Does your cyber insurance policy cover cyber warfare?


Despite your best efforts to prevent it, you are hit by a massive cyberattack. It may be a data breach, a ransomware attack, or a supply chain disruption. You hire a forensic team, work with law enforcement, and discover the likely perpetrators were hackers in Russia, possibly working with the Russian government. You file a claim against your comprehensive cyber insurance policy for damages, losses and restoration costs covered by the policy. Pretty typical.

But the insurer refuses to pay.

They cite language in your comprehensive property damage insurance policy that excludes coverage for any “hostile or warlike action on the part of a nation-state or its agency.” A data breach or cyber attack is certainly hostile, and the origin of the attack was likely an agent of a nation-state. So, does that language prevent coverage?

War [Exclusions]. Hmm. What are they for?

The war exclusion, like similar exclusions in insurance policies for acts of terrorism and certain acts of God, is intended to separate ordinary claims from extraordinary risks and claims not covered by the policy. Extraordinary costs resulting from extraordinary risks, such as war and terrorism, are generally not the subject of insurance, but rather are considered a government problem.

The problem is that most cyberattacks are hybrid. Russian hackers may use tools or techniques identical to those used by state-sponsored hackers, even when they are not working for the state. The truth is that while state-sponsored attacks may be more sophisticated or disruptive, for a victim there is often little difference between a state-sponsored attack and an attack independent of a state actor.

In June 2017, New Jersey-based pharmaceutical giant Merck fell victim to a massive malware attack (a NotPetya attack) that spread to more than 40,000 computers and caused an estimated 1.4 billion dollars of losses (including lost revenue). The company had cyber insurance policies with a number of carriers, including Chubb, AIG, Zurich and Liberty Mutual, and eight reinsurers, including Hannover Re, Munich Re and Generali. Merck had so-called all-risk insurance policies that specifically covered losses resulting from damage to or loss of use of computer hardware, software, and data. The all-risks policy was a special type of insurance which extended to risks usually not contemplated and which, in the absence of evidence of fraud or fault on the part of the insured, presumed that all risks were covered unless expressly excluded.

The NotPetya attack was later attributed not only to Russian hackers, but likely to Russian hackers working with the Russian government. Like more recent attacks, the series of NotPetya attacks appears to have been targeted by the Russian government as part of an overall cyber warfare strategy against interests in Ukraine.

On December 6, 2021, the New Jersey Superior Court in Union County ruled that the wording of insurance policies that excluded coverage for loss or damage caused by “hostile or warlike action in time of peace or war” “by any government or sovereign power or by any authority maintaining or using military, naval or air force” or by any agent of such a government does not apply to cyberattacks, such as the one that caused 1.4 billion dollars in losses at Merck.

So, was the distribution of NotPetya malware a “hostile or warlike action” that would be excluded from coverage, or was it a general risk?

In Merck Co. Inc. et al. vs. ACE American Insurance Co. et al., Case Number UNN L 002682-18, the court reviewed the history of similar cases in which the “act of war” exclusion was invoked (e.g., embezzlement and destruction of an airplane by terrorists, the death of a Korean War soldier from a mine explosion, the destruction of a warehouse in a war zone by flares dropped from an airplane, disruption caused by Hamas rocket fire into Israel, collision with a ship during wartime but not caused by war, damage to the Holiday Inn hotel in Beirut caused by warring factions) and concluded that war means… well, war. The court noted that “no court has applied a war (or hostile acts) exclusion to anything close to the facts here”. The New Jersey court observed that the wording of the policy had been the same for many years, long before there was a threat of cyberattacks, and that if the insurer wanted to exclude cyberattacks by state actors motivated by political or military purposes, it might have changed the wording of the exclusion. “The insurer did nothing to change the wording of the exemption to reasonably inform this insured that they intended to exclude cyberattacks. They certainly had the ability to do so.”

Takeaways

While the Merck case is important, especially for litigants, there are some clear caveats to beware of. First, Merck (and insurers) relied on the old language in a comprehensive policy, not a specific exclusion under a data breach, cyber risk, or similar policy. Had the exclusion been clearer or the policy more directed, a court might have concluded differently. Second, the wording of the exclusion, in addition to being old, was simply vague, and vague language in insurance exclusions is generally read for the benefit of the insured. Third, it is important to read and negotiate the terms of each policy individually. If a cyber policy excludes damage resulting from actions of state actors, what level of evidence is needed to show that the exclusion applies? Must the damages be caused by the actions of the state actor, or may they merely be a result of the action (damages caused by an attack versus losses due to the cost of investigating an attack, one being damage and the other a loss)? Must the attack be the result of the activities of a nation-state (e.g. people in khaki), or should we look at the motive of independent contractors or hackers? Must there be an agency relationship between the threat actor and the nation-state for the exclusion to apply? Do the exclusions apply to unauthorized acts of state agents? To factions? Terrorist groups? Remember that you are buying insurance to cover damages and losses. Exclusions that remove this coverage must be read closely to achieve a legitimate purpose.

The case also represents a recurring trend in cyber insurance of insurers underwriting and issuing policies, accepting premiums and often trying to find a reason not to pay claims, requiring endless litigation to get paid. Or in other words, the insurance business.

Best advice: read your policies and understand your risks. And don’t locate your server farm in a war zone.


