War, Hunh. Yeah. What is it Good For? Reducing Insurer Liability for Cyberattacks

A New Jersey court recently ruled that an insurer was not relieved from its obligation to pay for Merck’s losses after a Russian NotPetya cyberattack. The insurer claimed its ‘Act of War’ exclusion applied to the company’s cyberinsurance policy; the court disagreed.

The rise of cyberattacks has led to a significant increase in the demand for cyberinsurance policies. However, the insurance industry is struggling to keep pace with the ever-evolving threat landscape, which has resulted in a new challenge: Insurers are attempting to use the “act of war” doctrine to refuse to pay claims of insureds when the attacks that give rise to the claims are perpetrated by state actors or by other belligerents.

On May 1, 2023, the New Jersey Superior Court Appellate Division issued a ruling in the case of pharmaceutical giant Merck, hit by a NotPetya attack that the U.S. government attributed to the Russian government. Merck suffered almost $700 million in losses resulting from the attack and filed claims with various cyberinsurers, each of which had coverage exclusions that excluded “hostile” or “warlike” actions. Based on these exclusions—and the government’s determination that the attacks came from a hostile foreign government—the insurers refused to pay the claims.

The New Jersey appellate court found that the insurers had failed to demonstrate that the attack was a warlike action and affirmed the lower court’s finding that the insurance companies had to pay.

Act of War Doctrine

The act of war doctrine is a legal concept that has its roots in insurance law. The doctrine states that insurance policies generally exclude coverage for losses that arise from war-related activities. The rationale behind this is that insurance policies are not intended to cover losses that result from events that are beyond the control of the policyholder or the insurer. Rather, they are intended to cover losses that are the result of fortuitous events, such as accidents or unforeseen events. Typically, the doctrine has been used to refuse claims when factories in combat zones are bombed or destroyed or other “kinetic” attacks on infrastructure occur.

In the context of cyberinsurance, the act of war doctrine has been invoked by insurers to argue that losses arising from cyberattacks perpetrated by state actors or other belligerents are not covered under the policy. Insurers argue that such attacks are akin to acts of war and, as such, fall outside the scope of the policy’s coverage.

Exclusionary Language in Cyberinsurance Policies

Cyberinsurance policies typically contain a number of exclusions that limit the scope of coverage. One of the most common exclusions found in cyberinsurance policies is the act of war exclusion. This exclusion typically states that losses arising from acts of war or war-related activities are not covered under the policy.

For example, the Hiscox CyberClear policy, one of the most popular cyberinsurance policies in the market, contains an exclusion that states:

“We will not pay for loss or damage caused by or resulting from an act of war, declared or undeclared, or any act of terrorism.”

Similarly, the AIG CyberEdge policy contains an exclusion that states:

“This Policy does not insure against any Loss arising out of, directly or indirectly resulting from or caused by any of the following:

War (whether declared or not), invasion, act of foreign enemy, hostilities, civil war, rebellion, revolution, insurrection, military or usurped power, or confiscation or nationalization or requisition or destruction of or damage to property by or under the order of any government or public or local authority.”

In the Merck case, the exclusion stated:

“[t]his policy does not insure” against:
Loss or damage caused by hostile or warlike action in time of peace or war, including action in hindering, combating, or defending against an actual, impending, or expected attack:
(a) by any government or sovereign power (de jure or de facto) or by any authority maintaining or using military, naval, or air forces;
(b) or by military, naval, or air forces;
(c) or by an agent of such government, power, authority, or forces[.]”

These exclusions are designed to limit the scope of coverage and to ensure that policyholders understand that losses arising from acts of war or war-related activities are not covered under the policy.

Rise of Cyberattacks by State Actors

According to the U.S. government, the number of cyberattacks by state actors has increased significantly in recent years. In 2020, the Cybersecurity and Infrastructure Security Agency (CISA) reported that it had responded to a record number of incidents involving state-sponsored cyberthreat actors.

One example of such an attack was the 2017 WannaCry ransomware attack, which was widely attributed to North Korea. The attack affected more than 200,000 computers in 150 countries and caused an estimated $4 billion in damages.

Another example was the 2014 Sony Pictures hack, which also was widely attributed to North Korea. The attack resulted in the theft of confidential information, including employee data and unreleased movies and caused an estimated $100 million in damages.

Merck and NotPetya: Cases of Insurers’ Attempts to Exclude Coverage

In the Merck case, the insurers attempted to rely on the “hostile” or “warlike” exception to coverage, noting that the attack came through a Ukrainian provider, was likely launched by the Russian government and was likely done as an act of war by the Russian government. Nevertheless, the lower court found that the broad exclusionary language did not apply to cyberattacks, noting:

“The evidence suggests that the language used in these policies has been virtually the same for many years. It is also self-evident, of course, that both parties to this contract are aware that cyberattacks of various forms, sometimes from private sources and sometimes from nation-states[,] have become more common. Despite this, Insurers did nothing to change the language of the exemption to reasonably put this insured on notice that it intended to exclude cyber attacks. Certainly they had the ability to do so. Having failed to change the policy language, Merck had every right to anticipate that the exclusion applied only to traditional forms of warfare.”

The insurers, obviously, disagree. They noted that the language clearly excluded attacks that were either warlike or hostile. The NotPetya attack by a foreign sovereign nation was clearly “hostile.” Here, the court notes that the exclusion is not for government actions generally but for actions of hostile “military” entities, stating, “The exclusion of damages caused by hostile or warlike action by a government or sovereign power in times of war or peace requires the involvement of military action.” Indeed, the group most likely responsible for the NotPetya attack was APT29 or Cozy Bear, which is a department of Russia’s Foreign Intelligence Service, not its ministry of defense.

The use of the act of war doctrine by insurers to exclude coverage for losses arising from cyberattacks perpetrated by state actors or other belligerents has led to a number of legal disputes. In some cases, insurers have attempted to deny coverage for such losses, while in others, policyholders have challenged the applicability of the act of war exclusion.

One such case was the Mondelez International v. Zurich American Insurance Company lawsuit. Mondelez, a global food and beverage company, suffered a significant cyberattack in 2017 that was widely attributed to Russia. The attack caused widespread disruption to Mondelez’s computer systems and resulted in the loss of millions of dollars in revenue.

Mondelez filed a claim with its insurer, Zurich American Insurance Company, seeking coverage under its property policy. However, Zurich denied the claim, citing the act of war exclusion in the policy. Zurich argued that the attack was an act of war, and therefore, the policy did not cover the resulting losses.

Mondelez subsequently filed a lawsuit against Zurich, alleging breach of contract and bad faith. Mondelez argued that the act of war exclusion did not apply to the cyberattack, as it was not a traditional act of war. Mondelez also argued that Zurich had acted in bad faith by denying the claim without conducting a proper investigation.

The case went to trial in 2019, and the court ultimately ruled in favor of Mondelez. The court held that the act of war exclusion did not apply to the cyberattack, as it was not a traditional act of war. The court also found that Zurich had acted in bad faith by denying the claim without conducting a proper investigation. The parties ultimately settled the claim in October 2022.

The Mondelez case is just one example of the challenges that policyholders face in obtaining coverage for losses arising from cyberattacks perpetrated by state actors or other belligerents. The use of the act of war exclusion by insurers has resulted in a number of legal disputes, with policyholders often challenging the applicability of the exclusion.

The rise of cyberattacks by state actors and other belligerents has presented a significant challenge for the cyberinsurance industry. Insurers are struggling to keep pace with the ever-evolving threat landscape, and the use of the act of war doctrine to exclude coverage for losses arising from cyberattacks perpetrated by state actors has led to a number of legal disputes.

While the act of war exclusion is a common feature of cyberinsurance policies, its applicability to cyberattacks perpetrated by state actors is still a matter of debate. The Mondelez case is just one example of the challenges that policyholders face in obtaining coverage for such losses.

As the threat landscape continues to evolve, it is likely that insurers will need to revisit their policies and exclusions to ensure that they are keeping pace with the latest risks. It is also likely that the courts will continue to be called upon to adjudicate disputes between policyholders and insurers over the scope of coverage under cyber insurance policies.

What Insured Entities Can Do

While the use of the act of war exclusion by insurers to deny coverage for losses arising from cyberattacks perpetrated by state actors or other belligerents presents a significant challenge for insureds, there are steps that insureds can take to ensure that they have coverage for such losses.

Review Your Policy Carefully

The first step in ensuring that you have coverage for losses arising from cyberattacks is to review your cyberinsurance policy carefully. Look for any exclusions or limitations that may affect your coverage, including the act of war exclusion. Make sure that you understand the scope of your coverage and any limitations that may apply. The Merck court faulted the exclusionary language as being ultimately too broad and not tailored to specific state-sponsored cyberattacks. You can expect insurers to add more specific exclusions based on the identity or motivation of the threat actors or the tools used. That’s why it’s important to read the policy and exclusions carefully.

Consider Buying Separate Coverage for Acts of War

If you are concerned about the applicability of the act of war exclusion, you may want to consider purchasing separate coverage for acts of war. Some insurers offer policies that specifically cover losses arising from acts of war, including cyberattacks. While this type of coverage may be more expensive, it may provide you with greater peace of mind in the event of a loss. If you go that route, make sure that the new coverage actually fills the gap provided by the exclusion. For example, if the exclusion excludes coverage for attacks by any foreign sovereign and your “act of war” policy covers only attacks by military agencies, you may have a gap in coverage.

Consider the Specific Threats to Your Business

The specific threats to your business will depend on a number of factors, including the industry in which you operate, the types of data that you handle and your geographic location. Consider the specific threats that your business may face and make sure that your cyberinsurance policy provides coverage for those threats. For example, if you operate in a region where state-sponsored cyberattacks are common, you may want to ensure that your policy provides coverage for losses arising from such attacks.

Look to Second or Third Party Coverage

Often attacks come through third parties—cloud providers, partners, etc. If your coverage excludes certain hostile acts, theirs may not have such an exclusion. Thus, if they have coverage for losses to third parties (you) then you may file an action against the responsible third party, who would then seek coverage from their own insurer. You can require third parties with whom you conduct business or to whom you give access to your data or network to maintain adequate insurance policies for certain cyber-related losses. This might not have worked for a company like Merck, which suffered hundreds of millions of dollars of losses within minutes of the attack.

Work with Your Broker or Agent

Your broker or agent can be a valuable resource in helping you to understand your cyberinsurance policy and the specific threats to your business. Work with your broker or agent to identify any gaps in your coverage and to find solutions that can help you to mitigate those risks.

Implement Strong Cybersecurity Measures

One of the best ways to protect your business from cyberattacks is to implement strong cybersecurity measures. This includes measures such as employee training, network segmentation, access controls and regular vulnerability assessments. By implementing strong cybersecurity measures, you can reduce the likelihood of a successful cyberattack and minimize the potential damage if an attack does occur.

Conclusion

While the use of the act of war exclusion by insurers to deny coverage for losses arising from cyberattacks perpetrated by state actors or other belligerents presents a significant challenge for insureds, there are steps that insureds can take to ensure that they have coverage for such losses. By reviewing your policy carefully, considering separate coverage for acts of war, considering the specific threats to your business, working with your broker or agent and implementing strong cybersecurity measures, you can reduce your risk and ensure that you are prepared for the worst-case scenario. Remember, this means war!

Mark Rasch

Mark Rasch is a lawyer and computer security and privacy expert in Bethesda, Maryland, where he helps develop strategy and messaging for the Information Security team. Rasch’s career spans more than 35 years of corporate and government cybersecurity, computer privacy, regulatory compliance, computer forensics and incident response. He is trained as a lawyer and was the Chief Security Evangelist for Verizon Enterprise Solutions (VES). He is a recognized author of numerous security- and privacy-related articles. Prior to joining Verizon, he taught courses in cybersecurity, law, policy and technology at various colleges and universities, including the University of Maryland, George Mason University, Georgetown University, and the American University School of Law, and was active with the American Bar Association’s Privacy and Cybersecurity Committees and the Computers, Freedom and Privacy Conference. Rasch has worked as cyberlaw editor for SecurityCurrent.com, as Chief Privacy Officer for SAIC, and as Director or Managing Director at various information security consulting companies, including CSC, FTI Consulting, Solutionary, Predictive Systems, and Global Integrity Corp. Earlier in his career, Rasch was with the U.S. Department of Justice, where he led the department’s efforts to investigate and prosecute cyber and high-technology crime, starting the computer crime unit within the Criminal Division’s Fraud Section, efforts which eventually led to the creation of the Computer Crime and Intellectual Property Section of the Criminal Division. He was responsible for various high-profile computer crime prosecutions, including Kevin Mitnick, Kevin Poulsen and Robert Tappan Morris. Prior to joining Verizon, Mark was a frequent commentator in the media on issues related to information security, appearing on BBC, CBC, Fox News, CNN, NBC News, ABC News, the New York Times, the Wall Street Journal and many other outlets.