If You’re Hacked, You May Not Have a Claim

State-sponsored cyber aggression is becoming unmanageable for an industry designed to protect customers against the pursuits of common criminals. “For a while insurance payouts in cyber weren’t really that high,”

Ciaran Martin,

the founding CEO of Britain’s National Cyber Security Center, said in an interview. “Then came ransomware, GDPR legislation and major attacks like NotPetya. Cyber insurance went from being much like any other insurance policy to being one with massive payouts and companies talking about systemic risk.”

In January a New Jersey judged ruled that U.S. pharmaceutical giant Merck, one of NotPetya’s victims, was entitled to a $1.4 billion payout. Its insurer, ACE American, had argued that since Western governments had attributed NotPetya to the Russian government, it counted as a warlike act and wasn’t covered as per the War or Hostile Acts exclusion.

Cyber isn’t the only threat companies face from hostile state actors. Consider the Lithuanian companies whose exports to China were blocked from Beijing ports in retaliation for Vilnius’s decision to allow Taiwan to open a representative office. As the White House notes in its new National Security Strategy, “Beijing frequently uses its economic power to coerce countries.” Or consider the companies that felt compelled to leave Russia after

Vladimir Putin’s

invasion of Ukraine and incurred considerable losses by doing so. The German home-improvement chain Obi Baumarkt had to leave so quickly that it sold its Russian operations to local investors for next to nothing. Or what about the German, French and Dutch minority owners of Nord Stream 1 and 2? While outsiders can’t know the details of the firms’ insurance policies, the geopolitical sabotage of the pipelines is likely to cause a payout headache.

Insurance policies exclude war—but war is no longer easily defined. Today, geopolitically motivated aggression can appear in limitless guises, and private companies are often the targets. This uncertainty could render particular business practices uninsurable. And given the sums already lost by companies as a result of geopolitical aggression, governments are hardly in a position to compensate companies for every harm directed against them by hostile regimes or their proxies.

That doesn’t mean businesses have to be sitting ducks. After being crippled by NotPetya five years ago, Maersk, the Danish shipping giant, made a point of publicizing its steps to shore up its cyber protection. That turned its misfortune into a competitive advantage. The Czech Ministry of Defense last year launched exercises featuring gray-zone risks—aggression short of armed military violence—for the country’s private sector. “Gray-zone exercises should be a cornerstone of every responsible company’s risk management,”

Tomáš Kopečný,

the deputy minister of defense, who initiated the exercises, said in an interview. Such exercises “always reveal gaps in companies’ risk management. It also familiarizes them with other companies’ experiences and introduces them to the authorities and officials they need to know as gray-zone aggression increases.”

While other governments should follow the Czechs’ example, companies without access to such exercises can team up with other businesses to test their resilience. Businesses would also do well to re-examine the political risk of doing business in certain countries.

As geopolitical aggression intensifies, companies can make a virtue of being prepared. They should double down on cyber protection, especially since they can’t know beforehand whether an attack will originate with a foreign state or with criminals. But they should also publicly highlight their efforts, in speeches, interviews, marketing materials and annual reports. Demonstrating such preparedness will appeal to shareholders and customers and attract new ones.

Ms. Braw is a senior fellow at the American Enterprise Institute and an advisory board member for Gallos Technologies, a venture-capital firm that supports security technology companies.