What we know about the cybersecurity risks arising from the conflict in Ukraine, steps UK organisations should consider taking now, the insurance position and novel issues that might arise from Ukraine-linked cyber attacks.
What has been happening?
A few weeks into the war in Ukraine the cybersecurity implications for companies in the UK remain unclear, but some trends are emerging:
- Initial state-sponsored activity appears to be targeted purely by Russian groups at Ukraine, and vice versa. We have also seen the re-emergence of “hacktivist” activity (i.e. politically motivated attacks by individuals or ad hoc groups), aimed primarily at Russian interests.
- There was widespread alarm when one of the most prolific ransomware organisations, Conti, made public statements that it would launch “retaliatory” attacks in response to attacks on Russian critical infrastructure. However, since then a number of other hacker groups have made statements confirming that they have a neutral stance on the conflict (possibly due to concerns over the insurance implications of such statements – see below).
- There is a widespread expectation that attacks outside Ukraine will increase if the conflict is not resolved quickly and western sanctions remain in place. In the UK the National Cyber Security Centre (NCSC) and Government Communications Headquarters (GCHQ) have urged companies to exercise heightened vigilance. Attacks are thought likely to be directed primarily at critical infrastructure and other targets likely to cause maximum disruption, such as the SWIFT payments system.
- A particular area of concern is the risk that attacks will be focused primarily on causing maximum damage using destructive “wiper” malware. This was the approach adopted in previous attacks against Ukraine linked to the Russian GRU intelligence agency, including the well-known NotPetya malware in 2017, which is said to have caused losses in the region of $10bn to global companies. In the current crisis, researchers have identified attacks using a new “HermeticWiper” malware. These attacks pose additional risks for businesses because, once the malware has access to their systems, it is difficult for threat monitoring software to identify and isolate the malware before considerable damage has occurred.
So, whilst we are not seeing much cyber fallout from the Ukraine situation at the moment, there is a great deal of understandable anxiety about what might happen next.
What can businesses do to prepare?
Current industry and official guidance is to exercise heightened vigilance and, where possible, prioritise cyber security considerations over other competing business interests. This might include steps such as devoting additional internal resources to cyber security activities such as patching, and increasing the verbosity of logging notwithstanding storage considerations.
From a legal perspective, steps can include providing input into the adequacy of incident response plans and procedures, carrying out preparedness exercises, and reviewing supplier relationships to consider whether security concerns arise from those relationships and/or whether there is particular dependency on suppliers in high-risk industries or locations.
Can I get cyber insurance/will my policy pay?
The cyber insurance market was extremely hard even before the Ukraine crisis. Underwriters have very little appetite to accept claims directly related to the current geopolitical uncertainty. However, coverage for routine cyber risks remains available and is likely to still respond to many attacks attributable to Russian hacker groups which are not directly linked to the state.
Existing policies will contain war exclusions. Depending on the wording of the exclusions, there may be arguments that attacks by hacker groups linked to nation states fall within the scope of war exclusions. This argument was recently run unsuccessfully in the US in Merck v ACE, a case involving a claim for destruction of data under an all risks policy arising from the NotPetya malware, which had been attributed to the Russian GRU by the Ukrainian, US and UK governments. However, given the less insured-friendly approach adopted by the English courts, it is possible that traditional war exclusions may come into play for claims involving attackers who are clearly affiliated with a nation state.
Driven by the unprecedented claims arising from NotPetya, more recent policies often contain specific language dealing with the risks of hacking linked to nation states. For example, in December 2021 the Lloyd’s Market Association (LMA) released four clauses which tried to address the problem of attribution of claims arising from a “cyber operation” by a nation state. These clauses provide various levels of cover, from excluding liability completely to providing cover for damage caused outside the targeted state and/or sub-limits for liabilities arising from less serious attacks. Interestingly, the clauses deal with the question of attributing the source of an attack by giving primacy in designating the source of any attack to the government of the state which is the victim.
Many of these newer wordings are relatively untested and there is likely to be plentiful scope for disputes surrounding attribution (e.g. whether the attack can be linked to a state actor), causation (e.g. if malware affects unintended targets or ones outside the jurisdiction in question, is it still part of the same attack? What if it is misused by other entities?) and aggregation (e.g. if an organisation is hit by many attacks forming part of the same campaign, is that one claim or several?).
What are the legal issues if I do have a problem?
Attacks linked to the current crisis are likely to give rise to similar issues to the ransomware attacks many organisations will have become familiar with, such as crisis management, regulatory notifications and investigations, consumer notifications and follow-on data subject and third-party litigation risk. However, some specific points arise from the current situation:
- Although attacks involving wiper malware are unlikely to involve the exfiltration of personal data, if personal data has been destroyed, it will still be necessary to carry out a risk-based assessment to determine whether it is necessary to notify the Information Commissioner's Office (ICO), other regulators and data subjects.
- For attacks using more conventional ransomware (such as the 2017 BadRabbit attack, which was also linked to the GRU), payment of a ransom will not be an option due to sanctions. Even where attacks are not attributed to a nation state, the current sanctions regime still means that careful thought will have to be given to the potential impact of sanctions on both the malware group and the wallet used to effect payment.
- Victims of disruptive attacks which can be attributed to the Ukraine situation should give careful consideration to war and other force majeure provisions in their commercial contracts, both when assessing their liability exposure if they are unable to perform contracts due to a cyber attack and when seeking compensation from third-party suppliers whom they consider to be culpable.