We share an exploration of our thoughts on this topic, at least as it currently stands, in the below white paper.
According to the Harvard Business Review, “Companies should start by ensuring their cyber risk assessments include a geopolitical component. In the age of cyber conflict, international tensions anywhere can cause collateral damage everywhere.”
War, terrorism and political risk are typically excluded from standard insurance policies because of the inability of insurance companies to accurately predict damages and therefore charge appropriate premiums. But this does not mean the coverage is not available – due to the high risks involved these coverages are either offered as separate policies or possibly as a special addition to a standard commercial property insurance policy. There may also be public/state-backed insurances available.
When the USA was attacked by terrorists on September 11, 2001, the President and Congress declared it an act of war. The entire business community felt the impact and almost every sector of the economy was damaged economically; the Property & Casualty (P&C) industry is said to have paid over $40 billion in insured losses. Consequently, the Terrorism Risk Insurance Act (TRIA) was passed.
Property insurers have long excluded “acts of war” from insurable damage that would otherwise receive payments, but property policies were never really intended to cover cyber risk – at least not without underwriting the exposure. Consequently, initiatives have been undertaken to address “silent cyber”.
Recent events have tested the industry further. How can insurers balance their need to exclude “war” in the context of the Information Age without jeopardizing intended coverage?
NotPetya – a wakeup call
In 2017 the NotPetya malware caused billions of dollars in damage worldwide, across Europe, Asia, and the Americas. To recover some of the damages, US-based Merck and Mondelez filed property insurance claims with their providers. Neither policy had an outright exclusion for cyber incidents, but both insurers denied the claims on the basis that the attack was part of Russian hostilities against Ukraine and, as a result, was subject to the standard “Acts of War” exclusion.
Both companies sued their property insurers over the refusal to cover costs. Mondelez’s case is still pending, but Merck won theirs on the basis that the language in question could reasonably be applied only to traditional forms of warfare. This is potentially precedent-setting, although it seems reasonable to expect it will be appealed (if it hasn’t been already).
Five years after the event itself the question of how P&C insurance policies treat cyber incidents remains uncertain.
Cyber insurers also have a challenge to address.
Knowing what we know about the prevalence of state-sponsored cyber-attacks, cyber insurers cannot simply exclude such attacks. Yet loss arising out of war and/or terrorism is excluded. We are left with a conundrum: when is a state-sponsored cyber-attack an act of war and when can it be deemed cyberterrorism?
The problems we find are mainly:
1) defining war
2) addressing attribution
3) treating collateral damage.
What is War?
For our purposes here, each cyber insurer may have its own definition of war, and many include other associated terms such as “insurrection”. Many also include “in support of war” and/or “whether war be declared or not”. How war is defined (or not defined) is a crucial consideration in how an exclusion will be applied. Vague terms describing acts by or on behalf of governments as “hostile or warlike” create further ambiguity.
What is cyberterrorism?
Unfortunately, it is a somewhat controversial term with no single definition; some definitions tie it to the type of threat actor, some to the intent, and some to the target.
The Merck decision went against their insurers because NotPetya was not followed by any physical acts or anything resembling what is considered traditional war. The situation today is very different.
“Now that Russia has invaded Ukraine, however, insurers may argue that the [war] exclusion applies to loss or damage caused by cyber-attacks that arise out of the Russia-Ukraine conflict because that conflict now looks more like a conventional war than it did when the Merck case was decided.” (https://www.reuters.com/legal/legalindustry/russia-ukraine-conflict-insurance-state-sponsored-cyberattacks-2022-03-25/)
Cyber insurance considerations
It appears there are three main frameworks currently in use by the cyber market for excluding war:
1. Two exclusions, one for war and one for terrorism; a carveback for cyberterrorism only applying to the terrorism exclusion.
This framework offers a limited argument for coverage.
It excludes loss arising out of “war”. It does not specify how an event will qualify to trigger the exclusion. It does not clarify how broadly the exclusion will apply: whether it applies only to assets specifically targeted in the war, or only to the parties at war, or to the parties at war and the allies supporting them, or more broadly also includes any collateral damage anywhere but arising out of the war.
For consideration, if NotPetya was happening today – would all or only part of the event be excluded? If Ukraine was the target, is there coverage for assets damaged by the malware but which reside outside of Ukraine?
Furthermore, only acts of terrorism that meet the definition of cyberterrorism would be considered for coverage. Coverage for cyberterrorism “arising out” of war could be challenged.
2. One combined war and terrorism exclusion with a carveback for cyberterrorism.
This framework allows for potentially ambitious readings for and against cover. It has all the same challenges described above with respect to how the exclusion will be triggered and how broadly it can be applied.
The argument for and against coverage hinges upon whether state sponsored cyber-attacks are deemed “war” or “cyberterrorism”.
In many instances, the definition of cyberterrorism may not specifically address how to treat a state-sponsored cyber-attack. Insureds will likely argue this silence can be interpreted in their favour.
From a non-lawyer’s perspective, the argument for coverage under this framework is clearer for cyberterrorism that is committed by parties not directly involved in war but which arises out of the war. For example, the threatened attacks by Anonymous on western companies still trading in Russia. The argument becomes less clear if Russia were to attack countries that have supported Ukraine’s defence with sanctions or by providing equipment, arms, and/or finances – acts which theoretically could be deemed tantamount to engaging in a proxy war.
3. The Lloyd’s Market Association (LMA) sample language.
By being threshold-based, this framework negates the need to define and carve back cyberterrorism and offers insureds a better chance of understanding what will trigger the exclusion and how broadly it can be applied.
The LMA has issued four versions: the 5564, 5565, 5566, and 5567 each offering progressively broader coverage. To paraphrase and oversimplify –
- The 5564 excludes war and/or state-sponsored cyber operations.
- The 5565, 5566, and 5567 exclude:
  - war and state-sponsored cyber operations “in the course of war”, and/or
  - “retaliatory” cyber operations between a defined list of specific nations, and/or
  - a cyber operation that has a “major detrimental impact to the functioning of a sovereign state by virtue of impacting essential services”.
Note, the thresholds are the key – the exclusion is triggered by questions of fact and/or degree, e.g.:
a. If the action is “retaliatory” and between specified states; and/or
b. If the impact is both Major and Detrimental (terms taken from the Tallinn Manual, https://en.wikipedia.org/wiki/Tallinn_Manual) to the state’s ability to function.
If an event meets the thresholds described above, the exclusion is triggered; however, the exclusion cannot be applied without meeting the specific attribution requirements.
Attribution (see links below)
The primary but not exclusive factor in determining attribution under the LMA versions is tied to the government of the state (including its intelligence and security services) in which the damaged assets are physically located attributing the cyber operation to another state or those acting on its behalf.
Furthermore, if the exclusion applies:
- The 5565 includes sub-limits to cover “any other cyber operation”.
- The 5566 removes the sub-limits for “any other cyber operation”.
- The 5567 offers carveback for collateral damage deemed bystanding cyber assets. The 5567 also has a higher threshold for retaliatory attacks.
War exclusions are required by standard insurances, but in their current form they may lead to lengthy coverage discussions, which may escalate to ADR proceedings (if the policy allows) and, as a last resort, coverage litigation which, as we have seen, can linger on unsettled for years.
The LMA War clauses move the conversation forward; away from debates fundamental to understanding the trigger and scope of the war exclusion and instead to debates over nuanced practicalities, including for example timing of payments. There is always room for improvement but even as currently drafted, the LMA War clauses are clearer than many of the available alternatives.
Take away tips
As a best practice, companies should seek clarification from their current commercial property insurers about how their policies will interpret the war exclusion and whether there are other considerations with respect to cyber risk, state-sponsored cyber-attacks and physical damage.
Companies should also seek clarification from their current cyber insurers about how their policies will interpret the war exclusion. Public information available about known state-sponsored events such as 2007 Estonia, 2012 Saudi Aramco, 2014 Sony Pictures, 2017 WannaCry, 2017 NotPetya, and 2021 Colonial Pipeline can be used as test scenarios to illustrate how coverage would or would not respond.
Companies with assets that are exposed to war or terrorism or damage through political violence should enquire about standalone cover from a specialist insurer.
For further information about this topic please contact Lyndsey Bauer firstname.lastname@example.org
Please find a link to the four LMA exclusions.
Please find links to examples of formal attribution by the US government (including its intelligence and security services).