The heightened cyber security threat from Russia

In advance of and following the Russian attack on Ukraine, the threat level of cyber warfare has very materially increased.

16 March 2022

In advance of the Russian invasion of Ukraine, there was widespread concern about massive cyber “blow-back” from Russian cyber actors in response to any Western sanctions. The worst-case scenario does not appear to have arisen so far, but the threat level has very materially increased. However, the threat from Russian cyberattacks on Ukraine is not a new one, nor are the ramifications of those attacks for the rest of the world.

In 2015, after the Russian invasion of the Crimean Peninsula, suspected Russian hackers launched a large-scale attack on Ukraine’s power grid and managed to knock out electric power for around 230,000 people in western Ukraine.

On 27 June 2017, NotPetya introduced the world to a new era of cyber warfare. It began as an assault by Russia targeting electronics and computers in Ukrainian hotels, hospitals, government offices etc., but it quickly affected the rest of the world, eating into multinational companies and causing total damages of more than $10bn.

Hours before Russia’s invasion of Ukraine, wiper malware, since named HermeticWiper, was deployed in attacks against multiple Ukrainian organisations. The following day IsaacWiper was launched against a Ukrainian government network. Despite IsaacWiper only being used in attacks from 24 February, researchers at cybersecurity company ESET have identified details in IsaacWiper’s code suggesting that it has been available since October, further implying that the attackers infiltrated the target networks some time before IsaacWiper was delivered.

There have been various smaller incidents: phishing campaigns targeting organisations trying to help Ukrainians fleeing the war, and coordinated campaigns targeting US firms that supply natural gas. It is widely accepted, though, that all-out cyber war has not yet broken out.

Following Russia’s attack on Ukraine, the National Cyber Security Centre in the UK has called on organisations in the UK to bolster their online defences, providing guidance which outlines actionable steps that organisations should be taking anyway, such as making sure they have a well-tested disaster and recovery plan. The FCA, ICO and the Law Society have also given their own guidance.

What should you be doing right now?

Each and every organisation should be investing in the security of the individuals within their organisations as that is normally where the risk lies. The following action points are strongly recommended:

  • ask staff to ensure passwords are unique to their organisation and not one they use across the internet;
  • ensure contracts and staff handbooks communicate clearly how staff handle data and maintain security;
  • encourage instant internal reporting and whistleblowing and ensure proper disciplinary sanctions are in place for those ignoring the policies and placing the organisation at cyber risk;
  • check the incident response plan is up to date and test it to ensure it reflects the current situation;
  • confirm the escalation routes and contact details are all up to date;
  • ensure you know who to make notifications to, e.g. regulators, individuals, shareholders, insurers; and
  • understand the longer-term risks involved, e.g. litigation risk.

Insurance considerations

A further consideration arising from the cyberattacks is insurance. One of the companies whose computer systems were infected by NotPetya in 2017 was Mondelez, with its total damages estimated at more than $100m. However, when Mondelez filed a claim for those costs with its insurer Zurich, its claim was denied on the grounds that NotPetya was a warlike action and therefore excluded from its insurance coverage. Whilst the ensuing lawsuit remains undecided, insurance carriers and policyholders remain in a state of uncertainty about what types of cyberattacks their coverage does and does not apply to, and about the application of ‘Acts of War’ exclusions and political risk insurance more generally. The Superior Court of New Jersey held in Merck & Co., Inc., et al. v. ACE Amer. Ins. Co., et al. that the Acts of War exclusions did not prohibit coverage for a cyberattack, on the ground that the attack did not involve “traditional” warfare. However, the decision relies upon case law rendered before the Internet existed and before “cyber” was even a word, indicating that the reasoning is backwards and may not be upheld. Until the Mondelez lawsuit is decided, policyholders should be aware of coverage gaps that may exist and should speak to their insurers about carving back these exclusions on the appropriate policies and/or consider purchasing Difference-in-Conditions policies to fill this gap in coverage.