
Perspective: Caught in the crossfire – How will the war exclusion affect commercial policyholders?



The war exclusion has received much attention in the past year, especially since Russia invaded Ukraine in February. Policyholders’ concerns that insurers will invoke the exclusion as a basis for denying coverage are growing in light of recent coverage disputes and the potential for cyberattacks from Russia to have serious economic consequences. The war exclusion is at a moment of possible change, as insurance companies are considering revisions that may increase its scope.

The exclusion has been common in property/accident insurance for decades and is also found in almost all cyber insurance. It usually eliminates coverage for losses caused by “hostile or warlike acts” by a nation state or its organs, or by military forces. The war exclusion in cyber insurance often includes an exception that restores coverage for “cyberterrorism”.

Insurance companies have recently invoked the exclusion to try to avoid covering losses under property insurance stemming from Russia’s 2017 NotPetya cyber attack on Ukraine. That attack spread beyond Ukraine’s borders and caused extensive damage to computer systems.

A court in the state of New Jersey recently rejected an insurer’s reliance on the war exclusion in a property insurance policy under which the insured had sought coverage for losses caused by the NotPetya cyberattack, in Merck Co. Inc. et al. v. ACE American Insurance Co. et al.

Pharmaceutical giant Merck claimed that it suffered over $1.4 billion in losses due to the NotPetya attack, which it says affected over 40,000 of its computers worldwide and disrupted its production. Insurers and reinsurers on its $1.75 billion property insurance denied coverage based on the war exclusion, claiming that the attack was carried out by Russian agents who intended to paralyze Ukraine’s financial sector and that it then spread around the world. They claimed that the attack was carried out while Russia and Ukraine were engaged in war, and as such it was an act of war. Merck countered that the attack was a form of ransomware, which was not excluded by the policy. Although the United States and Britain accused Russia of being involved in the attack, the Russian government has called the accusation unfounded.

The court agreed with Merck that the term “hostile or warlike act” means a traditional war between two or more nations involving “hostilities between armed forces.” The court also noted that “[n]o Court has applied an exclusion from war (or hostile acts) to anything close to” a malware attack. Deciding Merck’s request for partial summary judgment, the court concluded that the insurers did nothing to change the language of the exclusion to reasonably inform the insured that they intended to exclude cyberattacks.

Although the Merck decision can be appealed, it raises the question of how courts will interpret war exclusions contained in cyber insurance policies, which are explicitly intended to cover losses resulting from cyberattacks. There is almost no case law on this subject. So far, cyber insurance companies have assured policyholders that they intend to interpret the war exclusion narrowly, as they are required to do. Russia’s war against Ukraine may, however, raise the question of whether it will lead to another event like NotPetya.

A few months before Russia invaded Ukraine, the Lloyd’s Market Association introduced four model clauses designed to, to a greater or lesser extent, exclude coverage of war risks from cyber policies.

Clause 1 is the most restrictive and would exclude losses directly or indirectly caused by, through or as a result of war or a cyber operation. “War” is defined as the use of physical force by one sovereign state against another sovereign state, and “cyber operation” is defined as the use of a computer system, by or on behalf of a sovereign state, to disrupt, deny, impair, manipulate or destroy information in a computer system of or in another sovereign state. In other words, it purports to exclude coverage for losses “indirectly” caused by either a physical war or a cyberattack “by or on behalf of” a sovereign state.

Clause 2 is the second most restrictive and would allow coverage, subject to lower limits, for losses due to cyber operations which: (1) are not retaliation between China, France, Germany, Japan, Russia, the United Kingdom or the United States; and (2) do not have a “major detrimental effect” (not a defined term) on the security, defense or essential services of a sovereign state.

Clause 3 provides the same coverage as clause 2, but without lower limits.

Clause 4, which provides the greatest coverage, offers the same coverage as clause 3 and also covers the effects on “overall cyber assets” – defined as a computer system used by the policyholder or its third-party service providers, which is not physically located in an affected sovereign state but is affected by a cyber operation.

One aspect of all these exclusions that is of particular concern is that they would give the insurer the right to determine whether a cyber operation was “indirectly” carried out “by or on behalf of” a sovereign state. The language could potentially lead to the exclusion of coverage for attacks where the victim was not the intended target and the actor merely claims to be acting in favor of, or in support of, a state rather than being directed by the state.

The exclusions state that the primary factor the insurer will use to make this determination is whether the government of the sovereign state where the affected computers are physically located attributes the cyber operation to another sovereign state or those working on its behalf, an attribution that is obviously subject to political pressure or whim. Before a state makes such an attribution, the insurer can draw an “objectively reasonable” conclusion as to whether the cyber operation was carried out by or on behalf of a sovereign state.

As a result, while the law generally provides that exclusions are to be interpreted narrowly and that the insurer has the burden of proving that they apply, these changes would in practice reduce the insurer’s burden to drawing only an “objectively reasonable conclusion” that the exclusion applies.

When the war exclusion was first developed, it was clear which country fired the bullet or dropped the bomb, causing physical damage. Nowadays, as revealed by the LMA’s effort to reduce the burden of proof on insurers, it is often unknown who carried out the attack and/or what their motives were.

Questions about identity and motives are irrelevant to the cyber policy’s insurance contract. The policy is supposed to pay for losses that policyholders suffer as a result of a cyberattack, regardless of who did it and why. From a policyholder’s perspective, a ransomware attack launched by a group claiming to support Russia’s war in Ukraine is no different from an attack by a group claiming no affiliation or motive. In both cases, the policyholder must work out how to unlock its machines and keep its business running.

This was the animating motivation for Queen Insurance Company v. Globe & Rutgers Insurance Company, which dates back to the First World War. The case arose from the collision between two merchant ships traveling at night without lights due to submarine attacks. The U.S. Supreme Court ruled that the collision could have occurred at any time, not just as a result of war, even if the ships were blind to each other due to previous submarine attacks. Subsequent cases have picked up this logic in rejecting insurance companies’ reliance on the war exclusion.

Such reasoning should have even more force today, when often the only known fact is that there was an attack, while the identity of the attackers and their motives remain shrouded in mystery or at best uncertain. The policyholder’s experience of the attack and the losses resulting from it will remain the same, whether the attack was made to support a war, was only carried out during a war, or was simply the work of thieves.


Tyler C. Gerking is a partner and member of the insurance recovery group at Farella Braun + Martel LLP in San Francisco. He can be reached at tgerking@fbm.com.

