Cyber insurance exclusions: Who pays in an act of Cyberwar?
In the thick of the Russia/Ukraine conflict, Britain’s intelligence agencies have warned government departments to prepare for cyberattacks from Russia, and the National Cyber Security Centre (NCSC) has called on British organisations to "bolster their online defences".
Coinciding with the new cyber insurance ‘war exclusions’, this could be a recipe for disaster for many organisations.
The cyber policy clarity challenge
The surge in ransomware attacks over recent years and the cost of claims have driven up cyber insurance pricing, and underwriters have found themselves under increased pressure to clearly define conditions, whilst many insurers narrowed their coverage.
Language within traditional lines of insurance often did not consider how great a risk cyber posed and the policyholder’s increased exposure, resulting in legal disputes and industry losses.
2017 saw the NotPetya malware outbreak, which affected the US-based firms Merck and Mondelez; both filed ‘all-risks’ property insurance claims in 2018, and both claims were rejected.
Merck sued over 20 re/insurers for $1.4 billion in damages, while Mondelez is still in dispute with its insurance provider, Zurich. In both cases, insurers denied coverage citing the Act of War policy exclusion, in light of Russia's military intervention in Ukraine that began in 2014. The exclusion clauses describe “hostile or warlike action” by states or their “agents” as grounds for rejecting a claim.
The Mondelez v. Zurich case is still ongoing. Zurich has cited the “war exclusion” clause in its policy to avoid pay-outs, relying on official government statements from the U.S., U.K., Canada, and Australia, which attributed the attack to the Russian conflict with Ukraine. This attribution was later confirmed by the Trump administration, and thereafter Denmark, Latvia, Sweden, and Finland each declared their support for it. Mondelez claims that its Zurich policy covers “all risk of physical loss or damage to electronic data, programs or software as a result of the malicious introduction of a machine code or instruction”, which is material to its insurance claim. The multinational beverage and snack food company argues that the attack constitutes criminal activity rather than an Act of War, in which case the war exclusion clause should not apply.
If Zurich is to maintain its stance, the NotPetya attacks must be proven to be Acts of War.
In the article Summons to Appear: NotPetya and the War Exclusion Clause, Clausewitz’s three essential criteria of war are outlined: violence, means to an end, and political motivation. NotPetya did not result in loss of life or physical injuries. If the means is violence or the threat of it, and the end is to render the enemy defenceless and at one's mercy, then NotPetya rendered no country defenceless and so fell short of the ‘means to an end’ criterion. Russia did not communicate any intention during the NotPetya attacks, so the final criterion of Clausewitz’s definition (political motivation) cannot be proven, and some argue the definition is therefore not met. More modern definitions of war suggest that ‘serious economic impact’ could constitute an Act of War, in which case the definition could apply to the NotPetya attacks.
In the case of the pharmaceutical company Merck, $1.4 billion was lost in damage incurred as a result of the NotPetya attack, with insurers refusing to pay out on the basis of ‘Act of War’ exclusions. Merck challenged the decision by filing for breach of contract, arguing that the exclusion's language was limited to the use of armed force and that “the exclusion applied only to traditional forms of warfare”. The court agreed that Merck held a reasonable understanding that the exclusion concerned the use of armed forces, and declared that the insurer must update the wording of its policy to give insureds notice of any intention to exclude cyberattacks. It was deemed almost inevitable that Merck would have anticipated the exclusion applying only to traditional, kinetic forms of warfare.
It wasn’t long before Lloyd’s saw a need for tighter exclusions in standalone cyber insurance policies: in July 2020 it mandated that “all insurance and reinsurance policies written at Lloyd’s must, except in very limited circumstances, contain a clause which excludes all losses caused by war”. This was followed on November 25th, 2021, by the four draft cyberwar exclusions issued by the Lloyd’s Market Association (LMA).
The new cyberwar exclusions
An article in The Stack quotes the LMA’s intentions for the exclusions.
They were “drafted to provide Lloyd’s syndicates and their (re)insureds (and brokers) with options in respect of the level of cover provided for cyber operations between states which are not excluded by the definition of war, cyber war or cyber operations which have a major detrimental impact on a state” noting that underwriters should closely “consider the coverage provided, their outwards reinsurance wording, and the resultant impact on exposures across the portfolio” when deciding which clause to implement. The clauses can be summarised as:
1. Excludes cover for any losses occurring through or in consequence of war or a cyber operation. The strictest of the four exclusions.
2. Places sub-limits on pay-outs resulting from cyber operations, but excludes those operations launched in war, in retaliation by specified states, or that cause major detrimental impacts to the functioning of a state.
3. Provides for the same losses as No. 2, but without specifying coverage limits.
4. The most generous of the exclusions. In addition to the coverage offered by No. 3, it allows for coverage of bystanding assets (i.e., indirect targets) affected by cyber operations where major detrimental impacts to the functioning of a state apply.
Full details on the four new clauses can be found at the Lloyd’s Market Association Media Centre.
The exclusions define war as (14.1) “the use of physical force by a state against another state or as part of a civil war, rebellion, revolution, insurrection” but also as (14.2) “military or usurped power or confiscation or nationalisation or requisition or destruction of or damage to property by or under the order of any government or public or local authority”. However, this has prompted concern for cases such as the NotPetya ‘bystander attacks’ mentioned earlier, in which organisations became indirect targets of an attack aimed at Ukraine. The question is whether LMA syndicates will automatically refuse claims based on the activities of state-backed threat actors. This would depend on which of the four clauses had been implemented. Exclusion No. 4 (LMA5567) states (2.) “Paragraph 1.3 shall not apply to the direct or indirect effect of a cyber operation on a bystanding cyber asset”, with 1.3 excluding claims where a cyber operation has a major detrimental impact on the functioning and security of a state. No. 4 is the only clause that clearly identifies bystander claimants as being exempt from the exclusion.
Patrick Davison, the LMA's underwriting director, told The Register:
“When we publish those clauses, we describe them as models. They are published as a kind of benchmark, effectively. So [insurers] are free to change them, ignore them, use them as drafted."
He explained that the 2020 guidelines mandate that:
"All insurance and reinsurance policies written at Lloyd's must contain a clause or clauses excluding all losses caused by war and nuclear, chemical, biological, radiological (NCBR) perils."
The idea is that the new clauses vary greatly in the scope of their exclusions, with some more restrictive than others.
It is the responsibility of government and, thereafter, the insurer to prove that an incident was the result of a cyberwar, war, or cyber operation, and they must also attribute the cyber operation to another state or to those acting on its behalf. If a government does not attribute the act, or takes an unreasonable length of time to do so, the responsibility shifts to the insurer. However, ransomware and cyberattacks are, by their very nature, often problematic when it comes to pinpointing the perpetrator's nation, with threat actors often leaving intentionally misleading signs to implicate other cyber-criminal gangs or states.
Discrepancies and complexities
Mastering detective skills is not the only concern for insurers since the introduction of the new cyberwar clauses.
Marsh recently wrote about the new exclusion wordings and the concerns over discrepancies and confusion, citing the Tallinn Manual’s definition of “cyber operation”. The Tallinn Manual is an extensively used tool for shaping policy and a widely used source of information for legal advisors, yet its definition differs from that of the LMA, stating that a malicious cyber operation can be defined as an act of cyber warfare in violation of international law. With the new exclusions published without accompanying guidance, and their definitions conflicting with extensively used reference works, we can expect confusion among Lloyd’s syndicates and market participants.
Work is needed to draft more appropriate Act of War exclusions that perhaps remove the burden of choice from brokers and syndicates and lift the burden of proving attribution under such unclear definitions. Inconsistent coverage and conflicting definitions will inevitably result in cyber insurance confusion and buyer uncertainty. Market participants drafting exclusions for what is still a relatively new form of cover must have access to guidance backed by insurer consensus.
The UK cyber insurance market is growing at a steady rate, albeit slowly, as businesses recognise the increasing threat.
The market is perhaps witnessing additional focus due to the cyber threat posed by the Russia/Ukraine conflict. Given the potentially increased threat and the uncertainty introduced by the new exclusions, it is important for policyholders to be aware of the changing definitions of “war” and “cyber operations” in their cyber insurance wordings. Considering the NotPetya attacks in 2017 and the legal proceedings that followed, there is no doubt (given the court’s ruling) that UK cyber insurers will themselves want to consider whether a cyberattack against targets in Ukraine or Russia would be likely to trigger a war exclusion, regardless of the cross-jurisdictional questions in these instances.
However, given the weight and uncertainty of proving attribution, could the evidence gathered be deemed conclusive, and could the process take too long? It may be that insurers choose not to invoke exclusions, so as to avoid costly litigation when they have no real sense of what the outcome will be. In any case, it’s fair to say insurers are taking a wait-and-see approach in evaluating the applicability of the exclusions, and only time will reveal whether further changes are needed.
Cyber impact resulting from Russia’s invasion of Ukraine
To assess the likely triggers for these exclusions during the current conflict, STORM Guidance CEO, Neil Hare-Brown has offered insight into the ongoing cyber threat landscape and events accompanying the invasion.
The current complexity and severity of risk in the cyber market has increased pressure on the new exclusions. Hundreds of threat actors on both sides are taking part in offensive cyber activities, creating a huge potential fallout of vulnerable targets and ample opportunity for attacks such as malware to spill over into countries outside Ukraine and Russia.
We’re seeing an alarming shift in the threat landscape, with cyber-criminal gangs taking sides, and the potential for catastrophic disasters (particularly to critical infrastructure such as banks, oil and gas, electricity, shipping, and mobile network operators) has never been higher. Both Ukraine and Russia have adopted a cyber force to aid in attacks against the other (further complicating attribution); the prolific hacking collective Anonymous has joined forces with Ukraine, while the most successful ransomware group, Conti, has sided with Russia. As of March 1, 2022, there were at least 33 different cyber threat actor groups actively assisting either Ukraine or Russia.
Industries most likely to see a retaliatory attack are central and local government, banking and financial services, telecommunications companies, utilities, and transport.
Repercussions of invoking the new cyberwar exclusions
If an organisation is hit with a cyberattack of any form, the last thing it is concerned with is whether the perpetrator is a criminal gang looking to profit from its misfortune or a nation-state carrying out an act of retaliation.
It simply wants its systems restored, its data recovered, its reputation intact, and of course its losses minimised. However, there is every chance in the current climate that financial losses incurred as a result of an attack will no longer be covered by an insurance policy if a cyberwar exclusion applies. Organisations must make efforts to thoroughly understand their policy wordings and exclusions so that, if the worst should happen, they are prepared and knowledgeable during litigation and able to put forward evidence that proves the clause should not apply. The Merck case is an excellent example of how knowledge of exclusion wordings can persuade the courts in your favour.
If the war in Ukraine escalates to a point where NATO becomes involved, then companies should not expect to be able to claim for losses incurred if hit by a cyberattack from Russia. Even before any such scenario, any systemic attack may be assumed to be supported by the Russian state, even if it is not. There are significant, real-world implications in the context of a geopolitical conflict, and businesses will see the impact of this cyberwar as it spreads across borders. There is now substantially more onus on businesses to prepare for cyberattacks and understand their cyber risk, as these exclusions call into question any payout on a claim if their systems are breached. Many policies contain reasonable-precautions clauses, so if a threat is known and the policyholder does not apply measures to mitigate the risk, it could be in breach of those conditions. If an exclusion is invoked and substantiated, could the policyholder recover the loss of revenue, lost productivity, remediation costs, ransom demands, and legal fees? It could be argued that organisations falling outside the realms of critical national infrastructure, banking, or healthcare, for example, would be of little interest to state-backed, retaliatory cyberwarfare, and that the exclusions would therefore not apply. It may well be the case that they are not deliberately targeted by these threat actors, but organisations cannot rest on their laurels, as some of the new clauses account for bystander attacks and will not pay out on those claims.
STORM works with a number of insurers and brokers, and having developed close relationships and key insights, Neil suggests that concerned insureds (with the assistance of their brokers) should ask their insurers to clarify example claims scenarios in which the cyberwar policy exclusions would be triggered.
Insurers are not unscathed by the introduction of the four new clauses, as an article in Lawfare suggests.
Commentary by cybersecurity and technology policy experts highlights a negative interpretation of the clauses, noting that they have been perceived as a “legalistic trick for insurers to avoid paying claims”. The exclusions appear to diminish adequate cyber coverage, leaving policyholders wanting, as their insurers are perceived as playing only a marginal role in managing cyber risk. As noted earlier, a loss of faith in cyber insurance will be to the detriment of insureds and insurers alike.
Yet, in a more positive light, the changes to cyber insurance should act as an incentive for brokers, (re)insurers, and the insured to work together in examining the threat landscape and the risk it poses.
With a collective approach to insurance, all parties will see reduced uncertainty, and premiums and cover suited to the risk. With recognition of the importance of risk management as the foundation of effective cyber insurance, the market should see the enhanced relevance of insurance to this dynamic risk.
Insurers can play a proactive role in helping organisations boost their cyber resilience, following a solution recently adopted by Aviva. By introducing Cyber3 to its portfolio, Aviva was able to provide policyholders with a comprehensive cyber risk assessment while also demonstrating a practical ‘road-map’ to improvement. Clients accessing the service demonstrate their resilience and maturity in the management of cyber risk, putting forward their final report to illustrate their level of cyber risk management and their current exposures. The benefit to insurers and brokers, particularly during the current transition to incorporating additional clauses, is that the report clearly translates the findings, giving true insight into the client’s risk profile. Policies containing the new LMA cyberwar exclusions require increased transparency of risk. The Cyber3 assessment addresses this: it was derived from analysing 15 different insurer proposal forms, and was thus created to give a precise analysis of risk and insurability.
The key here is to find a win-win situation for all, one that allows insurers to competently price risks and apply appropriate exclusions, and policyholders to understand their vulnerabilities and how to strengthen their defences. With clear communication and transparency of both the risk and the policy wordings, the insured and the insurer will reap the rewards of appropriate premiums and exclusions, and also gain the clarity needed in the event of a cyberattack. If organisations take a stance in this uncertain time and demonstrate an understanding of their responsibility to manage their cyber risk exposure, they could benefit from reduced premiums, policy assurance, and confidence in their cybersecurity during the current conflict.
So rather than asking “if Russia attacks, who pays?”, perhaps it would be better to simply ask: if Russia attacks, did we do enough to defend ourselves?