German bombs battered Guernica in the spring of 1937. Amid Spain’s brutal civil war, the Luftwaffe demolished more than seventy percent of the town’s buildings in less than three hours. They took countless lives too. No one had envisioned the day that bombers could flatten an entire town in a single afternoon. Property insurers certainly hadn’t. They soon realised it wouldn’t take many Guernicas to wipe out the balance sheets. They responded by adding exclusions to policies for acts of war – a move reflected in contracts to this day.
Now insurers are moving to address war again. This time the concern is cyber war – specifically, attacks so catastrophic that they cripple a nation’s ability to function. Lloyd’s of London have mandated the exclusion of such scenarios from March 31st of this year. Some in the market are resisting the move.
Insurance brokers are suspicious when new exclusions appear. And rightly so; they usually signal a reduction in cover for policyholders. They present problems for brokers when clients discover they don’t have the cover they thought they did.
Misrepresented
But that’s not what’s happening here. The Lloyd’s mandate has been consistently misrepresented as a requirement to exclude all nation state attacks. This is simply not true. Cyber policies will cover nation state attacks as they have always done.
The requirement is to exclude attacks that are so catastrophic in nature that they destroy a nation’s ability to function. Think the digital equivalent of a nuclear strike. This remotest of possibilities, like a nuclear strike, is not one that insurers can cover as standard. Which is why existing war exclusions already exclude it. New cyber war exclusions will merely clarify that position.
The accepted definition of war has expanded. Mainstream global security organisations now accept that modern war includes cyber-attacks. Article 2(4) of the United Nations Charter prohibits the threat or use of force by one state against another. This applies to nation state conduct in cyberspace. While armed attack is still considered the most serious use of force, cyber-attacks fall under this definition too. In 2019, NATO, the world’s largest military alliance, confirmed this. Secretary General Jens Stoltenberg announced that a “serious cyber-attack could trigger article 5”, a reference to the collective self-defence clause at the heart of NATO’s founding treaty.
This position is also backed by national governments. A policy paper published in June 2021 confirmed the UK’s stance that “an operation carried out by cyber-means may constitute an armed attack”. And as far back as 2011 the United States made clear its right to respond to cyber-attacks with military force. Today, US Cyber Command sits alongside the army, navy and air force within the Department of Defense.
War means war
From an insurance perspective, this means that traditional war exclusions now apply to a wide range of cyber scenarios. These exclusions are broad in scope. They exclude cover for everything from “war” and “insurrection” to “military action, whether war is declared or not”. Most do not specify that excluded acts of war must be physical in nature. This means that all these excluded terms can now extend to cyber-attacks. As the definition of war itself gets broader, so too does the scope of traditional war exclusions.
Policyholder concern should not end there. Traditional war exclusions also have no minimum impact threshold. If a cyber-attack fits into one of the many broad terms used to define “war” then insurers can reach for the exclusion, regardless of how big or how serious the attack was. They also don’t specify where “war” must be happening. A cyber act of war against one nation could affect victims in other nations. But traditional war exclusions do not discern between intended and unintended targets. This allows even broader application of the exclusion.
Some companies have discovered this the hard way. Russia’s 2017 malware attack, NotPetya, targeted Ukraine but then spread to infect companies around the world. One of the victims, Merck & Co, a US pharmaceutical company, tried to claim $1.4 billion worth of losses from their insurer after the malware destroyed large parts of their network. They were claiming under a property policy, but one which included cover for data destruction. Insurers declined cover using the traditional war exclusion. Merck sued for damages and while a New Jersey trial court has initially found in their favour, that decision is currently being appealed by insurers.
Merck weren’t the only ones facing uncertainty. Mondelez, a US food and beverage giant, also suffered from NotPetya, submitting a $100m claim. Insurers denied the claim, again citing the traditional war exclusion. Mondelez had to endure a multi-year legal battle before settling out of court for an undisclosed sum.
The problem – especially for small businesses who can’t afford to take their insurer to court – is the broad definition of ‘war’ in policies. The language is generic and unspecific which means that insurers can opt to use it in a very wide range of situations. NotPetya was not an attack directed at the US. Nor did it have a major detrimental impact on the US. So American companies, like Merck and Mondelez, should have had clear, unambiguous cover. Instead, broad traditional war exclusions in both standalone and package cyber policies mean customers are at the mercy of whatever their insurer decides.
Get specific
This is why we need change. It is in the interests of brokers and their customers that cyber war is specifically – and narrowly – defined so that coverage is crystal clear. New definitions of cyber war should include three things – that traditional war exclusions don’t – to make their intent explicit.
First, they need a very high impact threshold before the exclusion triggers. The exclusion should not come into play unless a targeted state suffers a major detrimental impact on its ability to function. This will ensure that there is no scope for policies to exclude nation state attacks which fall short of true acts of cyber war. Traditional war exclusions do not have minimum impact thresholds. They can currently apply to attacks that are not serious enough to have any major impact on a state. Specific cyber war language here narrows the scope of the war exclusion. This broadens cover for policyholders.
Second, any assets outside the impacted state should be explicitly covered. NotPetya saw organisations outside Ukraine get hit when the malware spread. Most were in countries that did not suffer a major detrimental impact. But they could still be subject to traditional war exclusions which do not discern between the location of victims. Merck are discovering this the hard way. A definition of cyber war which expressly covers assets outside the impacted state removes this problem for policyholders.
Finally, cyber-attacks should only be considered acts of cyber war when clearly perpetrated or sponsored by another nation state. One of the main criticisms of attempts to define cyber war is the murky world of attribution – the process of proving who was ultimately responsible for a cyber-attack. This criticism is valid. Attribution exercises for individual attacks are lengthy and difficult. Their conclusions are also influenced by political motivations.
But such attribution exercises are not needed here. The sky-high impact threshold needed to trigger the definition of cyber war will mean that only a nation state can have perpetrated the attack. The impact on the target state will be immediate and obvious, making it quick and easy to decide whether an exclusion using this language comes into play.
As with Guernica, the nature of warfare has changed, and the insurance industry is moving to keep up. But unlike the original war exclusion it is moving to clarify cover rather than remove it. Done correctly, cyber events will become subject to narrowly defined cyber war exclusions instead of broadly defined traditional ones. The result is a broader policy for customers. They will benefit from a much smaller set of extreme scenarios in which the war exclusion is applicable – scenarios that we hope to never face.
Those left subject to traditional war exclusions should seek absolute clarity on when they apply. Because they may end up fighting their own battles over how far that definition of war extends.
You can read the original article on LinkedIn.
To hear more about the CFC cyber war policy update, catch our upcoming webinar with live Q&A on Thursday, June 1, 9 AM PCT | 12 PM EDT