Client Advisory: Cyber Alert – Russia / Ukraine Conflict

Check your cyber insurance policy and incident response plan

March 2022 

With the increased risk of cyber attacks on U.S. companies following the Russian invasion of Ukraine, McGriff recommends that businesses review their incident response plans and cyber insurance policies. In this advisory, we will highlight a few of the most critical warnings and concerns and provide general context for you and your executive management to consider from an insurance perspective. As always, promptly direct any questions about your risks and current insurance coverages to your McGriff team.

Updated Office of Foreign Assets Control (OFAC) Guidance

As reported by CNN, minutes after President Biden announced new sanctions on Russian banks and elites on Feb. 22, a senior FBI cyber official asked U.S. businesses and local governments to be mindful of the potential for ransomware attacks. David Ring went on to say that Russia is a "permissive operating environment for cybercriminals – one that is not going to get any smaller" as Russia's confrontation with the West over Ukraine continues and further sanctions are announced. Disclosure 1 1 https://www.cnn.com/2022/02/22/politics/russia-sanctions-fbi-cyber-threats-ransomware/index.html

Scott Ferber, a partner at McDermott Will & Emery, LLP and member of the firm’s Global Privacy & Cyber Security team, told McGriff that the Russia-Ukraine conflict creates unique considerations for ransomware attacks. U.S. persons generally are prohibited from engaging in transactions, directly or indirectly, with individuals or entities on the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) Specially Designated Nationals and Blocked Persons List, other blocked persons, and notably those covered by comprehensive country or region embargoes. On Sept. 2021, OFAC issued an Updated Advisory Disclosure 2 2 https://home.treasury.gov/system/files/126/ofac_ransomware_advisory.pdf to highlight the sanctions risks associated with ransomware payments in connection with malicious cyber-enabled activities. The advisory also provided proactive steps companies can take to mitigate such risks. Discuss with your breach counsel any OFAC implications resulting in a cybersecurity incident.

The federal government is waging an all-out offensive against ransomware OFAC sanctions. As noted in the Updated Advisory: “This is creating a tricky minefield in which entities who pay a ransom, or are involved in paying one (such as financial institutions, cyber insurance firms, and digital forensics and incident response firms), could violate OFAC regulations, resulting in a significant civil money penalty (CMP) on top of the reputational and financial fallout from the ransomware attack itself. Considering that 2021 OFAC CMPs totaled $20.9 million, including six fines over $1 million, now is the time for organizations to redouble their OFAC compliance efforts. The same is true for their cybersecurity measures, as the Financial Crimes Enforcement Network (FinCEN) reported $590 million worth of ransomware-related suspicious activity in the first six months of 2021, well over the $416 million reported in all of 2020.” Disclosure 2 2 https://home.treasury.gov/system/files/126/ofac_ransomware_advisory.pdf

And as noted in a white paper from cybersecurity firm CSI: “OFAC specifically noted that financial institutions, cyber insurance firms and digital forensic companies could be at risk of sanctions violations when facilitating a ransom payment. OFAC has designated several known malicious cyber actors for sanctions, including the developers or sponsors of the Cryptolocker, SamSam, WannaCry 2.0 and Dridex ransomware. OFAC has also designated a virtual currency exchange known to facilitate ransomware payments. When determining OFAC sanctions violations, certain factors can mitigate the punishment: a) A risk-based OFAC compliance program, b) Strong cybersecurity practices that reduce ransomware threats, c) Reporting the attack to law enforcement and cooperating with the same.” Disclosure 3 3 The Dangerous Intersection of OFAC and Ransomware, CSI @ www.csiweb.com

Ferber recommends that if a ransomware attack occurs, companies should take several steps to manage enforcement risk. This includes analyzing forensic and other evidence, prior to making a payment, to evaluate whether there is a potential nexus to a prohibited person or entity. In particular, organizations should investigate threat actor background through open source channels, institutional information that a retained digital forensics or incident response firm may have on the threat actor, geolocation of IP addresses and infrastructure that the threat actor uses, and whether any identifiers appear on OFAC lists. Organizations must confer and coordinate with their breach counsel regarding the threat actor investigation, as well as engage with law enforcement, assess OFAC risk, and work with insurers on a request for ransomware payment preauthorization and reimbursement.

 -Ukraine Conflict

Be mindful that even if your cyber insurance policy could provide coverage for costs incurred from ransomware attacks, additional terms and conditions could apply that would impede an Insurer from reimbursing an Insured for such an expense. Please discuss this and other implications with your McGriff team.

Threats Escalate

Jen Easterly, head of the Cybersecurity and Infrastructure Security Agency (CISA), posted on Twitter, “While there are no specific threats to the U.S. at this time, all orgs must be prepared for cyberattacks, whether targeted or not,” citing the 2017 NotPetya attack that brought commerce to a halt and caused billions in damage for corporations around the world.

Kimberly Horn from cybersecurity group Unit 42 advised McGriff that Conti had posted a warning on its website declaring that they were “officially announcing a full support of Russian government. If anybody will decide to organize a cyberattack or any war activities against Russia, we are going to use our all possible resources to strike back at the critical infrastructures of the enemy.”

To help prepare organizations of all sizes, CISA launched “Shields Up,” a program to help organizations prevent, detect, and minimize the impact of cyber events. Cybersecurity firms working closely with the insurance industry advised businesses to protect themselves by reviewing their business continuity plans and ensuring the fundamentals of cybersecurity are in place, including up-to-date patching programs, endpoint threat detection, antivirus programs, and multi-factor authentication. Disclosure 4 4 https://www.advisen.com/tools/fpnproc/news_detail3.php?list_id=35&email=sgladle@mcgriff.com&tpl=news_detail3.tpl&dp=P&ad_scale=1&rid=423806470&adp=P&hkg=F6lfLj9jqR

The FBI, CISA, the U.S. Cyber Command Cyber National Mission Force (CNMF), and the United Kingdom’s National Cyber Security Centre (NCSC-UK) have observed a group of Iranian government-sponsored advanced persistent threat (APT) actors, known as MuddyWater, conducting cyber espionage and other malicious cyber operations targeting a range of government and private-sector organizations across sectors—including telecommunications, defense, local government, and oil and natural gas—in Asia, Africa, Europe, and North America. Disclosure 5 5 [Note: MuddyWater is also known as Earth Vetala, MERCURY, Static Kitten, Seedworm, and TEMP.Zagros] For further information, go to Iranian Government-Sponsored Actors Conduct Cyber Operations Against Global Government and Commercial Networks | CISA @ https://www.cisa.gov/uscert/ncas/alerts/aa22-055a

Prepare & Remain Vigilant

Dustin Owens from Kivu Consulting told McGriff, “Kivu has been monitoring a rise in tensions from different parts of the world in recent weeks which indicate strong potential for an increase in cyber attacks.” In order to help protect organizations, Kivu strongly recommends increasing cyber awareness within your organization to include heightened attention to monitoring of security events, ensuring employees remain diligent in identifying and reporting suspicious looking emails, and in conducting regular surveillance of Internet-facing devices to identify and quickly patch vulnerabilities. “Cyber attackers are looking for the easiest path into an environment, so the harder you can make it for them to gain a foothold, the more likely that they will turn their attention to other companies who are now easier targets,” said Owens.

Meredith Griffanti with FTI Consulting, recommended, among other things, that as part of the preparations for a potential cyber incident, to: Build Redundancy into Communications Infrastructure. “Cyber attacks, particularly ransomware, are designed to disrupt an organization’s most vital functions – including traditional communications methods used to contact internal and external stakeholders,” said Griffanti. “Building redundancies into pre-existing communications processes before an attack occurs can help organizations take a front-footed approach to engagement with employees, customers and partners, and the public sector even when traditional communications channels are offline. This includes, but is not limited to, developing and maintaining backup contact information lists for customers, business partners, and employees, and regularly testing and training teams on ‘out of band’ emergency communications tools,” she added.

Griffanti further advised to Designate Stop-Work Authority for “organizations that have expansive operational footprints presenting threat actors with a wide attack surface. To mitigate the impact of an attempted attack aimed at disrupting Operational Technology, organizations should clearly designate those employees, contractors, or site managers with the authority to disconnect an office, production facility, specific system, or operating region from their network. Exercising stop-work authority in the early stages of an attack can mitigate infection of Operational Technology and prevent a largescale business disruption.”

The War Exclusion: Now and Later

As a reminder, a recent legal decision distinguished between cyberwar and “real” war. (Opinion, Merck & Co. v. ACE American Insurance Co., No. UNN-L-2682-18 (N.J. Super. Ct. Law Div. Jan. 13, 2022). Several years ago, the U.S. Department of Defense had determined that computer sabotage could be considered an act of war, but it did not specify which types of cyberattacks it included. To date, no clear consensus has emerged about what constitutes cyberwar or how it should be defined. That’s how the pharmaceutical company Merck ended up suing its insurer, with the judge ruling that the Acts of War clause did not apply in the NotPetya ransomware attack.

The U.S. and several other countries contended that Russia was responsible for launching the NotPetya attack to destabilize Ukraine. Merck was among the many impacted organizations and reportedly suffered damage to its computers, and costs of more than $1.4 billion. Merck’s property insurer argued that the war exclusion applied because Russia released NotPetya as part of hostilities against Ukraine. Merck challenged whether the war exclusion applied to cyberattacks at all. The Merck decision shows that courts will not easily be swayed by insurers’ attempts to deny coverage for cyberattacks based on the war exclusion. At no point did the court even suggest that the insurers’ interpretation was reasonable.

Cyber policies differ considerably in their war exclusion language and during the soft market, some policies benefitted from broad definitions of “cyber terrorism,” including acts of cyber terrorism carved back from the traditional war exclusion. Insurers are likely to assert that the war exclusion applies to certain state-sponsored cyberattacks, especially if such attacks are conducted as an extension of war or in retaliation for hostile acts.

The Lloyd’s Market Association has published several model war exclusions for cyber insurers to use in clarifying coverage intent for cyber-related incidents. (“Don’t panic about cyber insurers pulling up the drawbridge, says Lloyd’s,” The Register, (December 9, 2021), theregister.com/2021/12/09/lloyds_lma_cyber_insurance_clauses). Although such modifications may help insurers distinguish the Merck decision, they are unlikely to put an end to disputes over the war exclusion.

New controversies are bound to arise over the interpretation of the new terminology and how it might apply in an events such as the current conflict.

McGriff policyholders should consult with their brokerage service team to address current exclusions, consider various loss scenarios, and determine if other steps are needed.

For questions about this advisory, please contact:

Natalia Santiago, JD
SVP and Claims Manager
713.402.1410
nsantiago@mcgriff.com

Suzanne Gladle, ARM
SVP, Cyber Practice Leader
315.750.6010
sgladle@mcgriff.com

To learn more about McGriff Executive Risk Advisors, please contact:

Kieran P. Hughes, JD
Senior Vice President, Senior Claims Counsel
Executive Risk Advisors
404.497.7515
Kieran.hughes@mcgriff.com

David Sellars
Executive Vice President, Co-Division Leader
Executive Risk Advisors
404.497.7582
dsellars@mcgriff.com

Dusty Cahill
Executive Vice President, Co-Division Leader
Executive Risk Advisors
404.497.7537
dcahill@mcgriff.com