The Russia-Ukraine conflict has seen cyber warfare enter the mainstream, with both sides using hacking tactics. The risk of spill-over into businesses not directly involved in the situation remains a possibility. As has happened in the past with attacks like NotPetya in 2017, a business doesn’t have to be the intended target of an attack to feel its effects.
Therefore, it is vital that businesses review their existing backup strategies and Cyber Incident Response Plans, or they risk getting caught in the cyber crossfire. This is especially important because organisations cannot rely on cyber insurance for protection against any losses that occur as a result of the conflict.
In 2017, NotPetya ransomware was used by Russia to target Ukraine. Although it was aimed at a country, it had a massive impact on companies around the world, including international advertising business WPP, pharmaceutical company Merck, Danish shipping firm Maersk and many others.
The usual intention of a ransomware attack is profit: it aims to paralyse a business and force it to pay to operate again. This wasn’t the case for NotPetya – its purpose was disruption.
NotPetya took advantage of a vulnerability in Microsoft Windows systems on which an important security patch had not been installed. It encrypted users’ data and left no way for it to be retrieved. In its annual report, Merck reported the attack cost the business nearly $915 million.
This is the risk faced by businesses around the world that are unconnected to the conflict.
Cyber insurance is no longer a protection for businesses dealing with collateral damage from the conflict.
Cyber insurance (like many other types of insurance) excludes acts of war from coverage. Insurers refused to pay out on claims from Merck and Mondelez after NotPetya. These refusals have been contested, and a court in New Jersey recently ruled in favour of Merck. It found that the exclusion clause applied to armed conflict rather than cyber warfare.
While Merck was awarded $1.4 billion in this legal dispute, insurers have since updated their cyber war exclusion clauses to ensure they don’t pay out on similar attacks. In particular, Lloyd’s of London published its Cyber War and Cyber Operation Exclusion Clauses in late 2021 to exclude “any loss, damage, liability, cost or expense of any kind…directly or indirectly occasioned by, happening through or in consequence of war or a cyber operation.”
Bolstering your cyber defences
The National Cyber Security Centre (NCSC) has good advice on what organisations should be doing to improve security when the cyber threat is heightened.
Preventing an attack altogether is obviously preferable, but it is not always possible. Rapid detection and response can significantly limit the damage and minimise the scale of the recovery effort.
Further, it’s important to review your backup and recovery strategy and your Cyber Incident Response Plan. Advanced ransomware attacks will now either target backups directly or will wait to detonate in order to outlast shorter backup retention policies. Make sure you have enough historic versions of your data to restore from and can quickly recover to minimise your downtime.
Next, make sure your backups are isolated and air-gapped, so there is no way an attack could impact both your live systems and your backups.
Finally, look at how you would detect an attack and how quickly you can respond to isolate systems. The faster you can react to cyber threats the better, because you limit the damage and make the recovery easier. Cyber incidents have rapidly become the leading cause of data loss. From cyber crime to cyber warfare, organisations need to adapt quickly to stay resilient in the face of these new threats.
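The point above about delayed detonation outlasting short retention periods can be checked against your own policy. The following Python is an added example, not part of the original article: it assumes nightly backups kept under a daily / weekly (Sunday) / monthly (1st) retention scheme, and the function names, dates and policy figures are constructed for illustration.

```python
from datetime import date, timedelta

def retained(today, keep_daily, keep_weekly=0, keep_monthly=0, horizon=730):
    """Dates of nightly backups still held on `today` under an assumed
    daily / weekly (Sunday) / monthly (1st of month) retention scheme."""
    days = [today - timedelta(days=n) for n in range(horizon)]
    kept = set(days[:keep_daily])
    kept.update([d for d in days if d.weekday() == 6][:keep_weekly])
    kept.update([d for d in days if d.day == 1][:keep_monthly])
    return sorted(kept)

def assess(today, dwell_days, snapshots, isolated=True):
    """Return (restore_point, days_of_data_lost) for malware planted
    `dwell_days` before it detonates on `today`.
    Returns (None, None) when no usable backup survives."""
    if not isolated:
        # Backups reachable from live systems are assumed lost with them.
        return None, None
    planted = today - timedelta(days=dwell_days)
    # Conservative: only backups taken strictly before the intrusion are clean.
    clean = [s for s in snapshots if s < planted]
    if not clean:
        return None, None
    best = max(clean)
    return best, (today - best).days

if __name__ == "__main__":
    detonation = date(2022, 3, 15)   # constructed date
    dwell = 21                       # constructed dwell time in days
    policies = {
        "14 dailies only": retained(detonation, 14),
        "7 daily + 4 weekly + 6 monthly": retained(detonation, 7, 4, 6),
    }
    for name, snaps in policies.items():
        point, lost = assess(detonation, dwell, snaps)
        if point is None:
            print(f"{name}: no clean restore point, every copy postdates the intrusion")
        else:
            print(f"{name}: restore from {point}, {lost} days of data to rebuild")
```

With these figures, the 14-day policy holds more recent copies but none that predate the intrusion, while the tiered policy still has a clean weekly copy at the cost of rebuilding 23 days of data.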