Coverage for Cyber Attacks in a Time of War

In this environment, it is important for businesses to understand how their insurance policies are likely to respond to losses caused by cyber attacks and what steps they can take to prevent or minimize losses.

Standard commercial property insurance policies provide very little coverage for the destruction or corruption of electronic data; the built-in amount is $2,500. A similarly small amount of coverage applies to resulting business income or extra expense losses of this type. Furthermore, cyber exclusions can call coverage for loss to other property into question, although most commercial property policies' cyber exclusions will preserve coverage for a resulting fire or explosion. Also, nonstandard war exclusions in commercial property policies could prevent coverage, even for ensuing fire.

The remainder of this article will focus on cyber-insurance policies.

Coverage under Cyber-Insurance Policies

Insureds under cyber-insurance policies should be cautioned against expecting coverage for cyber attacks stemming from Russia's invasion of Ukraine and subsequent related incidents. While there is no "standard" wording used in the war exclusions found in cyber-insurance policies, they are nearly always worded with the broad preamble of "based upon, arising out of, directly or indirectly involving, or in consequence of.…" This wording excludes losses not only directly from warfare but also from attacks simply related to warfare.

Moreover, the breakout of physical, "kinetic" warfare in Ukraine gives the broadly worded war exclusions typically found in cyber-insurance policies even more weight compared to cyber incidents in the absence of any actual physical warfare. Recent litigation involving war exclusions like Mondelez Int'l, Inc. v. Zurich Am. Ins. Co., Case No. 2018-L-011008 (Cir. Ct., Cook Cnty.), and Merck & Co., Inc. v. Ace Am. Ins. Co., Case No. UNN-L-002682, (N.J. Super. Ct. Law Div. 2018), (both involving the 2017 NotPetya attack) did not involve actual "boots on the ground" or physical warfare, leaving more room for courts to find coverage in favor of insureds (as they did in Merck). (Also, both of those situations involved more traditionally worded war exclusions in the insured's commercial property policies.) This would likely not be the case for incidents stemming from Russia's invasion of Ukraine, which falls under the most simple definition of physical warfare found in relevant exclusions.

Nuances in War Exclusion Wording under Cyber-Insurance Policies

While cyber-insurance coverage should not be expected for attacks related to Russia's invasion of Ukraine, this development nevertheless provides an opportunity for insureds to review exactly how their policies' war exclusions are worded. Different phrasings can limit coverage even more so than other versions of exclusions, but there are also ways that insureds can slightly broaden their chances for future coverage related to nonphysical warfare. 

In November 2021, a Lloyd's Market Association Bulletin released four draft war exclusions to act as a guideline for commercial cyber insurers. We can draw out some of these wording nuances from those drafts. Some broaden the exclusion (less favorable for insureds), while others narrow the scope of the exclusion (more favorable for insureds).

• Exclusion of both "war" and "cyber operations" (broadens the scope of the exclusion)

• Less stringent requirements for attribution of an attack to a state (broadens the scope of the exclusion)
• Excludes operations by or on behalf of a state (broadens the scope of the exclusion)
• Specifically excludes retaliatory operations between specified states (broadens the scope of the exclusion)
• Excludes losses involving detrimental impact on essential services (broadens the scope of the exclusion)
• Bystanding cyber assets carveback for assets located away from an impacted state (narrows the scope of the exclusion)
• "Cyber-terrorism" carveback (narrows the scope of the exclusion)

The ongoing hard market in cyber insurance may make these specific points difficult to negotiate, but insureds and their representatives should explore them. Subscribers  to The Betterley Report can access more information to compare how different insurers word their war-related exclusions in cyber-insurance policies at the links below.

Cyber-Attack Risk Management

In the meantime, here are five steps insureds can take to be proactive about protection against cyber attacks. 

• Make cyber security a board-level issue.
• Engage a public relations firm ahead of time and have a plan following an incident.
• Have a forensic investigation and system response plan.
• Have a response team organization chart.
• Conduct tabletop exercises (a service that is often offered by cyber insurers) to work through cyber-attack scenarios.

Links to More Information for Subscribers to IRMI Reference Services

IRMI subscribers can find more detailed information on these topics below. Not subscribed? Make sure to view our Product Catalog to find the IRMI product that is right for you.

Coverage and Exclusionary Wording 

• Cyber-Insurance War Exclusions (IRMI Online subscribers)
• Cyber-Insurance War Exclusions (ReferenceConnect subscribers)
• The Betterley Report—"Cyber/Privacy Insurance Market Survey—2021" (IRMI Online subscribers)
• The Betterley Report—"Cyber/Privacy Insurance Market Survey—2021" (Vertafore subscribers)

Risk Management and Loss Control 

• "Developing a Cyber Event Response Plan" (IRMI Online subscribers)
• "Developing a Cyber Event Response Plan" (ReferenceConnect subscribers)
• "Cyber and Privacy Loss Control" (IRMI Online subscribers)
• "Cyber and Privacy Loss Control" (ReferenceConnect subscribers)