Gray-zone attacks challenge risk managers: what to know
Buying political violence insurance is usually pretty simple: you find coverage depending on the prevalent threat you face. If you are in an area of the world in which there are frequent terrorist attacks, you purchase a terrorism policy. If you engage in activities that are prone to subversive disruption, you will buy sabotage insurance. If your operations are in a country where there is a risk of war, or civil war, you seek coverage for these perils, and so on.
Proving that a loss is covered under these policies – the proverbial ‘receipts’ - should be equally straightforward. An act of terrorism or sabotage is accompanied (often preceded) by a claim of responsibility by the group involved. Acts of war are hard to miss, and while adjusting a loss is complicated by the damaged property now being in a war zone, the fact that it is a war zone somewhat proves the point.
A new threat landscape is upending this, however. In a globalized world which breeds adversarial inter-state relationships, countries are increasingly looking to settle scores by enlisting non-state actors to carry out attacks on their behalf. This tactic has been facilitated in no small part by the easy weaponization of readily available and cheap technologies. These acts are aggressive, often violent, but provide the instructing party with a plausible deniability that eludes classification required under traditional insurance contracts (hence the ‘gray-zone’). Given the potential for vast economic loss, this coverage challenge merits attention.
In 2024, western nations accused Russia of placing incendiary devices in cargo planes bound for North America, which Moscow denies. The same year, Polish officials claimed to have arrested 20 individuals suspected of plotting foiled sabotage attacks, which they claimed had been initiated by Russian government forces. By January 2025, 11 subsea cables had been damaged in the Baltic sea prompting a NATO response after Finnish police suspected that an oil tanker belonging to Russia’s shadow-fleet had been involved. And all of this followed an explosion on the Russia-to-Germany Nord Stream pipeline in 2022 with no clear culprit emerging.
Gray-zone, or hybrid acts of sabotage like these are attractive for bad actors; if coordinated correctly they can wreak extraordinary havoc. 95% of internet traffic goes through subsea cables, with firms such as Meta and Google owning a growing share - the ‘soft underbelly’ of American power”, as one historian puts it. A third of all gas travelling to the EU goes through Norwegian pipelines, and when Houthi rebels cut three cables in the red sea, 25% of all internet traffic between Asia and Europe was affected. The most chilling manifestation of this kind of threat might be that of a cyber-attack on critical infrastructure, similar to the ‘NotPetya’ attack which knocked out much of Ukraine’s power grid in 2017, causing $1 billion in losses to three victims alone.
Furthermore, the use of force required is minimal, to the extent that attacks can either go undetected, or be passed off as accidental. Instead of claiming responsibility, states seeking to avoid retaliatory sanctions will find this deniability particularly useful. Of course, for the impacted parties, this will offer no relief. But their insurance programs will, right?
This is where risk managers and their brokers must exercise care to ensure that covered perils are, where possible, defined by their outcome rather than an underlying motive – particularly in those environments where economic instability is highest and/or which have experienced major flashpoints. Despite the vibrant threat environment, rates in the property and casualty insurance market are softening, creating a welcome opportunity for buyers to lock in broad political violence coverage at an affordable price.
The amorphous nature of gray zone attacks challenges conventional risk transfer strategies, demanding concerted action on the part of insurance managers. Speak to your Willis contact to ensure that your organization stays ahead.
