Since the start of the war in Ukraine, fears of cyber-attacks due to parallel hybrid war are increasing. In this article we explain how the insurance industry is reacting and how the war clause affects conditions.

Is there an increased cyber threat from the war in Ukraine?

Officials like the German BSI are currently assuming an “increased threat level”. However, there is currently no immediate threat to information security in connection with the situation. However, there are already suspicions of individual cyber-attacks in connection with the war. The German wind turbine manufacturer Enercon, for example, was no longer able to carry out remote maintenance on its own systems. The reason for this was a disruption in the satellite network.

How are cyber insurers reacting?

Immediately after the outbreak of the war, our cyber specialists contacted cyber insurers in order to know their reaction. The general feedback was that the situation was being assessed and, especially in the area of critical infrastructure, that decisions will be taken with even more restrictions.

Does the war exclusion clause apply?

Cyber insurances usually have so-called war exclusion clauses, according to which damage caused by war or war-like events are not insured. The classic exclusion of war means that there is generally no coverage in the case of a targeted action by an attacking state using physical force.

If the cyber-attack is originated by so-called state sponsored hacker groups, there is no direct-targeted action by an attacking state, and therefore no war in the sense of the definition. In addition, Russia is at war with Ukraine and not with other countries, a point to be considered when insurance wordings are interpreted. Even if a cyber-attack on a company is directed by a state, this is still no official war action. It is the insurer who must provide evidence that the cyber-attack is originating from a state if he thinks that the exclusion is applicable. It will be very difficult for the insurer, however, to prove such a fact, because hackers usually do not announce that they are acting for a government.

How about the ransom payment?

Ransomware cases are currently the No. 1 cyber threat. Access to data or services is blocked and a ransom is demanded for activation. The ransom payment is generally insurable. If the blackmailers are Russian hacker groups, policyholders must expect that the insurers will not make any payment without a positive sanctions and compliance check. Due to the extensive sanctions against Russia, ransom payments to Russian hacker groups are usually subject to sanctions and insurance payments are therefore contractually and legally prohibited.

Source:  Stephan EberleinWar in Ukraine and Cyber insurance (March 23rd, 2022), URL: (March 24th, 2022)