with respect to cyber risk could have major implications, and it is worth considering, following the release of four draft model clauses from Lloyd’s Market Association’s (LMA) Cyber Business Panel. These clauses, per Bulletin LMA21-042-PD, would "provide Lloyd’s syndicates and their (re)insureds (and brokers) with options in respect of the level of cover provided for cyber operations between states which are not excluded by the definition of war, cyber war or cyber operations which have a major detrimental impact on a state."

While there are differences across the four drafts, one consistency involves attribution in the below paragraph:

“Pending attribution by the government of the state (including its intelligence and security services) in which the computer system affected by the cyber operation is physically located, the insurer may rely upon an inference which is objectively reasonable as to attribution of the cyber operation to another state or those acting on its behalf (emphasis added). It is agreed that during this period no loss shall be paid.”

While there are a number of legitimate paths for an insurer to assign responsibility for a cyber-attack, it could get tricky in a coverage dispute, especially if it is left to an insurer to designate the responsible entity – or government (for more on this, this article from DWF does an excellent job presenting more specific questions and considerations involved in attribution).

For one, experts in the cybersecurity space have said that planting false flags to steer an investigation into the origins of a cyber-attack is not a tall order. This uncertainty is compounded by the political implications that would inevitably be involved with assigning blame for a cyber-attack at a large scale. What if the opinion of an insurer’s cybersecurity attribution expert differs from the assessment released by a country that was victimized by the attack?

Additionally, the bill for an insurer to assert that there is no coverage in the event of a large-scale cyber-attack could rapidly escalate. Consider how expensive it would be to retain expert witnesses that can convincingly identify the culpable parties to enable a coverage denial for an insurer, and then multiply that by the number of policyholders desperate for indemnity in the aftermath of a systemic cyber-attack.

While the peril was different, COVID-19 business interruption claims could offer a benchmark for what could be on the horizon. Even with exclusions in place in many cases, the number of lawsuits filed by policyholders seeking coverage for claims resulting from COVID-19 is over 2,300, according to the University of Pennsylvania Carey Law School’s COVID Coverage Litigation Tracker. It stands to reason that there would be just as many – if not more – policyholders seeking coverage in the event of a massive cyber-attack.

Ultimately, while these questions and considerations arise with respect to a specific provision as part of an LMA draft clause, the issue of attribution and cyber risks in general is one that all risk management professionals may want to think about.

David Geller

David Geller is a product and compliance specialist at Obsidian Insurance Holdings, a program insurance fronting platform.

Geller’s experience has crossed through a number of functions, including claims, underwriting, compliance, product development and product strategy.

For three years at ISO, Geller was focused primarily on the emerging risk environment, publishing numerous articles, speaking at industry conferences and developing product solutions to help the insurance industry stay ahead of the most important emerging risks.

