War exclusions in cyber policies – an insurance litigator’s perspective

War exclusions in cyber policies are causing a good deal of controversy in the legal world. This article considers the challenge of determining the scope of ‘war exclusions’ in cyber policies. If applied too broadly – for example, if a purely financially motivated ransomware attack on a private company were treated as falling within the exclusion because it is a ‘hostile act’ – such exclusions would deprive a cyber policy of much of the benefit of the cover. On the other hand, if the exclusion is read narrowly as applying only to ‘traditional’ war, it might be redundant, since the losses arising from such a war would never fall within a cyber policy’s insuring clauses in the first place. So which cyber acts should properly come within a war exclusion?

Defining war

The dictionary defines war as ‘a state of usually open and declared armed hostile conflict between states or nations.’ The essential elements of the traditional concept are that a war is declared conflict; that it is armed (so involves bullets, bombs, tanks); and that it is between different states. But cyber warfare does not neatly fit that definition. Few, though, would deny that if (say) Russia launched a crippling cyberattack on the NHS in retaliation for the UK’s provision of arms to Ukraine, that would be a warlike act, even without a declaration of war or a single bullet being fired.

One problem is that, historically, war exclusions have not contained a definition of ‘war’. Such exclusions might apply to loss arising from “any war, invasion, military action (whether war is declared or not), civil war, or warlike operations…”. Without a definition of those terms, it is left to the whim of the court to decide what they should mean in a particular context. In Pan Am v Aetna, a case arising from a 1970 hijacking, a US court decided that the war exclusion in an aviation policy did not apply to damage caused by the hijackers, because war occurs between sovereign nations and the hijackers were agents of a political group rather than of a sovereign government. In January 2022, in Merck v Ace American, the New Jersey court ruled on the application of a war exclusion to the massive losses caused to the pharmaceutical giant by the NotPetya malware. The court held that the exclusion did not apply, on the basis that no court had ever found that such an exclusion applied to anything other than traditional war, in other words ‘armed conflict’: if the insurers had wanted the exclusion also to apply to cyberattacks, they could have said so.

The Merck decision is open to criticism. There was nothing in the wording of the war exclusion under consideration in that case which indicated that it should not apply to cyberattacks. The fact that previous courts had never interpreted war exclusions as applying to cyberattacks is not a strong point: previous courts had simply never been asked to determine the issue. If it could be shown that a cyberattack was intended by one state to have kinetic effects on another state (that is, to result in property damage or bodily harm), and/or to cause it widespread economic or infrastructure damage, it seems strongly arguable that such an attack should be caught by the exclusion. The correct question of interpretation is whether the parties to a cyber policy (policyholder and insurer) would objectively regard such cyberattacks as constituting acts of war; in today’s world, they might well do so.

Clarifying war exclusions

One way of creating greater certainty in the application of war exclusions, and of minimising the risk of arbitrary court interpretations, is to draft exclusions that define the key concepts. In December 2021 the Lloyd’s Market Association (LMA) published four model war exclusions for use in cyber policies. Their definitions of war include the use of physical force by a state against another state, whether war be declared or not; and they define ‘cyber operation’ as “the use of a computer system by or on behalf of a state to disrupt, deny, degrade, manipulate or destroy information in a computer system of or in another state.” The requirement of physical force within the exclusions’ definition of war means that (except, perhaps, in the case of cyberattacks intended to have kinetic effects) a cyberattack is unlikely to fall within that definition; the work of excluding cyberattacks is therefore done by the ‘cyber operation’ limb.

As to whether a cyberattack is a ‘cyber operation’, it will have to be shown (among other things) that the attack was by, or on behalf of, one state against another state. Attribution of the cyberattack to a state is therefore a key issue arising under the LMA clauses. These being exclusion clauses, the burden of proving attribution lies on the insurer. The clauses provide various ways in which the insurer might discharge that difficult burden: the primary factor is whether the government of the state in which the affected computer system is located attributes the attack to another state, but the insurer is also entitled to rely on “such other evidence as is available” and on “an inference which is objectively reasonable as to attribution”.

The LMA clauses have come under some criticism, including on the basis that these means of proving attribution are undefined and vague, so that it remains unclear in what circumstances an insurer will have proved that a given cyberattack was by or on behalf of one state for the purpose of disrupting the computer system of another state. But they are to be applauded for bringing greater certainty to what is contemplated by ‘war’, by defining that term along with ‘cyber operation’. Inevitably, there will remain scope for argument as to whether such exclusions should apply to any given set of facts. For example, it may remain unclear whether war exclusions should apply to collateral damage situations, where malware created for the purposes of a warlike cyberattack (like NotPetya) has got ‘into the wild’ and infected the systems of a policyholder who was not the intended victim. But the LMA exclusions, in defining the key concepts, take a commendable step towards enabling insurers to exclude more clearly from cyber policies those cyberattacks which, on any modern view, are properly regarded as acts of war.

Disclaimer: The opinions expressed in this commentary are those of the author and do not reflect the opinions of Lockton.

For more information, visit our Cyber and Technology page.