Microsoft’s recent attack, SBCA, CBI/DBI, Swans, and Cables

Charles Perry, Head of Cyber, Berkley Specialty London

 

On the 12th of January 2024, Microsoft announced that it had detected a “nation-state attack.” Moreover, Microsoft publicly attributed it to Russia and emphasised the urgent need to move faster to counter continuous risks from well-resourced nation-state threat actors.[i]

 

While there has been no apparent catastrophic disruption, the attack provokes thought about the ever-increasing complexities and challenges of modelling and managing a profitable portfolio of cyber risk in a world where technological advancements are outpacing us (think AI). In the context of a world with very fragile and heightened geopolitical tensions, and immeasurably interdependent supply chains, there are two topical, inextricably linked, and overlapping issues for the cyber insurance market. The first is nearing the end of its drawn-out embedding; the second has quietly crept into coverage while all eyes have been focussed on the first, to the extent that many portfolios may unknowingly become blindsided by their exposure.

 

 

State Backed Cyber-Attacks (SBCA)


First, SBCAs. Microsoft’s announcement and attribution are interesting given the turbulent introduction of the Lloyd’s Market Association’s war clauses. While this purported state-backed Russian attack continues to develop, the event may provide a useful scenario for stress-testing the modernised clauses. Was it just a warning shot or was it intended to have a catastrophic impact? Either way, impact assessments (such as Realistic Disaster Scenarios) can help steer a portfolio of cyber risk towards (increased) resiliency.

 

 

Contingent Business Interruption (CBI) / Dependent Business Interruption (DBI)


Second, Microsoft clearly has a huge market share. Putting bargaining power to one side, a vast number of businesses in the world simply depend on its products and services in one way or another, knowingly or unknowingly (scheduled or unscheduled within a cyber policy). In this competitive landscape, there have been notably increased line sizes and broader coverage for CBI and DBI. Microsoft’s attack therefore poses a question about the extent to which the exposure was being sufficiently monitored and managed by the cyber insurance market, particularly with the increasing use of facilities to place cyber risk in the market. Eyes wide open or hit and hope?

 

 

Swans and cables


The term “Black Swan” (popularised by Nassim Nicholas Taleb) is often used to describe an event that is extremely rare, has a major impact, and is unpredictable or unforeseen. The less commonly used term “White Swan” refers to one that is rare and potentially significant but is foreseeable and predictable. In The Dark Cloud (2023), Guillaume Pitron points out that “99% of the world’s data traffic travels not through the air, but via cables that are beneath our feet and at the bottom of the sea.” Even though Pitron’s book is primarily an exposé of the “cloud” and its environmental cost to the world, Pitron also gives a perspective on this undesirable exposure and the potential for cascading failures, particularly in a data-reliant world where most data is transmitted by approximately 529 cable systems and 1.4m kilometres of cable (TeleGeography[ii]). Microsoft’s recent attack should therefore help steer the cyber insurance market towards better understanding and management of the exposures that come with a portfolio of cyber risk, and help ensure portfolios are prepared for and resilient to whatever swan it may be.

 

[i] https://www.microsoft.com/en-us/security/blog/2024/01/25/midnight-blizzard-guidance-for-responders-on-nation-state-attack/

 

[ii] https://submarine-cable-map-2023.telegeography.com/