Does your policy cover acts of cyber terrorism or cyber warfare?
Many policies cover cyber terrorism, but might not cover cyber events that arise out of war.
The Middle East and Ukrainian conflicts are likely to play out with a focused intensity in the cyber arena. Increased instances of intelligence hacking, grid and telecommunications disruptions, and malware attacks may escalate into state-sponsored cyberattacks and possibly full-blown cyber warfare that could affect your firm.
There was a 38% increase in global cyberattacks in 2022 alone, according to Check Point Research. With this in mind, firms should have a heightened awareness as to whether their cyber liability insurance policy would provide coverage in the event of a cyberattack that arises directly or indirectly as a result of terrorism, war, acts of war or warlike activities.
A state-sponsored cyberattack may not be covered and/or may limit a firm’s ability to rely on its cyber liability insurance policy for damages and losses in the aftermath of a cyberattack. Whether or not a firm is covered depends on the wording of the firm’s policy and whether it excludes acts of cyberterrorism and/or war.
Historically, war exclusions were limited to cyberattacks arising out of a declared war by a government. However, the identity of a hacker — and whether or not the bad actor is backed by a government — is often not known when a cyberattack occurs.
A rising number of cyberattacks do not involve military action but are instead sophisticated events that may impact the availability of cloud or infrastructure services. An example of this was the NotPetya malware attack in 2017 that was linked to the Russian government and caused cyber damage around the world. The NotPetya attack cost insurers billions of dollars. As a result, some insurers began to rewrite the war exclusion in their cyber liability policies to further limit their liabilities.
The specifics of any cyber terrorism or war exclusion clauses vary between insurance policies. Many policies cover cyber terrorism, but do not cover cyber events that arise out of war. Cyber terrorism, for example, is often defined in the policy as, “the premeditated use of disruptive activities against an insured entity or its extended network.” It is also described in the policy as an explicit threat to use premeditated disruptive activities with the intention to cause harm; further social, ideological, religious, political or other similar objectives; or to intimidate any person or entity in the furtherance of such objectives. Again, many policies cover cyber terrorism, whereas they do not cover cyber events that arise out of war.
The war exclusion is intended to fully preclude coverage for losses directly caused by warfare, hostilities, invasion, rebellion, insurrection or revolution. War is often defined in the policy as any conflict declared or not declared, whether civil or international in nature. Of note, if war exclusions are too broad, they often encompass acts of cyber terrorism.
Some Lloyd’s of London insurers are adopting more extensive exclusionary language that would limit coverage regardless of whether war was declared by a government. This would further limit a firm’s recovery for losses resulting from downstream impacts of a cyber event guided by a government. Per the Lloyd’s Market bulletin Y5381, “if not managed properly … [war related cyber] … losses have the potential to greatly exceed what the insurance market is able to absorb.” As of March 2023, Lloyd’s of London is now requiring any Lloyd’s-issued cyber liability policy to have a state-backed cyberattack exclusion that must, at a minimum:
- Ensure all key terms are defined clearly.
- Exclude any losses arising from a war (declared or not declared) if the policy does not already have a separate war exclusion.
- Provide clarity as to whether the policy excludes computer systems that are located outside any state that is affected by war or by a state-backed cyberattack, and exclude losses arising from state-backed cyberattacks that significantly impair either the security capabilities of a state or the ability of a state to function.
- Provide the basis by which the parties agree on how any state-backed cyberattack will be attributed to one or more states.
In conclusion, the cyber terrorism and war clauses in a company’s cyber liability policy will help insurers manage risks associated with potential damages resulting from war or acts of war. By the same token, it’s important for firms to carefully review policy terms and conditions to understand the extent of coverage provided. If in doubt, consulting with an insurance professional can provide further guidance and ensure proper coverage for cyber-related risks.
Eileen Garczynski is a senior vice president and equity partner of Ames & Gough. With over 30 years of insurance and legal experience, she leads the law firm initiative, focusing on the risk management and insurance needs of law firms. She is also a liaison to and former appointed member of the American Bar Association’s (ABA) Standing Committee on Lawyers’ Professional Liability and the former vice chair of the Insurance & Risk Management Committee for the Section of Intellectual Property Law of the ABA. She is a regular speaker at industry and bar-related events and a frequent writer of industry-related publications.
Opinions expressed here are the author’s own.