War exclusions under the spotlight as cyber-attacks increase
27 July 2022
The worrying increase in worldwide cyber-attacks, including state-sponsored incidents, has highlighted the need to reform traditional war exclusions to reflect the changing insurance landscape.
With cyberwarfare becoming an accepted part of a nation's arsenal alongside traditional military force, as witnessed in the ongoing war in Ukraine, the insurance industry needs to establish clear demarcation lines for what is excluded from coverage.
The situation is complicated by state-sponsored cyber incidents, which can be difficult to prove because technology can be used to mask the true identity of the cyber attacker.
As defined by the Oxford Dictionary (2016): “Cyberwarfare is the use of computer technology to disrupt the activities of a state or organisation, especially the deliberate attacking of information systems for strategic or military purposes.”
At present, the insurer must prove that a cyber-attack was a warlike action by a government or sovereign power rather than a criminal or terrorist act which may be covered by the policy.
In June 2017, data-destroying malware called NotPetya, which the CIA concluded with "high confidence" was created by Russia’s GRU military spy agency, wiped data from the computers of banks, energy firms, senior government officials and an airport, causing an estimated Euros 9.8 billion ($10 billion) in losses.
It crippled multinational companies including Maersk, pharmaceutical giant Merck, FedEx’s European subsidiary TNT Express, French construction company Saint-Gobain, food producer Mondelez, and manufacturer Reckitt Benckiser. In each case, it inflicted nine-figure costs and even spread back to Russia, striking the state oil company Rosneft.
Mondelez, headquartered in Chicago, and Merck, a German multinational science and technology company with headquarters in Darmstadt, both claimed under their respective 'all-risks' property insurance. The companies had their claims rejected on the basis of a war exclusion clause and responded by filing suits against their respective insurers. Merck won its case over coverage for Euros 1.3 billion ($1.4 billion) in losses while the Mondelez case against Zurich Insurance Group Ltd is ongoing.
Following the NotPetya attacks, the insurance industry has sought explicit exclusions in non-cyber policies to minimise exposure to 'silent cyber'. As a result, the Bermuda Monetary Authority now requires insurers to clarify whether or not they offer cyber coverage in non-cyber policies incepting 1 January 2024, either by including clear exclusion language or by adding the necessary endorsement to the policies.
As yet, it is unclear what level of nation-state involvement is necessary in order for the act to be attributed to it, and insurers who offer cyber insurance are reluctant to provide coverage for state-sponsored cyber-attacks.
There is also the concern that governments may be more likely to initiate state-sponsored cyber-attacks if the resulting cyber losses will be mitigated by insurance pay-outs.
In response, Lloyd's Market Association last year issued four new cyber war and cyber operation exclusion clauses which allow for a scalable approach to coverage for cyber operations which are not excluded by the definition of war, cyber war or cyber operations and which have a major detrimental impact on a state.
The Geneva Association, a global association of insurance companies, and the International Forum of Terrorism Risk (Re)Insurance Pools have proposed the introduction of a special category of hostile cyber activity to provide additional granularity to cover malicious incidents beyond cyber terrorism but not involving cyber warfare.
Fitch Ratings, the American credit rating agency, believes increased cyber-attacks have caused elevated losses; cyber insurance companies have responded by increasing premiums and requiring better cyber hygiene from policyholders, such as multifactor authentication.