Insurers could consider Russian cyberattacks an act of war and not pay out
Insurers may not cover Dutch companies for damages caused by a cyberattack from Russian hackers. Insurers could label such attacks as an act of war so that they do not have to pay, experts in the field of cybersecurity and insurance said to BNR.
"If a virus comes from Russia, is aimed at Ukraine, and causes damage in Western Europe, there is a good chance that insurers will say: that risk is not ours," Job Kuijpers, CEO of cybersecurity company EYE and former director of cybersecurity at intelligence service AIVD, said to the broadcaster. "You enter a gray area in which it is unclear what insurers will do."
He added that the dividing line is also thin if Russian hackers directly attack Dutch companies. "Sometimes they work for the government, other times they work for themselves. When is it warfare, and when is it a purely criminal act?" A court will have to rule on that, Kuijpers said.
Dave Maasland of IT security company ESET agrees that it is difficult to determine what is an act of war and what is not. "It is precisely this uncertainty that makes it difficult for companies," he said to BNR. Maasland thinks that sanctions against Russia could cause an increase in cyberattacks. "It raises our risk profile. If you want to hit us from a distance, digital attacks are a handy method that you can hide behind."
Marie-Louise de Smit of risk and insurance advisor Aon confirmed that cyber insurance policy conditions often state that war situations are excluded. But she added that many insurers make an exception for cyber terrorism. "Then it states that there is no cover for damage resulting from war operations unless it concerns cyber terrorism."
Cyber expert Tom Rijgersberg of Meijers Assurantien thinks that if the number of attacks continues to increase, insurers will likely "protect themselves more by introducing additional clauses that exclude cover."