The recent conflict between Russia and Ukraine and the potentially related cyberattacks have brought heightened focus on war exclusions in cyber insurance policies. The applicability of the exclusion to any claim depends entirely on the language of the policy and the factual circumstances of the attack. It is impossible to predict in advance whether a war exclusion will apply. Nevertheless, knowledge of how war exclusions have been interpreted in the past can be useful in evaluating the applicability of the exclusion under the current circumstances.
War exclusions interpreted
War exclusions come in many different forms and are part of many insurance policies, including cyber insurance policies. There is no standard war exclusion wording in cyber insurance policies, but the following is illustrative:
Based upon or arising out of:
War, including undeclared or civil war;
Warlike action by a military force, including action in hindering or defending against an actual or expected attack, by any government, sovereign or other authority using military personnel or other agents; or
Insurrection, rebellion, revolution, usurped power, or action taken by governmental authority in hindering or defending against any of these.
For the avoidance of doubt, this exclusion does not apply to cyberterrorism.
A typical definition of cyberterrorism is:
Cyberterrorism means the use of disruptive activities directly or indirectly against a computer system by an individual or group of individuals, or the explicit threat by an individual or group of individuals to use such activities, with the intention to cause harm, further social, ideological, religious, political or similar objectives, or to intimidate any person(s) in furtherance of such objectives. Cyberterrorism does not include any such activities which are part of or in support of any military action, war or warlike operations.
War exclusions have been litigated in courts for decades. To the best of Lockton’s knowledge, no court has considered the exclusion in a cyber policy. Nevertheless, decisions under other policies are instructive with respect to how insurers, and courts, may interpret the exclusion.
U.S. decisions interpreting war exclusions have adopted two different analytical approaches. The first, and older, approach is technical, focusing on whether a specific conflict is a formally declared war. The second approach, which is used by courts today, is to interpret “war” to mean what ordinary people think it means. Courts look at the factual context of a conflict and look for indicia of war such as whether the combatants wore uniforms, the organization of the combatants, and the types of weapons used. Courts also look at the act that caused the loss. In the U.S., this “common meaning” approach is seen as being most consistent with the legal requirement that insurance policies be construed according to the reasonable expectations of the people that buy them.
U.S. courts have provided useful guidance concerning what they believe constitutes “war” in the minds of ordinary people. In Pan American World Airways, Inc. v. Aetna Cas. & Sur. Co.1 (opens a new window) a Pan Am flight was hijacked in the air over London and although the hijackers allowed the passengers off the plane, the plane was destroyed in Cairo with explosives obtained in Beirut. Pan Am made a claim under its all-risk aviation policies. The insurers denied coverage on the basis that war exclusions applied. Pan Am also made a claim under war risk policies. The war risk insurers took the position that coverage was not available because the war exclusions in the all-risk policies did not apply.
The court agreed with the war risk insurers. It found that the war exclusions in the all-risk policies did not apply because “war is a course of hostility engaged in by entities that have at least significant attributes of sovereignty,” and that the hijackers “were the agents of a radical political group, rather than a sovereign government.” The court reasoned that the exclusions did not apply because the hijackers’ acts were criminal rather than military.
More recently, in Merck & Co., Inc., et al. v. ACE American Ins. Co.,2 (opens a new window) the pharmaceutical firm sued its property insurer for losses sustained as a result of a cyberattack. Merck was the victim of the NotPetya malware reportedly launched against Ukraine by parties affiliated with the Russian military. As a result of the attack, Merck’s operations were disrupted globally because it was unable to produce vaccines and fulfil orders for products resulting in losses of $1.4 billion (USD). The insurer denied the claim, arguing that the war exclusion applied because NotPetya, “was an instrument of the Russian Federation as part of its’ ongoing hostilities against the nation of Ukraine.”
The court disagreed. The court decided that the war exclusion did not apply because it did not clearly include cyberattacks. Under those circumstances, Merck, “had every right to anticipate that the exclusion applied only to traditional forms of warfare.”
Cyber insurers will certainly consider whether a cyberattack against targets in Ukraine or Russia triggers a war exclusion in light of these and other court decisions. However, it is important to note that U.S. decisions may have little or no precedential value in other countries. Lockton believes the U.S. courts’ reasoning is sound, and we are hopeful that insurers in other jurisdictions would adopt it when a claim is presented.
An insurer’s analysis of a claim and the war exclusion will be very fact dependent. It is not always easy to establish responsibility for a cyberattack, especially with the anonymity that cyberspace provides. Attribution depends on many different factors that may not be conclusive. The attribution process can take a long time. Insurers therefore may not invoke the exclusion for fear of ending up in expensive litigation with their policyholders that they cannot be highly confident of winning.
We have seen third parties waging cyberattacks against Russia and Ukraine. For example, the hacking group Anonymous has tweeted (opens a new window) that it is engaged in cyber war with Russia. Would a war exclusion apply to an attack by a third party that is sympathetic with one side in the conflict? While the better interpretation should be that the exclusion does not apply because Anonymous is not an entity with “significant attributes of sovereignty,” it remains to be seen what position insurers will take.
A strong argument can be made that a war exclusion is not triggered by cyberattacks affecting parties that are strangers to the conflict and that have done nothing to put themselves in harm’s way. As the Merck (opens a new window)court noted (relying on earlier decisions from the U.S. federal courts and from English courts), the remote consequences of hostilities do not support application of a war risk insurance policy and, by extension, a war exclusion. That reasoning appears to support arguments that a war exclusion does not apply to losses suffered by innocent third parties that are inadvertently damaged by a cyberattack directed against one of the parties to a military conflict.
It bears repeating that the applicability of a war exclusion is extremely dependent on the facts of a particular situation. While strong arguments can be made that a cyberattack in the context of military hostilities does not necessarily trigger a war exclusion in a cyber policy, every conflict, and every claim, is unique. For these reasons, it is not surprising that insurers are taking a wait-and-see approach to evaluating the applicability of the exclusion.
The applicability of war exclusions may change in the future. Insurers have told us that they are reviewing existing exclusions and are considering whether changes are needed.
Preparing for the worst
The U.S. Department of Homeland Security’s Cybersecurity & Infrastructure Security Agency (CISA) issued a “Shields Up” (opens a new window) warning in light of the conflict in Ukraine. CISA recommends that “organizations — regardless of size — adopt a heightened posture when it comes to cybersecurity and protecting their most critical assets” and complied a catalog of free services (opens a new window)to assist organizations. The United Kingdom’s National Cyber Security Centre has also issued guidance. (opens a new window)
Consistent with the governmental guidance, organizations concerned about attacks against their operations in Russia or Ukraine (opens a new window) or attacks that spread wider and hit operations outside of those countries need to ensure that their cyber hygiene and cyber defenses are as strong as possible. The current conflict is a good opportunity to review whether essential controls are in place. Those include:
Patching software in a timely manner;
Ensuring that strong backup policies and procedures are in place, including testing backups regularly;
Deploying strong detection and response capabilities in house, or through a third party; and
Building in redundancy of critical systems.
Organizations should also review their incident response and business resiliency plans to ensure that they can be implemented quickly and seamlessly if an attack occurs.
There is no way to determine in advance whether a war exclusion in a cyber policy will apply before an attack happens. However, with adequate preparation and knowledge of the facts and concerns that may impact the applicability of the exclusion, organizations will be situated as well as they can be to manage the event and any cyber insurance issues if they materialize.
If your organization is subject to a cyberattack, contact your insurance broker immediately so that your cyber insurers can be notified. The insurers’ involvement from the beginning is essential to ensure access to cyber insurance coverage.
For further information, contact firstname.lastname@example.org.
*This paper borrows from a post on the Lockton Cyber Risk Update Blog. (opens a new window) For more information about the war exclusion, please review that post (opens a new window).