Introduction
“Cyber-war” refers to state-backed attacks that are systemic in nature, extending across organisations and targeting all component parts of a system. In 2017, NotPetya malware was used to target numerous companies, including Merck: its all-risk insurers alleged that the cyber-attack arose from "hostile or warlike action," and were thus excluded by a war exclusion in the policy. The New Jersey Superior Court disagreed, judging that if insurers wished to exclude cyber-war (as opposed to "physical" acts of war) from their policies, they should have done so explicitly. Cue much excitement in the market about implementing appropriate cyber-war exclusions in cyber policies (which itself follows historic attempts to include broad cyber exclusions in non-cyber policies). Lloyd's of London, for instance, mandates the use of cyber-war exclusions in cyber policies. See Market Bulletin Y538.
Approaches
As written in The Insurer, "there is the danger…that unless specific advice is given to clients on the cover that they're buying, that there may be differences of opinion as to how wide that cover actually is."Different insurers have adopted alternative solutions to the cyber-war issue, with varying forms of exclusion being implemented in the market. Moreover, some insurers are offering standalone cyber-war policies and buyback options to their customers.
Narrow vs broad language: Insurers are divided regarding the potential breadth of cyber-war exclusions. Some have adopted a narrow approach to such exclusions, with certain “war-adjacent” claims continuing to receive coverage. Conversely, others prefer a much broader approach to exclusions.
Cyber-war buyback options and standalone offerings: Lloyd's, for instance, appears to be establishing a freestanding cyber-war market in addition to the (still relatively young) "general" cyber insurance market. Managing General Agents have been authorised by Lloyd's to begin offering a war exclusion buyback option in cyber policies. Some insurers have also begun underwriting standalone cyber-war policies.
Alternative markets: The prescriptive approach taken by Lloyd's to cyber-war exclusions opens up scope for flexibility in alternative markets. Bermuda carriers have already indicated a willingness to be flexible in the application of cyber-war exclusions as a means of tempting (re)insureds away from London.
In the US, there is a similar mix of approaches. The contra proferentem approach taken against insurers in the Merck decision, especially in the face of the US government's explicit attribution of the attack to officers of the Russian GRU, encouraged many insurers to incorporate new exclusions in cyber policies relating to state-sponsored cyber-attacks, following the Lloyd's example. Others have cut coverage for cyber-attacks affecting "critical infrastructure," such as stock exchanges and mobile networks, or introduced coverage caps on outages lasting more than 72 hours.
There have also been more narrow approaches than the Lloyd's-compliant exclusions from US insurers not selling through the Lloyd's marketplace. One global insurer has increased the average cyber coverage limit from $5m to $10m, while another is said to be asking fewer questions to prospective policyholders for quicker underwriting, which has been attractive to many businesses.
Issues
Currently, definitional issues are causing the greatest uncertainty for insurers: how does one define cyber-war and what is its scope? No single answer has garnered widespread acceptance and Lloyd’s introduction of model exclusions to attempt to address concerns introduces new, ambiguous terms. There are a few reasons for this.
Attribution: Clearly identifiable state-on-state conflicts are becoming ever rarer, making it difficult to identify what is war and what is not. Moreover, to fall under a cyber-war exclusion, an attack must be attributable to a state, which may become a burdensome requirement. Coverage may be dependent on a government's willingness to accept the risks of attributing notoriously hard-to-trace cyber-attacks and potentially giving away intelligence strategies, which the US, in particular, previously had been reluctant to do.
Scope: Although several cyber-exclusions include state-sponsored cyber-attacks outside the context of war, they need to be a “widespread event” with a “major detrimental impact” in order to be encompassed within the exclusion. Naturally, determining how to quantify these requirements could be a challenge.
Causation: The level of causation required for loss to be considered a result of war-like action also complicates matters, given that the majority of claims are not from companies that were direct targets, but instead from those that were collateral damage. Often the location and time of damage suffered by the insured in relation to the attack will have to be considered.
Navigating different approaches taken by (re)insurers on this subject can be difficult, and the future of cyber-war coverage (or the lack thereof) remains uncertain. Increasing geopolitical tensions – epitomised by the war in Ukraine – and the increased frequency of state-endorsed malware attacks have left certain insurers reluctant to underwrite war‑related risks, either affirmatively or inadvertently. While there are widespread concerns that cyber-war might entail immense risk for insurers, this fear has yet to materialise at scale.
Authored by Jasmeet Ahuja, and Charlie Shute.
