A paper from re/insurance broker Capsicum Re explores attribution in cyber warfare

Cyber War

Traditional insurance market definitions need a reboot to embrace the reality of cyber as a hybrid war peril, and the market faces uncertainties around whether cyber-attacks should be indemnified despite lacking clear attribution, according to a new paper published by Capsicum Re.

The reinsurance market should take the lead in a debate about definitions that the insurance sector has so far largely avoided, the reinsurance broker suggested in its report “Cry cyber and let slip the dogs of war”.

To ignore the inadequacies of the status quo is to encourage a rise in legal disputes about whether cyber cover can be used when attacks that border on warfare take place while attribution of blame remains hard to prove.

“In the cyber space it is extremely difficult to attribute aggressive behaviour without doubt and even more difficult to pinpoint motivation,” said Anthony Cordonnier, head of cyber product management, Swiss Re, and chair of the International Underwriting Association’s cyber reinsurance committee.

“This in turn has led to difficulties in enforcing war exclusions in a fair manner. It is incumbent upon the insurance industry to demonstrate that it is not seeking an ‘easy way out’,” Cordonnier warned.

“Instead, we should be deploying our efforts to strive for contract certainty, and adapt war exclusions to reflect the realities of the modern world,” he added.

Attribution problem

Capsicum’s paper focused on exploring issues of attribution in the context of war and cyber.

“We believe that attribution presents the most uncertainty in the re/insurance of risks exposed to the cyber peril,” the paper said.

Even where a recognised ‘state of war’ exists, attributing specific cyber attacks to an aggressor may still present a challenge, Capsicum warned.

Acts of war, acknowledged as such, are typically uninsurable, making attribution in the event of a cyber-attack a focal point for insurers mulling indemnity for a claim.

If the market opts to refuse or reduce cover for state-sponsored attacks, whether proven, claimed, or otherwise suspected, the heads of cover would be of far less value, Capsicum cautioned.

“This is especially perilous to the emerging cyber insurance marketplace whereby the effect would be much the same if cover was limited or refused for attacks perpetrated by organised crime syndicates,” the paper said.

A definitive line must be drawn between insurable cyber losses and uninsurable acts of war, the broker said.

To this end, Capsicum suggested the concept of an “Attribution Line” – after which point an attack could be excluded (see image from Capsicum’s report).

Attribution line

The single critical requirement that must be fulfilled for an attack to cross the attribution line is that the responsible party must be identifiable, the report emphasised.

“Due to the well-known difficulties around attribution, cyber-attacks are currently very low consequence (and therefore very appealing) endeavours for states wishing to do harm to their enemies,” said Devin Page, head of specialty, Hiscox Re.

“The insurance and reinsurance communities must work together to prepare for the eventuality of cyber war by proactively creating fit-for-purpose exclusions that appropriately ring fence the loss potential to ensure the long-term sustainability of the market,” he said.

Ante bellum

The status quo for cyber war is unclear and needs revising, and reinsurance should lead the debate towards best practice and a ‘fit for purpose’ risk transfer market for cyber risks, the paper urged.

The report stated: “If the challenge of attribution prevents the market from clearly delineating between state-sponsored attacks and simple criminal or otherwise-malicious cyber events, then we are duty bound as a re/insurance market to focus on redefining what constitutes an ‘act of war’ and a ‘state of war’ in the context of ‘cyber as a peril’.”

Ian Newman, global head of cyber, Capsicum Re, commented: “Cyber is a peril, not just a class of business.

“The risk landscape has evolved and the historically well-defined line between excluded acts of war and otherwise covered perils has become blurred in the context of cyber.

“As a market it is our duty to redefine the boundaries to ensure that we are able to continue to provide certainty of cover to our clients,” said Newman.

Cyber Venn Diagram

The paper suggested removing existing war exclusions.

“Nonetheless, in the absence of a dedicated cyber war market, and until markets such as Lloyd’s and the large European reinsurers are prepared to accept cyber war risk onto their balance sheets, some form of cyber war exclusion will always be required by the re/insurance market,” said the paper.

The paper suggests rewriting war exclusions for cyber.

Capsicum lists “weaponised non-physical assets, for example covert, coded intelligence networks, and internet infrastructure, such as cloud service providers and their associated server farms”, as legitimate targets within the bounds of modern warfare.

The paper alludes to hybrid warfare in Ukraine, questioning at what point state-sponsored attacks become war.

“Prior to this point, hostile acts are simply that. The cyber reinsurance market should be prepared to provide reinsurance protection on this basis,” Capsicum said.

The broker proposes a “fresh look option” that avoids traditional insurance-led definitions of war, as well as potentially misleading and ambiguous references to cyber terrorism, and focuses on the issue of attribution.

Cyber terrorism is also already obsolete as a useful term, the paper’s authors argued, noting that cyber terrorism write-backs contradict war exclusions in “almost all” original policies.

“Furthermore, with direct reference to our ‘grey band of attribution uncertainty’, we argue that the term [cyber terrorism] itself is irrelevant in the context of delineation of insurable cyber-attacks and uninsurable ‘acts of war’,” said the report.

The reinsurance market should lead the debate to come, the paper urged.

“Cyber-insurance markets are yet to clarify what they offer by often failing to adequately include or exclude cover for war; we suggest that the reinsurance market has an opportunity to determine what the exclusion and coverage should look like,” the report said.

“Finally, we believe it is the reinsurance market that now has the opportunity to drive advancements and instil good and appropriate market practice, not just in relation to the issues of war, but in all aspects associated with the preeminent cyber threat,” concluded Capsicum.