As war rages on, cyber-insurer war exclusion clauses face reckoning
As more state actors engage in cyberwarfare, insurance companies and private businesses are struggling to find common ground on what the "War Exclusion Clause" means for them.
Russia’s invasion of Ukraine is a reminder that modern conflicts can spur cyberthreats well beyond a war’s frontlines.
The Eastern European conflict is already adding stress to already strained domestic relationships in the U.S.—between businesses and cyber insurance companies. As businesses face more cyberthreats than ever before, many are seeing higher premiums. Meanwhile, insurance companies are looking for ways to skirt coverage obligations that end up proving far too expensive. In fact, some providers are losing profit at a high enough rate to leave the marketplace altogether, adding even more pressure on the remaining players.
To be sure, cybersecurity experts don’t see the tension between the two sides easing any time soon. This environment is likely to spur more lawsuits against insurance providers denying coverage. One central focus of litigation is likely to be the “War Exclusion Clause,” which exempts the insurer from covering damages from war-like acts between sovereign entities.
Thomas Bossert, the former Homeland Security adviser to Presidents Donald Trump and George W. Bush, said it is difficult to separate cyberthreats from geopolitical threats in today’s world.
If the question of insurability were viewed through this geopolitical situation, Bossert noted that the immense responsibility of this state-sponsored cyberthreat is then transferred onto the insurance industry, “and I would say that’s not sustainable.”
However, businesses are succeeding in separating acts of war from cyberattacks, forcing insurance companies to pay high amounts in coverage despite their war exclusion clauses. Take, for example, pharmaceutical company Merck’s lawsuit against insurer Aetna, or cookie manufacturer Mondelez’s dispute with insurer Zurich, both regarding the NotPetya ransomware attack.
To be sure, cyber insurance companies aren’t backing down either. The largest global insurance marketplace, Lloyd’s of London, issued a mandate last month that all cyber insurers selling through its platform must rewrite their policies to specify that they will stop selling insurance for cyberattacks sanctioned by government entities—essentially expanding the war exclusion to avoid a Merck-like win that hinged on the ambiguity of whether the NotPetya attack was a “traditional form of warfare,” as per the language in the war exclusion clause.
Sharon Nelson and John Simek, the president and vice president of Sensei Enterprises, respectively, think that most insurance companies are likely watching the fallout from Lloyd’s of London’s mandate carefully. But they also warn that insurers could move quicker given the Russia’s war in Ukraine.
“As Mr. Spock says in ‘Star Trek,’ the best guess is all we have. We thought [the insurance companies] were all going to sit back and see what happened to Lloyd’s of London because there are definitely going to be cases from this that end up in court. But maybe not now if you read what Putin is doing with mobilizing 300,000 reservists,” Nelson said. “So that’s going to scare everybody about state-sponsored cyberattacks because it’s quite obvious there is no physical war without cyber war anymore.”
Simek noted that he sees more cases like Merck and Mondelez “that will play out in court.” And with that long road of litigation, he expects “the language of the [war] exclusion to change with the court decisions.”
Additionally, for law firms and businesses trying to find the right coverage, the situation is getting more complex, and Simek and Nelson stress the use of an insurance broker to help consumers navigate the expensive market.
“Because even with the cost of cyber insurance, they can’t drop their coverage, because the damage from a breach would be catastrophic,” Nelson said. “And again, it is going to be very hard to prove if a particular attack is coming from a particular place or what the attacker’s motivation was even with litigation. So, the industry is in considerable turmoil at this point.”