With the United States and much of the rest of the world imposing economic
sanctions on Russia in response to its invasion of Ukraine, experts are warning
of the possibility of retaliation by Russia in the form of cyber attacks. These
attacks may be aimed at businesses as well as governmental entities.
In this environment, it is important for businesses to understand how their
insurance policies are likely to respond to losses caused by cyber attacks and
what steps they can take to prevent or minimize losses.
Standard commercial property insurance policies provide very little coverage
for the destruction or corruption of electronic data; the built-in amount is
$2,500. A similarly small amount of coverage applies to resulting business
income or extra expense losses of this type. Furthermore, cyber exclusions can
call coverage for loss to other property into question, although most
commercial property policies' cyber exclusions will preserve coverage for a
resulting fire or explosion. Also, nonstandard war exclusions in commercial
property policies could prevent coverage, even for ensuing fire.
The remainder of this article will focus on cyber-insurance policies.
Coverage under Cyber-Insurance Policies
Insureds under cyber-insurance policies should be cautioned against
expecting coverage for cyber attacks stemming from Russia's invasion of
Ukraine and subsequent related incidents. While there is no
"standard" wording used in the war exclusions found in
cyber-insurance policies, they are nearly always worded with the broad preamble
of "based upon, arising out of, directly or indirectly involving, or in
consequence of.…" This wording excludes losses not only directly from
warfare but also from attacks simply related to warfare.
Moreover, the outbreak of physical, "kinetic" warfare in Ukraine
gives the broadly worded war exclusions typically found in cyber-insurance
policies even more weight than they would carry for cyber incidents occurring
in the absence of any actual physical warfare. Recent litigation involving war
exclusions, such as Mondelez Int'l, Inc. v. Zurich Am. Ins. Co., Case No.
2018-L-011008 (Cir. Ct., Cook Cnty.), and Merck & Co., Inc. v. Ace Am.
Ins. Co., Case No. UNN-L-002682 (N.J. Super. Ct. Law Div. 2018) (both
involving the 2017 NotPetya attack), did not involve
actual "boots on the ground" or physical warfare, leaving more room
for courts to find coverage in favor of insureds (as they did in
Merck). (Also, both of those situations involved more traditionally
worded war exclusions in the insured's commercial property policies.) This
would likely not be the case for incidents stemming from Russia's invasion
of Ukraine, which falls under the simplest definition of physical warfare
found in relevant exclusions.
Nuances in War Exclusion Wording under Cyber-Insurance Policies
While cyber-insurance coverage should not be expected for attacks related to
Russia's invasion of Ukraine, this development nevertheless provides an
opportunity for insureds to review exactly how their policies' war
exclusions are worded. Some phrasings limit coverage even more than others,
but there are also ways that insureds can slightly broaden their chances for
future coverage related to nonphysical warfare.
In November 2021, a Lloyd's Market Association Bulletin released four
draft war exclusions to act as a guideline for commercial cyber insurers. We
can draw out some of these wording nuances from those drafts. Some broaden the
exclusion (less favorable for insureds), while others narrow the scope of the
exclusion (more favorable for insureds).
- Exclusion of both "war" and "cyber operations" (broadens the scope of the
exclusion)
- Less stringent requirements for attribution of an attack to a
state (broadens the scope of the exclusion)
- Excludes operations by or on behalf of a state (broadens the scope of the
exclusion)
- Specifically excludes retaliatory operations between specified
states (broadens the scope of the exclusion)
- Excludes losses involving detrimental impact on essential
services (broadens the scope of the exclusion)
- Bystanding cyber assets carveback for assets located away from an
impacted state (narrows the scope of the exclusion)
- "Cyber-terrorism" carveback (narrows the scope of the exclusion)
In sum, war exclusions in cyber policies are generally broadening in scope,
and draft exclusions such as the ones from Lloyd's are furthering that
trend.
The ongoing hard market in cyber insurance may make these specific points
difficult to negotiate, but insureds and their representatives should explore
them.
Cyber-Attack Risk Management
In the meantime, here are five steps insureds can take to be proactive about
protection against cyber attacks.
- Make cyber security a board-level issue.
- Engage a public relations firm ahead of time and have a plan following an
incident.
- Have a forensic investigation and system response plan.
- Have a response team organization chart.
- Conduct tabletop exercises (a service that is often offered by cyber
insurers) to work through cyber-attack scenarios.