The Russian invasion of Ukraine has led to warnings from the US government that Russia may support cyber attacks against US commercial interests in retaliation for our support for Ukraine. The first thought of someone in the insurance industry is whether there is coverage if this happens.
Insurance commentator Bill Wilson wrote an excellent article on this topic in Cyber Insurance and “War” Exclusions. Wilson said in part:
It is easier to argue that the first non-ISO “war” exclusion quoted above may not apply to a government cyberattack than the second non-ISO “war” exclusion quoted above which refers to “orders from which government any.” Also note that the second example above makes a specific exception for TRIA-type events. Such exceptions may occur during such “war” exclusions or elsewhere in these types of policies, or they may be added by approval.
When it comes to cyber insurance, there are no accepted industry standard forms or policy languages. The coverage is really “caveat emptor”-based. Government cyberattacks are likely to be excluded by many, if not most, of these policies, with the primary exception being potential coverage during TRIA events. Again, having said that, keep in mind that the burden of proof when applying the language of exclusion rests with the insurer.
A blog post by the law firm Pillsbury, War exclusion does not prevent recovery for losses from a nationwide cyber attack on the pharmaceutical giant and the effects on insurance from increased globalized threats to ransomware, discusses a case where coverage was granted for a loss of $1.4 billion caused by Russian military malware. The article noted in part:
The court ruled in favor of Merck, declaring that the exemption from war or hostile acts does not apply according to the simple meaning of the exclusion and relevant case law. The Court emphasized that the language in question was found in an exclusion, which must be interpreted narrowly in favor of coverage. The court then ruled on Merck’s argument that the exclusion contained language that limited the exclusion to the use of armed force, and that “the exclusion only applied to traditional forms of warfare” involving “de jure or de facto sovereigns”. In view of the language used in the exclusion – “hostile or belligerent acts” – the court agreed that Merck had a reasonable understanding of this exclusion which involved the use of armed forces.
In addition, the court noted that no court has applied a war exclusion to a cyber-related attack. The court noted that the ACE did not change the language of the war exclusion, which had been virtually the same for many years, to draw Merck’s attention to the fact that it intended to rule out cyber-attacks. The insurance companies had the opportunity to do so, but since they failed to change the language of the policy, Merck had every right to anticipate that the exclusion only applied to traditional forms of warfare.
In response to this case and the Russian invasion, FitchRatings has posted an article, Russian cyberattacks can test the insurer’s language for exclusion policy, which stated:
The Russian invasion of Ukraine has increased the risk of cyberattacks and potential damage costs for real estate / non-life insurance companies globally that offer cyber coverage, the majority of which are subscribed in North America. Such attacks could also further test the effectiveness of the language “war exclusion” and “hostile exclusion”, which has come under closer scrutiny following a recent court ruling that found an insurer responsible for losses arising from the 2017 NotPetya malicious attack. Nevertheless, major insurance companies have taken significant pricing and insurance measures in response to increasing cyber claims in recent years, including a sharpened contract language, which should help mitigate insurance losses in the current uncertain environment …
What exacerbates the problem is the inability to correctly identify the perpetrator of an attack because cybercriminals have the expertise to hide their identity. Early indications of the origin of the attack are often false flags. Digital forensics can take years to complete and still remain ambiguous.
In an article after the invasion started, Lockton made the following observation in Russia, Ukraine, Cyber Insurance and The War Exclusion:
An insurer’s analysis of a claim and the war exclusion will be very factual. It is not always easy to establish responsibility for a cyber attack, especially with the anonymity that cyberspace provides. Attribution depends on many different factors that may not be decisive. The attribution process can take a long time. Insurers must therefore not invoke the exclusion for fear of ending up in costly litigation with their policyholders that they cannot be very sure of winning.
We have seen third parties carry out cyber attacks against Russia and Ukraine. For example, the hacker group Anonymous has tweeted that it is involved in a cyber war with Russia. Would a war cessation involve a third-party attack that is sympathetic to one side of the conflict? Although the better interpretation should be that the exclusion does not apply because Anonymous is not an entity with “significant attributes of sovereignty”, it remains to be seen what position insurers will take.
A strong argument can be made that a war exclusion is not triggered by cyber attacks that affect parties that are foreign to the conflict and that have done nothing to endanger themselves. As noted by the Merck Court (based on previous rulings by US federal courts and English courts), the distant consequences of hostilities do not support the application of a war risk insurance policy and, by extension, a war exemption. That reasoning seems to support the argument that a war exclusion does not apply to losses suffered by innocent third parties who are inadvertently harmed by a cyber attack directed at one of the parties in a military conflict.
We are really entering a new era of cyber risk with insurance coverage that applies to losses that I did not think of when I first started on this line in the early 1980s. While war exclusions have been around for a long time, cyber attacks have not been a part of these wars until relatively recently. The forms that are sold change because insurers and policyholders better understand these risks and the issue guarantee can better respond to the need for coverage.
We live in a world where all wars will start as cyber wars … It is the combination of hacking and massive, well-coordinated disinformation campaigns.
– Jared Cohen