Despite your best efforts to prevent it, you get hit by a massive cyberattack. Maybe it’s a data breach; maybe a ransomware attack or maybe a supply chain disruption. You engage a forensics team, work with law enforcement entities and find out that the likely perpetrators were hackers in Russia; possibly working with the Russian government. You file a claim against your comprehensive cyberinsurance policy for the damages, losses and restoration costs covered by the policy. Pretty typical.
But the insurer refuses to pay.
They cite language in your overall property damage insurance policy which excludes from coverage any “hostile or warlike action from any nation-state or their agency.” A data breach or cyberattack is certainly hostile, and the origin of the attack was likely an agent of a nation-state. So, does the language preclude coverage?
War [Exclusions]. Hunh. What Are They Good For?
The war exclusion, like similar exclusions in insurance policies for acts of terrorism and certain acts of God, are intended to divide claims into ordinary claims and risks and extraordinary claims which are not covered by the policy. Extraordinary costs, resulting from extraordinary risks—like war and terrorism—are generally not the subject of insurance, but rather are considered a government problem.
The problem is that most cyberattacks are a hybrid. Russian hackers may be using tools or techniques that are the same as those used by state-sponsored attackers, even when they aren’t working for the state. The truth is, while state-sponsored attacks may be more sophisticated or disruptive, to a victim there is often little difference between a state-sponsored attack and one that is independent of a state actor.
In June of 2017, New Jersey-based pharmaceutical giant Merck was hit with a massive malware attack (a NotPetya attack) which spread to more than 40,000 computers and caused approximately $1.4 billion in losses (including lost revenues). The company had cyberinsurance policies with a number of carriers—including Chubb, AIG, Zurich and Liberty Mutual—and eight reinsurers—including Hannover Re, Munich Re and Generali. Merck had what are called all-risk insurance policies which specifically covered losses resulting from damage or loss of use of computer hardware, software and data. The all-risk policy was a special type of insurance that extended to risks not usually contemplated and that, absent evidence of fraud or misconduct by the insured, presumed that all risks were covered unless expressly excluded.
The NotPetya attack has subsequently been attributed not only to Russian hackers but likely to Russian hackers working with the Russian government. Like more recent attacks, the NotPetya series of attacks appear to have been targeted by the Russian government as part of an overall cyberwar strategy against interests in Ukraine.
On December 6, 2021, the New Jersey Superior Court in Union County held that the language in the insurance policies which excluded from coverage losses or damages caused by “hostile or warlike action in time of peace or war” “by any government or sovereign power or by any authority maintaining or using military, naval or air forces” or by any agent of such government does not apply to cyberattacks, such as that which caused $1.4 billion in losses for Merck.
So was the dissemination of the non-Petya malware a “hostile or warlike action” that would be excluded from coverage, or was it a general risk?
In Merck Co. Inc. et al. v. ACE American Insurance Co. et al., case number UNN L 002682-18, the court examined the history of similar cases in which the “act of war” exclusion was invoked (e.g., hijacking and destruction of a plane by terrorists, death of a Korean war soldier from an exploding mine, destruction of a warehouse in a war zone by flares dropped from a plane, disruptions caused by Hamas firing rockets into Israel, a boat collision during wartime but not caused by war, Holiday Inn Hotel damage in Beirut caused by warring factions) the court concluded that war means … well, war. The court noted that “no court has applied a war (or hostile acts) exclusion to anything remotely close to the facts herein.” The New Jersey court observed that the language in the policy had been the same for many years—long before there was any threat of cyberattacks and that, if the insurer wanted to exclude cyberattacks by state actors which were motivated by political or military objectives it could have changed the language of the exclusion. “Insurer did nothing to change the language of the exemption to reasonably put this insured on notice that it intended to exclude cyberattacks. Certainly they had the ability to do so.”
While the Merck case is important—particularly for the litigants—there are some clear caveats to be wary of. First, Merck (and the insurers) were relying on old language in a comprehensive all-risk policy, not a specific exclusion in a data breach, cyber risk or similar policy. Had the exclusion been clearer or the policy more directed, a court might find differently. Second, the language in the exclusion in addition to being old was simply vague—and vague language in insurance exclusions are generally read to the advantage of the insured. Third, it’s important to read—and negotiate—the terms of each policy individually. If a cyber policy excludes damages resulting from actions of state actors, what level of proof is necessary to show that the exclusion applies? Must the damage be caused by the actions of the state actor, or as a result of the action (damage caused by an attack versus losses due to cost of investigating an attack) with one being damage and the other being loss. Must the attack be the result of the activities of a nation-state (e.g., people in khaki) or do we look at the motive of independent contractors or hackers? Must there be an agency relationship between the threat actor and the nation-state in order for the exclusion to apply? Do the exclusions apply to the unauthorized acts of agents of the state? To factions? Terrorist groups? Remember, you are buying insurance to cover damages and losses. Exclusions that take away from those coverages should be read narrowly to accomplish some legitimate objective.
The case also represents a recurring trend in cyberinsurance of carriers underwriting and issuing policies, accepting premiums and then often attempting to find a reason not to pay claims, necessitating endless litigation to get paid. Or in other words, the insurance business.
Best advice: Read your policies and understand your risks. And don’t set up your server farm in a war zone.