The Russian invasion of Ukraine has led to warnings from the United States government that Russia may support cyber attacks on United States commercial interests in retaliation for our support for Ukraine. The first thought of anybody in the insurance industry is whether there is coverage if this occurs.

Insurance commentator Bill Wilson wrote an excellent article about this topic in Cyber Insurance and “War” Exclusions. Wilson stated in part:

It is easier to argue that the first non-ISO ‘war’ exclusion cited above may not apply to a cyber attack by a government than the second non-ISO ‘war’ exclusion cited above which refers to ‘order of any government.’ In addition, note that the second example above makes a specific exception for TRIA-type events. Such exceptions may appear under such ‘war’ exclusions or elsewhere in these types of policies, or they may be added by endorsement.

..

In the case of cyber insurance, there are no accepted industry standard forms or policy language. Coverage truly is ‘caveat emptor’ based. Cyber attacks by a government are likely excluded by many, if not most, of these policies, with the primary exception being potential coverage under TRIA events. Again, that being said, keep in mind that the burden of proof when applying exclusionary language rests with the insurer.

A blog post by the Pillsbury law firm, War Exclusion Does Not Bar Recovery for Losses from a Nation-State Cyber Attack on Pharma Giant and the Effects on Insurance Policies from Increased Globalized Threats of Ransomware, discusses a case where coverage was granted for a $1.4 billion loss caused by Russian military malware. The article noted, in part:

The court ruled in favor of Merck, declaring that the War or Hostile Acts exclusion does not apply under the exclusion’s plain meaning and relevant case law. The court emphasized that the language at issue was found in an exclusion, which must be construed narrowly in favor of coverage. The court then sided with Merck’s argument that the exclusion contained language that limited the exclusion to the use of armed force, and that ‘the exclusion applied only to traditional forms of warfare’ involving ‘de jure or de facto sovereigns.’ Looking to the language used in the exclusion—‘hostile or warlike action’—the court agreed that Merck maintained a reasonable understanding of this exclusion that involved the use of armed forces.

Additionally, the court noted that no court has applied a war exclusion to a cyber-related attack. The court noted that ACE did not change the language of the war exclusion, which had been virtually the same for many years, to put Merck on notice that it intended to exclude cyber attacks. Insurers had the ability to do so but, because they failed to change the policy language, Merck had every right to anticipate that the exclusion applied only to traditional forms of warfare.

In response to this case and the Russian invasion, FitchRatings posted an article, Russian Cyberattacks May Test Insurer War Exclusion Policy Language, which stated:

The Russian invasion of Ukraine has increased the risk of cyberattacks and potential claim costs for property/casualty insurers globally that offer cyber coverage, the majority of which is underwritten in North America. Such attacks may also further test the effectiveness of ‘war exclusion’ and ‘hostile act exclusion’ language, which has come under greater scrutiny following a recent court ruling that found an insurer liable for losses stemming from the 2017 NotPetya malware attack. Nonetheless, larger insurers have taken significant pricing and underwriting actions in response to rising cyber claims in recent years, including tightened contract language, which should help mitigate underwriting losses in the current uncertain environment…

Compounding the problem is the inability to properly identify the perpetrator of an attack as cyber criminals have expertise in concealing their identities. Often early indications of attack origins are false flags. Digital forensics can take years to complete and still remain ambiguous.

In an article after the invasion started, Lockton made the following observation in Russia, Ukraine, Cyber Insurance and The War Exclusion:

An insurer’s analysis of a claim and the war exclusion will be very fact dependent. It is not always easy to establish responsibility for a cyberattack, especially with the anonymity that cyberspace provides. Attribution depends on many different factors that may not be conclusive. The attribution process can take a long time. Insurers therefore may not invoke the exclusion for fear of ending up in expensive litigation with their policyholders that they cannot be highly confident of winning.

We have seen third parties waging cyberattacks against Russia and Ukraine. For example, the hacking group Anonymous has tweeted that it is engaged in cyber war with Russia. Would a war exclusion apply to an attack by a third party that is sympathetic with one side in the conflict? While the better interpretation should be that the exclusion does not apply because Anonymous is not an entity with ‘significant attributes of sovereignty,’ it remains to be seen what position insurers will take.

A strong argument can be made that a war exclusion is not triggered by cyberattacks affecting parties that are strangers to the conflict and that have done nothing to put themselves in harm’s way. As the Merck court noted (relying on earlier decisions from the U.S. federal courts and from English courts), the remote consequences of hostilities do not support application of a war risk insurance policy and, by extension, a war exclusion. That reasoning appears to support arguments that a war exclusion does not apply to losses suffered by innocent third parties that are inadvertently damaged by a cyberattack directed against one of the parties to a military conflict.

We are certainly entering a new age of cyber risk with insurance coverage at play for losses not contemplated when I first started in this line of work in the early 1980s. While war exclusions have long been in existence, cyber attack has not been part of those wars until relatively recently. The forms being sold are being changed as insurers and policyholders better understand these risks and underwriting is better able to respond to the need for coverage.

Thought For The Day

We live in a world where all wars will begin as cyber wars… It’s the combination of hacking and massive, well-coordinated disinformation campaigns.
—Jared Cohen