Surprise! Your cyber-risk insurance may not cover losses resulting from cyberwar. Here are some tips to help ensure you’re getting your money’s worth.
With the prospect of a cyberwar with the Islamic Republic of Iran somewhat looming, there is the prospect that private companies—particularly those in the “critical infrastructures” of banking and finance, telecommunications, transportation, health care and other sectors—may suffer direct or collateral damage as a result of the “tit for tat” that may occur when war turns cyber.
Depending on the motivations, capabilities and precision of the combatants, these cyberattacks may be nothing more than an annoyance, or they may be existential in their impact. Apart from the ordinary questions for businesses about whether these kinds of attacks can be prevented or mitigated, one question for entities potentially impacted would be, “Are they covered?” That is, Do the broad panoply of insurance products including GCL, D&O, data breach and cyber-risk insurance cover these kinds of attacks?
The simple answer is no. And yes. And maybe. In other words, there is no simple answer.
Quite frankly, one of the reasons for the confusion is the fact that we have almost no experience with potentially insured losses resulting from cyberwar. So the first step in deciding if there is coverage is to look at the terms of the policy.
To War, To War, Fredonia’s Going to War
Insurance companies typically insure against what might be called “ordinary” risks: you know—hackers, criminals, crooks, liars, cheats and stupidity. It is not uncommon, however, for even comprehensive insurance policies to have a number of exclusions from coverage. Among these exclusions are coverage for “acts of war”—damages or injuries resulting from acts of war such as invasion, insurrection, revolution, military coup and similar events, and another exclusion may include damages or losses resulting from terrorism. These exclusions may be significant and may cost the insured billions of dollars in coverage that they think they have, but that the insurer is not willing to pay.
This is because it would be unduly expensive (and extensive) to include such claims. Wars typically have battlefields and devastation, and to require insurers to pay claims for things like the bombing of Dresden or the siege of Sarajevo would quickly render them insolvent. As a result, many insurance policies exclude from their coverage claims that relate to “acts of war” (although in some cases you can actually purchase war coverage insurance).
The problem in the cyber arena is, what exactly is an act of war? Do we look at the nature of the threat actor (a nation-state or its proxy) to determine whether the act is an act of war? Do we look at the nature of the attack—kinetic or purely cyber, destructive or merely intrusive—to determine whether it is an act of war? Does it matter if there is a declared war between the nations involved or not? Does the insured’s role in the “war process” make a difference (e.g., a defense contractor whose fighter plane manufacturing center is attacked versus a hospital subject to a cyberattack?
The issue of “act of war” recently arose in a most unlikely setting. Mondelez International is the manufacturer of snack products Nabisco, Oreo, Toblerone, Trident, Cadbury and Tang breakfast drink, the drink of astronauts. In June 2017, Mondelez, like many other companies, fell victim to the NonPetya malware attack that shut down 1,700 of its servers and crippled 24,000 laptops. Mondelez suffered losses from the NonPetya attack that it estimated at over $100 million, and the company filed an insurance claim on its cyber insurance policy with Zurich Insurance. Zurich refused to pay, relying on a clause in the policy that excluded from coverage loss or damage resulting directly or indirectly from “a hostile or warlike action” whether during war or peace, including an attack by any “government or sovereign power, de jure or de facto.”
In February 2018, the White House issued a press release attributing the NonPetya attack to the Russian Military and noted that the attack, which impacted companies all over the world, “was part of the Kremlin’s ongoing effort to destabilize Ukraine” and was “a reckless and indiscriminate cyber-attack (sic) that will be met with international consequences.” The coverage excluded acts that constituted acts of war, including undeclared or civil war and “warlike action by a military force, including action in hindering or defending against an actual or expected attack, by any government, sovereign or other authority using military personnel or other agents; or insurrection, rebellion, revolution, usurped power or action taken by governmental authority in hindering or defending against any of these.” In a sense, the U.S. government, by ascribing both attribution and motive to the NonPetya attack, laid the groundwork for the denial of the claim.
You Must Be On Drugs
Another victim of the NonPetya attack was the New Jersey pharmaceutical giant Merck. Like the snack company, Merck thought it had comprehensive cyber insurance that covered destructive malware attacks. The company filed insurance claims with large and reputable insurers including Chubb Ltd. and Allianz for losses of over $1.3 billion. In its lawsuit against more than 20 insurers, Merck noted that the NonPetya malware “involved the destruction, distortion or corruption of its computer data, coding, program or software resulting from malware presented as ransomware,” which “led to extensive disruption of Merck’s worldwide operations” and adversely affected Merck’s sales. These insurers similarly denied Merck’s coverage on the grounds that the NonPetya malware was an act of war by Russia against Ukraine, and that the damage to Merck was collateral damage. No coverage for you!
On the other hand, when Sony Pictures was hacked by the North Korean government, in a state-sponsored attack that caused the movie studio over $100 million in damage and loss, its CEO Michael Lynton reported that the costs associated with the cyberattack were completely covered by insurance, although it was not clear whether the movie studio included in its calculation of “loss” the costs of production of the movie, “The Interview,” which could not be publicly released due to fear of reprisal by the government in Pyongyang.
So what makes something an “act of war” for which cyber insurance provides no coverage? Is it the nature of the actor? If the act is an official act of a sovereign nation, is this act then not covered? That would make the Kremlin’s acts in the NonPetya case an act of war against Merck. When, in 1970, PanAm flight 83 was hijacked by agents of the Popular Front for the Liberation of Palestine (PFLP) and later blown up on the ground in Cairo, a court in New York rejected the “act of war” exclusion that the insurance company attempted to invoke on the grounds that the PFLP was not “sovereign” and that while their actions were clearly hostile and politically motivated, they were not “warlike.” On the other hand, when the State of Israel went to “war” with Hamas, causing the television series “Dig” to be relocated, the costs of the relocation were covered despite the insurers’ claim that this was not an “act of war” because Hamas was not a government.
War or Terrorism?
Further complicating the matter is the fact that the United States has designated both the Iranian Quds forces and the Islamic Revolutionary Guard Corps as “terrorist” organizations. If a policy excludes both acts of war and acts of terrorism, the U.S. government’s TRIP (Terrorism Risk Insurance Program) created in the wake of the Sept. 11 attacks provides an alternative method of insurance for terrorist attacks. So not only do you have to figure out whether the malware you downloaded was from a state actor, but whether that actor was acting as a warrior (in which case you are out of luck), a terrorist (in which case you may have government insurance) or a non-state actor (in which case your regular policy may cover you).
War, Hunh, Yeah, What is it Good For?
When we think of “war” we think of people in khaki with scary guns crossing a battlefield with explosions all around (yes, I just saw “1917“). But cyberspace may be the new battlefield, and the aggressors may not all be state actors. In resolving insurance coverage in general, and exclusions in particular, courts tend to read coverage broadly and exclusions narrowly in favor of coverage. But when an agent of a nation-state acts with the authority of that nation-state and engages in an act of aggression against a target, isn’t that an “act of war?” So here are a few tips for entities purchasing cyber insurance if they really want to make sure that they have the coverage that they think they have.
First, negotiate the removal of the exclusion. I’m not sure that an “act of war” exclusion applies to DDoS, ransomware or other kinds of cyberattacks as a matter of public policy. In fact, it is precisely these kinds of attacks that the insured is buying insurance to cover.
Second, if the insurer won’t outright remove the language, define it clearly. Limit it to actions formally attributed to sovereign nations in pursuance of a declared war or invasion, or something like that. Make sure that, to rely on the exclusion, the insurer has to prove actual war, actual attribution, actual attack, actual motive and other things like that.
Third, distinguish regular warfare from irregular warfare, terrorism and collateral damage. The NonPetya case is an example: The victims including Merck and the candy company were not targets of the act of war. One “feature” of cyberwar is the fact that the attacks may not be able to be contained. The same malware that attacks the Ukrainian government may also attack your Oreo cookies. If you can, you want to limit the exclusion to acts of war that target you and cause “intended” damage by a sovereign nation.
The time to discuss what type of insurance you have and what is and is not covered is not when you file a claim; it’s when you buy a policy. So have knowledgeable insurance and risk people meet with your CISO or other cyber professionals to hash out the scope of coverage and exclusions before you file a claim. Finally, the U.S. government should step up and provide the same kind of “backstop” insurance for war-related cyber-risk that it currently does for terrorist attacks. And that would require the U.S. House, the U.S. Senate and the president to work together toward a common objective. And to do that, it might take an act of war.