Assessing Cyber Insurers' War Exclusions & Terrorism Carvebacks
Given the recent surge of ransomware attacks and the escalating conflict with Russia, assessing a cyber insurance policy’s war/terrorism exclusion has never been more important. The cyber war exclusion, which insurers use to insulate themselves against catastrophic risk, has become a considerable topic of discussion because of its overly broad language and its potential for misapplication. Many cyber attacks can loosely be characterized as invasions carried out by foreign actors, and some of them do inflict terror; that is precisely the problem. Will such attacks be construed as excluded acts under a policyholder’s cyber insurance policy? A typical war exclusion may read as follows:
- “Alleging, based upon, arising out of, directly or indirectly caused by, resulting from, or in connection with war (whether declared or not), invasions, hostilities, civil war, strikes or similar labor actions, acts of foreign enemies, terrorism, hijacking, warlike operations, rebellion, revolution, insurrection…”.
The breadth here is striking. The exclusion above contains no clarifying language requiring that the invasions or hostilities be military (or physical) in nature. Depending on how broadly these terms are interpreted, many outside attacks could be characterized as “invasions” or “hijacking”, and politically motivated attacks launched during a conflict could readily be construed as “acts of foreign enemies”. The preamble itself is also problematic. The exclusion doesn’t just remove coverage “for” such acts; it also precludes claims “indirectly caused by, resulting from, or in connection with” them, which gives it significantly greater reach. Should a ransomware gang or hacker group issue a statement condemning US actions in relation to a conflict, any subsequent retaliatory attack could plausibly be construed as “connected to, or indirectly caused by” those hostilities, triggering the exclusion. Negotiating the preamble down to “based upon or directly caused by” would soften its application; without also removing “invasions”, “hijacking” and “acts of foreign enemies”, however, that enhancement may provide little improvement. The Merck decision, in which a New Jersey court held that a traditional war exclusion did not apply to the NotPetya cyber attack (notably under an all-risk property policy rather than a cyber policy), offers some promise for future interpretations, but policyholders should still attempt to soften the language as much as possible and watch for amendments at renewal that may further broaden its scope.
The Lloyd’s Market Association (LMA) appears to have specifically addressed state-sponsored attacks by publishing several new model war exclusions that also preclude or sublimit coverage for “cyber operations”, which can very briefly be summarized as cyber attacks carried out by or on behalf of a state. Some variants apply the exclusion to any state-sponsored attack, while others limit its application to attacks carried out in the course of a war, certain retaliatory attacks, or attacks that have a significant impact on the functioning or security of a state. Some variants soften the exclusion further by carving coverage back in for attacks affecting computer systems not located in “impacted states”. A more common approach taken by many carriers, however, is a carveback for “cyber terrorism”. A typical definition of cyber terrorism reads:
- “cyber terrorism means, use or threatened use of disruptive activities against the insured’s computer system committed with the intent to further stated social, ideological, religious, economic, or political objectives”.
As the definition above shows, some forms require that the attackers’ objectives be “stated”. Since attackers will often not state an objective, and since any objective can be difficult (at best) to establish, the word “stated” should be avoided or removed. More favorable policy forms broaden the definition to include attacks that “intend to cause harm” and acts where it can reasonably be concluded that the malicious actors were motivated by such objectives; both amendments give the insured more breathing room in the event of a claim denial or coverage dispute. Some policies notably omit “economic objectives” from the definition. Since most cyber attacks, ransomware above all, have an economic objective, the term “economic” should be included among the defined objectives in order to preserve coverage.
To further complicate matters, a number of policy forms contain carveouts to their cyber terrorism carvebacks, all of which should be avoided where possible because they can significantly restrict coverage. For example, one such carveout states that cyber terrorism does not include “any activity which is part of or in support of military actions, war, or war-like operations”. Returning to the example above of a ransomware gang or hacker group launching attacks in retaliation for certain actions, this carveout would likely preclude coverage for the resulting attacks, since they could be deemed to be in “support of” the conflict. The Conti gang’s recent announcement pledging support to the Russian government and threatening attacks on the critical infrastructure of its adversaries is one such example. Another version precludes attacks that are “committed by, or at the express direction of, a government simultaneously engaged in an active conflict”. Given that cyber attacks (particularly state-sponsored attacks) can be expected to increase during a conflict, such exclusionary language could negate coverage precisely when it is needed most.
When reviewing the exclusions, it is also important to ensure that all computer systems are covered by the carveback. Some policy forms (such as the example above) only “except” cyber terrorist attacks against the insured’s own computer systems. If a malicious actor breaches a third-party provider’s systems during a time of war or hostility, causing first-party damages to the insured, this would effectively leave the policyholder without coverage. Some of the newly announced LMA war exclusions take a slightly different approach, excluding affected computer systems that are physically located in an impacted state. Cyber terrorism carvebacks also differ in the “losses” they cover, with some policies applying the carveback only to first-party losses (omitting all third-party losses), underscoring the importance of ensuring that all losses are in fact subject to the carveback.
In light of the above assessment, we would deem the following hypothetical example a favorable carveback:
- Any use, or threat of use, of disruptive activities (including cyber extortion threats) against a computer system or network, with the intention to harm or intimidate you, or where it can be reasonably concluded that the actors are motivated by social, ideological, religious, political, economic, or similar objectives, or to intimidate any person in furtherance of such objectives.
The Ukraine conflict will likely prove the biggest test yet of cyber insurers’ “war exclusions” and will probably result in considerable language amendments going forward. In the meantime, policyholders should be performing careful policy assessments (particularly around ransomware terms and conditions), negotiating policy language at placement and renewal (especially the war exclusion and any carvebacks or amendments), and improving the organization’s cyber posture by proactively strengthening security controls, policies and procedures.