With the United States and much of the rest of the world imposing economic sanctions on Russia in response to its invasion of Ukraine, experts are warning of the possibility of retaliation by Russia in the form of cyber attacks. These attacks may be aimed at businesses as well as governmental entities.
In this environment, it is important for businesses to understand how their insurance policies are likely to respond to losses caused by cyber attacks and what steps they can take to prevent or minimize losses.
Standard commercial property insurance policies provide very little coverage for the destruction or corruption of electronic data; the built-in amount is $2,500. A similarly small amount of coverage applies to resulting business income or extra expense losses of this type. Furthermore, cyber exclusions can call coverage for loss to other property into question, although most commercial property policies' cyber exclusions will preserve coverage for a resulting fire or explosion. Also, nonstandard war exclusions in commercial property policies could prevent coverage, even for ensuing fire.
The remainder of this article will focus on cyber-insurance policies.
Coverage under Cyber-Insurance Policies
Insureds under cyber-insurance policies should be cautioned against expecting coverage for cyber attacks stemming from Russia's invasion of Ukraine and subsequent related incidents. While there is no "standard" wording used in the war exclusions found in cyber-insurance policies, they are nearly always worded with the broad preamble of "based upon, arising out of, directly or indirectly involving, or in consequence of.…" This wording excludes losses not only directly from warfare but also from attacks simply related to warfare.
Moreover, the outbreak of physical, "kinetic" warfare in Ukraine gives the broadly worded war exclusions typically found in cyber-insurance policies even more weight than they carry for cyber incidents that occur in the absence of any actual physical warfare. Recent litigation involving war exclusions, such as Mondelez Int'l, Inc. v. Zurich Am. Ins. Co., Case No. 2018-L-011008 (Cir. Ct., Cook Cnty.), and Merck & Co., Inc. v. Ace Am. Ins. Co., Case No. UNN-L-002682 (N.J. Super. Ct. Law Div. 2018) (both involving the 2017 NotPetya attack), did not involve actual "boots on the ground" or physical warfare, leaving more room for courts to find coverage in favor of insureds (as they did in Merck). (Also, both of those situations involved more traditionally worded war exclusions in the insured's commercial property policies.) This would likely not be the case for incidents stemming from Russia's invasion of Ukraine, which falls under the simplest definition of physical warfare found in relevant exclusions.
Nuances in War Exclusion Wording under Cyber-Insurance Policies
While cyber-insurance coverage should not be expected for attacks related to Russia's invasion of Ukraine, this development nevertheless provides an opportunity for insureds to review exactly how their policies' war exclusions are worded. Some phrasings limit coverage more than others, but there are also ways that insureds can slightly broaden their chances for future coverage related to nonphysical warfare.
In November 2021, a Lloyd's Market Association Bulletin released four draft war exclusions to act as a guideline for commercial cyber insurers. We can draw out some of these wording nuances from those drafts. Some broaden the exclusion (less favorable for insureds), while others narrow the scope of the exclusion (more favorable for insureds).
Exclusion of both "war" and "cyber operations" (broadens the scope of the exclusion)
Less stringent requirements for attribution of an attack to a state (broadens the scope of the exclusion)
Excludes operations by or on behalf of a state (broadens the scope of the exclusion)
Specifically excludes retaliatory operations between specified states (broadens the scope of the exclusion)
Excludes losses involving detrimental impact on essential services (broadens the scope of the exclusion)
Bystanding cyber assets carveback for assets located away from an impacted state (narrows the scope of the exclusion)
"Cyber-terrorism" carveback (narrows the scope of the exclusion)
In sum, war exclusions in cyber policies are generally broadening in scope, and draft exclusions such as the ones from Lloyd's are furthering that trend.
The ongoing hard market in cyber insurance may make these specific points difficult to negotiate, but insureds and their representatives should explore them.
Cyber-Attack Risk Management
In the meantime, here are five steps insureds can take to be proactive about protection against cyber attacks.
Make cyber security a board-level issue.
Engage a public relations firm ahead of time and have a plan following an incident.
Have a forensic investigation and system response plan.
Have a response team organization chart.
Conduct tabletop exercises (a service that is often offered by cyber insurers) to work through cyber-attack scenarios.
Opinions expressed in Expert Commentary articles are those of the author and are not necessarily held by the author's employer or IRMI. Expert Commentary articles and other IRMI Online content do not purport to provide legal, accounting, or other professional advice or opinion. If such advice is needed, consult with your attorney, accountant, or other qualified adviser.