It was widely reported last week that Russia launched cyberattacks against several Ukrainian financial services firms, government websites and media outlets.
While details of the attacks are still emerging, concerns have been raised globally on two fronts: the potential for attacks to spread to networks beyond Ukraine, intentionally or not; and whether Russia will take direct aim at Ukrainian allies.
The potential for cyber threats to global organizations is compounded by the fact that Ukraine has emerged as a major provider of critical information technology services in recent years.
What we know about the attacks
The Wall Street Journal reports that wiper malware — known as HermeticWiper — was deployed on February 23, the same day the Kremlin launched air and land attacks against parts of Ukraine. The malware is designed to erase data from the systems it targets.
In addition, researchers indicate that a massive distributed denial of service (DDoS) attack also disabled the websites for Ukraine's defense and foreign ministries, the Council of Ministers and Ukraine's largest commercial bank.
Ukrainian residents also reported what appears to be a misinformation campaign: fake text messages claiming that ATMs in the country were not working.
U.S. Government Advisory
In response to the Russia-Ukraine conflict, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued its Shields Up advisory, with technical guidance for strengthening cybersecurity in the face of increasing cyber threats. The guidance is aimed at corporate leaders and includes specific advice to empower chief information security officers in senior leadership discussions, lower thresholds for reporting suspicious activity and support business continuity efforts by practicing incident-response plans.
While there is no evidence of a specific or credible threat against the U.S., CISA's Shields Up advisory provides the following best practices for preventing, detecting, mitigating and responding to potential attacks:
Reduce the likelihood of a damaging cyber intrusion
- Validate that all remote access to the organization's network and privileged or administrative access requires multi-factor authentication.
- Ensure that software is up to date, prioritizing updates that address the known exploited vulnerabilities identified by CISA.
- Confirm that the organization's IT personnel have disabled all ports and protocols that are not essential for business purposes.
- If the organization is using cloud services, ensure that IT personnel have reviewed and implemented strong controls outlined in CISA's guidance.
- Sign up for CISA's free cyber hygiene services, including vulnerability scanning, to help reduce exposure to threats.
Take steps to quickly detect a potential intrusion
- Ensure that cybersecurity/IT personnel are focused on identifying and quickly assessing any unexpected or unusual network behavior. Enable logging so that issues or events can be investigated more effectively.
- Confirm that the organization's entire network is protected by antivirus/antimalware software and that signatures in these tools are updated.
- If working with Ukrainian organizations, take extra care to monitor, inspect and isolate traffic from those organizations; closely review access controls for that traffic.
Ensure that the organization is prepared to respond if an intrusion occurs
- Designate a crisis-response team with main points of contact for a suspected cybersecurity incident and roles/responsibilities within the organization, including technology, communications, legal and business continuity.
- Assure availability of key personnel; identify means to provide surge support for responding to an incident.
- Conduct a tabletop exercise to ensure that all participants understand their roles during an incident.
Maximize the organization's resilience to a destructive cyber incident
- Test backup procedures to ensure that critical data can be rapidly restored if the organization is impacted by ransomware or a destructive cyberattack; ensure that backups are isolated from network connections.
- If using industrial control systems or operational technology, conduct a test of manual controls to ensure that critical functions remain operable if the organization's network is unavailable or untrusted.
Leveraging cyber insurance
Cyber insurance and other insurance policies may help organizations that believe they were victimized by cyber threat actors. Many standalone cyber policies provide access to crisis services, including breach coaches, IT forensics investigators and several other breach response experts.
Organizations with cyber insurance should be mindful of claim reporting obligations, requirements to use insurance panel breach response vendors, evidence preservation and issues that may impact attorney-client privilege.
Navigating the cyber insurance market
As our clients navigate the cyber insurance application process and policy renewal cycle, they should be aware of rapidly evolving cyber insurance products, which may affect the scope of insurance coverage. The war in Ukraine is likely to accelerate cyber insurers' recent focus on the war exclusion.
Our earlier article about the war exclusion clause noted the wide variance in the wording of cyber insurance policies' war exclusions and that small wording differences can have big effects on coverage.
A recent judicial decision involving the war exclusion in a property policy sharply illustrates the importance of policy language. The court rejected a coverage denial for the NotPetya attack — a decision that could cost the insurers more than $1 billion. The court interpreted some of the war exclusion's looser, more ambiguous language ("hostile or warlike action") as applying solely to traditional kinetic warfare.
While the decision involved a property policy, the relevant language is common in cyber policies as well. Cyber insurers will likely revisit their war exclusions and consider tightening the wording to narrow coverage, out of concern that broad-based, government-instigated attacks could cause them catastrophic losses. A few cyber insurance markets — the Lloyd's Market Association most publicly — have already revised their war exclusions to restrict or eliminate coverage for state-sponsored cyberattacks. The recent NotPetya decision, especially in light of the war in Ukraine, will almost certainly accelerate that trend.
The hardening 2022 cyber insurance market has spurred cyber insurers to use various methods to reduce their cascading losses, including restricting coverage. Some of those restrictions have been direct and obvious, others indirect and subtle.
Changes to the war exclusion have generally been indirect and subtle, with unpublicized, seemingly minor wording tweaks that can have significant impact. Insureds should be aware, for example, that having a cyberterrorism carve-back to the war exclusion does not necessarily protect them in these kinds of attacks: coverage depends on the specific wording.
The events described above are a reminder that buyers of cyber insurance must remain both vigilant and nimble in detecting and responding to insurers' multi-pronged efforts to narrow the scope of their coverage.