Bella premunt hostilia, the 13th-century Italian monk Thomas Aquinas wrote: “our foes press from every side”. The foes of liberal democracies are indeed pressing from every side, and increasingly against business. Whether they realise it or not, companies are at the frontline of a new kind of warfare.
This poses a problem for executives, many of whom are not used to assessing corporate risks based on geopolitical tangling. When the attacker is another country’s government, all bets are off. Most insurance policies have “war clauses”, standard insurance that covers warlike actions. But when a cyber attack is attributed to a government, it may now be treated as a warlike act.
“Cyber attacks are going the way of named hurricanes,” concluded an executive at a recent presentation I made to a group of business leaders. She’s right. When a weather agency gives a hurricane a name in recognition of its size and strength, that affects how much compensation people can claim for its damage under their insurance policies.
But as “acts of war” proliferate and become harder to define, who will insure businesses when they suffer catastrophic losses? “Corrupt business practices, cyber attacks, assassination, fake news, propaganda, the usurping of supply chains, the theft of intellectual property are now used to harm the west,” said General Nick Carter, the UK’s highest-ranking military officer, in a speech last year.
The NotPetya cyber attack that virtually disabled AP Moller-Maersk, the shipping company, in 2017 is a cautionary tale. “We were a collateral victim of probably a state attack situation,” said Jim Hagemann Snabe, chairman of Maersk, at Davos in 2018.
In a sign of the times, existing and potential victims of state-linked cyber attacks are wrangling with insurers about what constitutes a warlike act. This year a dispute broke out between another victim of NotPetya, the US food company Mondelez, and its insurer Zurich. Warlike acts are no longer just an existential question for governments but for a wide range of businesses, too.
This threat does not mean western companies have to withdraw from global markets. With their complicated supply chains and diverse customer bases, such a step would at any rate not be possible. It does mean, however, that they should think of themselves as participants in issues of national security.
Business leaders “should be proactive” in their responses, said Mr Snabe in Davos. Maersk now markets itself as a cyber security leader. Executives could also ask their governments for regular national security briefings; it is in the interests of both sides. The US government might, for example, revitalise the state department’s international security advisory board, a body that has featured a range of retired diplomats and generals but only very rarely a business leader. When Nato members meet in London in early December, they would do well to map out steps for better government-industry co-operation.
Armed forces could recruit senior executives for a fixed term of service. This spring the Swedish armed forces appointed Jan-Eric Nilsson, a shipping executive, as business adviser to the chief of defence, giving him the rank of navy captain. Imagine, say, the chief operating officer of a large retail bank as a temporary lieutenant general. I dare say plenty of COOs would jump at the chance.
The insurance industry and western governments should also think about how they might work together to create solutions where businesses and insurers can continue to operate globally without collapsing under the force of attacks by hostile states. Investors are certain to be more confident in a business that spends a little more on such contingency planning than in one that simply hopes it won’t be hit. Our foes may be pressing from every side, but we have the skills to push back.
The writer directs Rusi’s Modern Deterrence project