Insurers May Not Cover ‘State-Sponsored’ Cyberattacks

Many of the more expensive cyberattacks and ransomware attacks, including the SolarWinds supply-chain compromise and the Colonial Pipeline ransomware attack, have been attributed to Russia-based actors, in some cases working with or for Russian intelligence services such as the SVR, GRU or FSB. Many cyberinsurance policies contain exclusions for so-called "acts of war," and insurers reason that a state-directed cyberattack constitutes such an act and, on that basis, refuse coverage. When New Jersey-based pharmaceutical giant Merck was hit by the NotPetya malware in 2017, at a cost of over $1.4 billion, its insurer balked at paying the claim, arguing that the malware originated with a nation-state actor and, therefore, that the loss was excluded as an act of war. A New Jersey court disagreed, holding that the exclusion for "warlike action" referred to actions that looked like kinetic war, not simply cyberattacks carried out or motivated by state actors.

In response, the Lloyd's of London market is now requiring its syndicates to expand the "warlike action" exclusion so that it also excludes cyberattacks that result from state action or state-sponsored action. This is in part because high-profile, high-impact state-sponsored cyberattacks, including ransomware and data theft, are so costly to insurers; cyberinsurance premiums have already risen by more than 65% as a result.

It also reflects the new methodologies used by attackers, the explosive growth of ransomware fueled by easy access to cryptocurrency, and the use of cyberattacks as an adjunct to kinetic warfare. Principally, though, it reflects the interconnectivity of the insured community and its dependence on a handful of core technologies, where an attack on one piece of critical infrastructure (or one widely used vendor, as with SolarWinds) can ripple through many insureds at once, a "systemic" loss that insurers are unwilling to carry.

Lloyd's indicated that it expects insurers to roll out the more restrictive policy wording in the first quarter of next year, and for companies seeking coverage, the devil will be in the details. Essentially, a company's coverage for a cyberattack may depend on the identity of the attacker, the attacker's relationships, the tools the attacker used or the attacker's motivation. An attack by a Russian organized-crime group using tools developed by, or used with the tacit approval of, the GRU or FSB may be excluded as state-sponsored. An attack by hackers independent of any government, but motivated by a desire to punish American companies for their support of Ukraine, may also be excluded. An attack launched by private hackers that happens to benefit the Russian government, or oligarchs working with it, may also be excluded. Indeed, for coverage determinations, it may become important for companies to preserve attribution and motivation data (indicators of compromise, tooling, infrastructure and forensic timelines) to demonstrate that the attack was neither sponsored by, nor approved by, some agency or department of a foreign government, and to budget for that kind of attribution work as part of incident response. The exclusion may also extend to "quasi-state actors" such as factions within governments, opposition parties or rebel groups. Generally, the burden of proving that an exclusion applies lies with the insurer, but in practice much of the scope of the exclusion will depend on the language of the policy and the specifics of the attack, the loss and the claim.

Don't expect reduced premiums in return for the reduced coverage. What you might expect is that insurers will offer separate "cyberwar" policies to fill the coverage gap they have created with the state-sponsored exclusion. As the Merck decision demonstrates, the traditional "act of war" or "warlike action" exclusion is relatively narrow and addresses things we traditionally think of as war: a hotel in a war zone is bombed, troops destroy a manufacturing plant, an errant explosive takes out a cafe. For an entity seeking coverage, it is almost impossible to determine in advance whether it will be the victim of an attack, direct or indirect, by some state actor. This means that the very expensive cyberinsurance policy it just bought provides the same level of protection as the colorful blanket my grandmother knitted: warm and comfortable, but full of holes.


Mark Rasch

Mark Rasch is a lawyer and computer security and privacy expert in Bethesda, Maryland, where he helps develop strategy and messaging for the Information Security team. Rasch's career spans more than 35 years of corporate and government cybersecurity, computer privacy, regulatory compliance, computer forensics and incident response. He is trained as a lawyer and was the Chief Security Evangelist for Verizon Enterprise Solutions (VES). He is a recognized author of numerous security- and privacy-related articles. Prior to joining Verizon, he taught courses in cybersecurity, law, policy and technology at various colleges and universities, including the University of Maryland, George Mason University, Georgetown University and the American University School of Law, and was active with the American Bar Association's Privacy and Cybersecurity Committees and the Computers, Freedom and Privacy Conference. Rasch has worked as cyberlaw editor for SecurityCurrent.com, as Chief Privacy Officer for SAIC, and as Director or Managing Director at various information security consulting companies, including CSC, FTI Consulting, Solutionary, Predictive Systems and Global Integrity Corp. Earlier in his career, Rasch was with the U.S. Department of Justice, where he led the department's efforts to investigate and prosecute cyber and high-technology crime, starting the computer crime unit within the Criminal Division's Fraud Section, an effort that eventually led to the creation of the Computer Crime and Intellectual Property Section of the Criminal Division. He was responsible for various high-profile computer crime prosecutions, including those of Kevin Mitnick, Kevin Poulsen and Robert Tappan Morris. Prior to joining Verizon, Mark was a frequent commentator in the media on issues related to information security, appearing on BBC, CBC, Fox News, CNN, NBC News and ABC News and in the New York Times, the Wall Street Journal and many other outlets.
