• Juan F. Conde

Wonkish: War Exclusions and Cyber Insurance

Updated: Oct 6

Acts of war have long been excluded from insurance coverage. What is changing now is the definition of war, specifically as it applies to state-sponsored hacking in the context of cyber security. There has been dispute throughout the year over what constitutes war, and insurance companies are now invoking war exclusions for state-sponsored cyberattacks. This concern raises “the possibility that a standard insurance exclusion initially aimed at infrequent, unpredictable crises might now eliminate coverage for acts of sabotage that are ever more frequent and far-reaching.” (Who Will Pay the Price for Cyberattacks? - WSJ)


There are two major developments in this area. The first is the Merck case. In 2017, Merck and other companies, including Mondelez, were hacked by NotPetya, which was considered to be a Russian state-sponsored cyberattack. Insurance companies tried to deny coverage, arguing that the attack fell under the war exclusion. In December, a New Jersey court ruled in favor of Merck, reasoning that the “war exclusion in the company’s policy didn’t apply to NotPetya because the cyberattack didn’t involve violence, the use of armed forces or any ‘traditional forms of warfare.’” (Who Will Pay the Price for Cyberattacks? - WSJ)


The Mondelez case is still pending. These cases will impact insurance coverage, especially when policy language is not specific and precise.


The second major development is that Lloyd's of London has announced that state-backed cyberattacks will be excluded from stand-alone policies. The bulletin, dated Aug. 16, states in part: “In particular, the ability of hostile actors to easily disseminate an attack, the ability for harmful code to spread, and the critical dependency that societies have on their IT infrastructure, including to operate physical assets, means that losses have the potential to greatly exceed what the insurance market is able to absorb.” Therefore, companies need to shore up their defenses against cyberattacks, be able to identify and contain them in real time, and throttle or stop unusual actions.


Companies need to be aware that although the New Jersey court found for Merck, insurance companies are responding by tightening and specifying their language in the war exclusion space. It is becoming increasingly clear that insurance companies are willing to litigate the nature of a cyber breach in an effort to deny coverage. Given the murky origination of cyberattacks, the C-suite can no longer assume that insurance proceeds will mitigate the financial impact of a cyber event. Forward-leaning companies are beginning to embark on a Y2K-like process to ensure that sensitive data is centrally protected across the enterprise. Applications that cannot pass a data protection certification process are being retired in favor of zero trust, rules-based environments that offer better protection and contextual data use.

