The coverage of state-sponsored cyberattacks in Spanish insurance law
DOI: https://doi.org/10.51302/ceflegal.2023.19019
Keywords: insurance, cyberattack, war, armed conflict, cyberwar
Abstract
This paper has won the 1st Financial Studies 2023 Award in the category of Civil and Commercial Law.
The insurance industry has generally rejected the coverage of damage arising from armed conflicts since the mid-twentieth century. The main reasons lie in the theoretical unpredictability of these events, making it difficult to develop accurate actuarial models, as well as in their ability to cause massive damage in very concentrated periods of time, which can lead to excessive pressure on the solvency of insurers. As a result, it is common for certain policies to exclude damage caused by armed conflicts. In recent years, certain States have been sponsoring cyber-attacks against foreign targets as part of their geopolitical strategies. This has given rise to the debate on the consideration of these attacks as constituting armed conflicts and, consequently, on their coverage by insurers. Throughout this paper, we intend to analyze the treatment that state-sponsored cyber-attacks receive in Spanish law, where, as we will discuss, the exclusion of damages caused by armed conflicts, and other extraordinary events, is included in a legal norm.









