Wonkish: War Exclusions and Cyber Insurance

Coverage for acts of war has been long excluded from insurance coverage. What is changing now is the definition of war, specifically state-sponsored hacking within the context of cyber security. There has been dispute throughout the year over what constitutes war, and now, insurance companies are utilizing the war exclusions for state-sponsored cyberattacks. This concern raises “the possibility that a standard insurance exclusion initially aimed at infrequent, unpredictable crises might now eliminate coverage for acts of sabotage that are ever more frequent and far-reaching.” Who Will Pay the Price for Cyberattacks? - WSJ

There are two major developments in this area. The first is the Merck case. In 2017, Merck and other companies, including Mondalez, were hacked by NotPetya, which was considered to be a Russian state-sponsored cyber attack. Insurance companies tried to deny coverage, arguing it fell under the war exclusion. In December, a New Jersey Court ruled in favor of Merck, reasoning that “war exclusion in the company’s policy didn’t apply to NotPetya because the cyberattack didn’t involve violence, the use of armed forces or any “traditional forms of warfare.” Who Will Pay the Price for Cyberattacks? - WSJ

The Mondelez case is still pending. These cases will impact insurance coverage, especially when policy language is not specific and precise.

The second major development, Lloyds of London had announced that state-backed cyber

attacks will be excluded from stand-alone policies. This bulletin dated Aug. 16, states in part “In particular, the ability of hostile actors to easily disseminate an attack, the ability

for harmful code to spread, and the critical dependency that societies have on their IT

infrastructure, including to operate physical assets, means that losses have the potential to

greatly exceed what the insurance market is able to absorb.” Therefore, companies need to

shore up their defenses against cyber attacks, be able to identify and contain them in real-time and throttle or stop unusual actions.

Companies need to be aware that although the New Jersey court found for Merck, insurance

companies are responding by tightening and specifying their language in the war exclusion

space. It is becoming increasingly clear that insurance companies are willing to litigate the

nature of a cyber breach in an effort to deny coverage. Given the murky origination of cyber

attacks, the C-suite can no longer assume that insurance proceeds will mitigate the financial

impact of a cyber event. Forward-leaning companies are beginning to embark on a Y2K-like

process to ensure that sensitive data is centrally protected across the enterprise. Applications that cannot pass a data protection certification process are being retired in favor of zero trust, rules-based environments that offer better protection and contextual data use.

To learn more about data security & how Manetu can help, request a demo.