Insurers have been tightening their war exclusions and clarifying attribution requirements, especially after the recent court win by Merck over reimbursement of its losses from 2017’s NotPetya malware attack. “However, in DBRS Morningstar’s opinion, attribution of cyber warfare remains a challenge because it places the onus on the insurer to demonstrate that a cyber incident was actually performed by a state actor or its
proxy in the absence of official confirmation from intelligence agencies in the targeted country,
which could take an impractical amount of time to obtain (this information may also never be
disclosed for security reasons). Nevertheless, we expect that insurers and reinsurers will continue to
clarify their cyber war exclusions to face the new realities of state-sponsored cyberattacks.
Although cyber insurance claims are likely to increase for the European and North American
insurance industry in the context of the Russia-Ukraine conflict, given the increasing sophistication
of cyber insurance underwriting, reduced limits and capacity, and the relatively low participation of
cyber insurance products in overall portfolios, losses resulting from cyber claims should remain
manageable for our rated insurers and reinsurers.”