Summary
- Cyber threats: ransomware, phishing, and malware
- Insurance protection from cyber warfare
- Insurance carriers limiting silent cyber coverage and excluding cyber warfare
- Implications for policyholders and insurers
Insurance policies traditionally include exclusions for acts of war, which have been tested through litigation in numerous courts. With the rise of state-sponsored cyber warfare, policyholders and carriers alike must be aware of new issues involving policy interpretation specific to the digital age. As computers become weapons of war and the cloud becomes a new battlefield, insurance carriers are rethinking policy language and drafting additional exclusions in both cyber and non-cyber policies, which may significantly change insurance protections for policyholders.
Cybercriminals threaten companies and individuals through several types of attacks, such as ransomware, phishing, and malware. Cybercriminals use these methods to gain unauthorized access to private material with the intent to defraud, steal, ransom, or destroy confidential data. Other known threats include the use of distributed denial of service attacks, which flood networks with too many requests, rendering them inaccessible.
The COVID-19 pandemic gave rise to an unprecedented number of cyberattacks as criminals took advantage of network weaknesses to prey upon an increasingly remote workforce. In 2020, malware attacks increased by 358 percent and ransomware attacks increased by 435 percent compared with 2019. Post-pandemic statistics remain alarming. In 2022, cybersecurity experts identified 2.8 billion malware attacks with an average of 8,240 attempts per customer. Ransomware was present in nearly 30 percent of all malware data breaches. In 2022, the number of distributed denial of service attacks grew by 212 percent in the United States. Microsoft revealed more startling statistics in 2022, including an increase in password attacks by 74 percent and 710 million phishing emails blocked per week.
In America, malware infects one in three homes with computers, and at least 47 percent of adults have had their personal information exposed by cybercriminals. Businesses, small and large, continue to become victims of cyberattacks. In 2021, 61 percent of small businesses were the target of cyberattacks. In 2022, global cyberattacks increased by 38 percent, and 83 percent of organizations had more than one data breach in 2022. The year 2022 was the 12th year in a row that the United States had the highest-cost data breaches with an average of $9.44 million—$5.09 million more than the global average. This high-cost risk is concerning for both insurance carriers and policyholders.
Experts have identified many cybercriminals as nation-state actors operating sophisticated attacks that target victims through advanced technological skills. Explaining the current state of cybercrime, Microsoft released a 2022 report indicating that nation-state actors were behind increasingly complex cyberattacks and “[t]he advent of cyberweapon deployment in the hybrid war in Ukraine is the dawn of a new age of conflict.” The Center for Strategic and International Studies has published data revealing a shocking number of state-sponsored cyberattacks with multiple losses of millions of dollars each month. The escalation of these attacks has prompted businesses and insurance companies to question what, precisely, should be included in applicable insurance coverage.
Businesses facing an increased risk of falling victim to cyberattacks must consider what type of insurance coverage is necessary to protect them. Similarly, as cyberattacks increase and cause large value losses, insurance companies must identify coverage gaps that exist in their current policies and reevaluate coverage of these losses. Vulnerable insureds should consider the costs of purchasing stand-alone cyber insurance policies specifically intended to address these types of attacks. Insureds must understand that cyber-specific coverage is different from property coverage and may be necessary to protect them from these types of losses. Currently, policyholders should be particularly aware of a common exclusion included in many policies known as the hostile acts exclusion or war risk exclusion, which carriers have used to deny coverage for some cyberattacks. Insurance carriers should also remain informed about the current state of litigation involving this exclusion and its application to cybercrime because policies, as currently drafted, may unexpectedly provide for “silent cyber” coverage.
Many policies contain exclusions for acts of war, often labeled “Hostile/Warlike Action Exclusion” or “War Exclusion.” This exclusion had not been analyzed by courts in the context of a cyberattack until recently, in a New Jersey decision known as Merck & Co., Inc. v. Ace American Insurance Co. Merck was decided on May 1, 2023, in an appeal from an interlocutory order of the Superior Court of New Jersey, Law Division, in Union County. The opinion concerned a hostile/warlike action exclusion contained in an “all risks” property insurance policy.
Merck arose from an insurance coverage dispute for a $1.4 billion insurance claim related to a cyberattack referred to as NotPetya. Specifically, the court considered whether Merck & Co., Inc., should receive insurance coverage in response to the NotPetya cyberattack, which infected and damaged thousands of Merck’s computers in its global network. Merck operated as a multinational pharmaceutical company based in New Jersey. On June 27, 2017, a malware known as NotPetya infected Merck’s computer and network systems. According to experts, NotPetya was introduced to Merck through a server located in Merck’s Ukraine office that was running a tax software application known as M.E. Doc. The M.E. Doc. application was used by Merck and other companies operating in Ukraine. Cyber consultant Kroll Cyber Security concluded that the NotPetya cyberattack was likely devised by actors working for or on behalf of the Russian Federation. Given the nature of the attack and the connection to the Russian Federation, the defendant insurance carriers relied on the hostile/warlike action exclusion to deny coverage to Merck. This exclusion provided the following:
This policy does not insure against:
Loss or damage caused by hostile or warlike action in time of peace or war, including action in hindering, combating, or defending against an actual, impending, or expected attack:
(a) By any government or sovereign power (de jure or de facto) or by any authority maintaining or using military, naval, or air forces;
(b) Or by military, naval, or air forces;
(c) Or by an agent of such government, power, authority, or forces[.]
The trial court found that the hostile/warlike action exclusion did not bar coverage for Merck’s loss. In May 2023, the New Jersey Superior Court affirmed the decision of the trial court.
For as long as courts have been adjudicating the issue, various courts have analyzed and developed the hostile/warlike action exclusion in non-cyber-related contexts. The act-of-war doctrine, rooted in insurance law, provides that insurance policies typically exclude coverage for losses that arise from war-related activities. The reasoning behind the doctrine is that insurance policies were not calculated to cover losses for unforeseeable incidents. More recently, some insurance carriers have argued that the act-of-war doctrine should apply in the context of a cyberattack because cyberattacks constitute acts of war and fall outside the scope of coverage.
However, the court in Merck noted that insurance carriers have failed to modify the language of the policy to reasonably place the insured on notice that the policy is intended to exclude cyberattacks. The court found that it was reasonable for Merck to expect that the hostile/warlike action exclusion applied only to traditional forms of warfare. Insurance law scholars have determined that the terms “war” and “hostilities” are terms of art that describe the use of armed forces between rival states. Insurance law scholars have also advised that the U.S. government should refrain from broadening the legal definitions of these terms despite the growing threat of malicious cyber activity.
While the insurance carriers in Merck acknowledged that the word “warlike” may not apply to the NotPetya malware attack, the carriers asserted that the word “hostile” should be interpreted broadly to mean a showing of ill will or a desire to harm. The insurance carriers asserted that any action that reflects the actor’s ill will or a desire to harm should be encompassed in the hostile/warlike risk exclusion if the actor is a government or sovereign power. Despite the insurers’ assertion, the court in Merck held that the hostile/warlike action exclusion requires the involvement of military action. Moreover, the court held that the exclusion does not bar coverage for damages arising out of government conduct motivated by ill will.
Insurance policies have included “war exclusions” for centuries. In a decision known as Diamond Shamrock, the court evaluated coverage under the liability policies issued to Diamond Shamrock, which manufactured the herbicide Agent Orange. The court had to determine whether the policies covered liability for pollution discharges in the United States caused by Diamond Shamrock’s intentional conduct. In addition, the court analyzed whether a war risk exclusion barred coverage for money Diamond Shamrock paid in a class action settlement initiated by Vietnam veterans who were exposed to Agent Orange while stationed in Vietnam.
The Diamond Shamrock decision clarified that the purpose of a war risk exclusion is to relieve an insurer of liability when it is impossible to evaluate the risks, such as the special hazards of war. In addition, the court in Diamond Shamrock reasoned that Agent Orange constituted an instrument of war and that the principal purpose of Agent Orange was to wage war in Vietnam. The court held that the exclusion applied because the occurrence of the injury to the veterans happened outside the United States and the liability of the insured was a consequence of war.
The insurance carrier defendants in Merck claimed that the Diamond Shamrock decision supported their position that the hostile/warlike action exclusion should apply because the Diamond Shamrock decision applied the exclusion to injuries sustained as a result of exposure to Agent Orange, despite the fact that the exclusion did not specifically identify that type of warfare. However, the court in Merck rejected the insurance carriers’ argument, stating that the Diamond Shamrock decision excluded coverage for injuries to military personnel who were actively engaged in a war and who sustained those injuries due to a chemical used for the sole purpose of waging a war.
In another decision, Stanbery v. Aetna Life Insurance Co., a mine explosion resulted in the death of the plaintiff’s husband, who was serving in the U.S. Army in Korea. The plaintiff asserted that the war exclusion did not apply because the conflict did not qualify as a war and was merely a police action. In addition, the plaintiff emphasized that only Congress had the ability to declare war. The court in Stanbery explained that there is a distinction between the legalistic, technical construction of the word “war” and the realistic interpretation of the word when used in private contracts or documents. Furthermore, the court reasoned that the conflict in Korea qualified as a war in the ordinary and usual meaning of the word. The ordinary meaning of the word “war” is actual hostilities between the armed forces of two or more nations or states de facto or de jure.
Application of a hostile/warlike action exclusion in the context of cyberattacks presents two serious issues. First, an insurer must determine if the conduct is attributable to a sovereign state; second, the insurer must determine if the conduct responsible for the loss qualifies as “warlike.” In International Dairy Engineering Co. v. American Home Assurance Co., the court held that the war exclusion applied because the flare that started a fire responsible for causing property damage was dropped in connection with military operations or in connection with a combat operation against enemy forces.
It is often difficult to identify the perpetrator of a cyberattack. While governments have the greatest advantage in identifying the perpetrator, they may not do so publicly. In addition, governments may disagree and deflect the blame on one another when identifying the source of a cyberattack.
Another major issue arising from a cyberattack is that once a perpetrator is identified, it may be difficult to establish the relationship between the perpetrator and the relevant nation-state. Moreover, the hostile/warlike action exclusion provides little to no guidance as to what level of state involvement is required to attribute a cyber operation to a state. Because the exclusion fails to address these types of coverage questions arising from a cyberattack, carriers are now seeking to revise their policy language to specifically address these issues.
Carriers have been revising policies to avoid “silent cyber,” a term used to describe unintended coverage of cyber claims in non-cyber policies. Now, with the ongoing and significant cyberattacks by state actors, carriers are revising exclusions in cyber and non-cyber policies. The NotPetya cyberattack of 2017 and other cyberattacks, such as WannaCry, are just some of the large-scale cyberattacks that have affected the insurance industry. According to Property Claim Services, an internationally recognized resource for loss data in the insurance industry, the total industry loss from the NotPetya cyberattack has now passed $3 billion, roughly 90 percent of which was silent cyber.
These significant losses and recent coverage decisions surrounding cyberattacks are leading the insurance industry to eradicate unintended coverage of cyber claims in non-cyber policies. As cyberattacks become more prevalent, risks of silent cyber coverage are having an impact on multiple lines of business beyond cyber policies, including commercial general liability, property, business interruption, directors’ and officers’, errors and omissions, and kidnap and ransom policies. In the last few years, Lloyd’s, Allianz, and AIG began implementing policy changes to reduce or eliminate silent cyber exposure. In January 2019, the Prudential Regulatory Authority required insurers to put in place an action plan to reduce unintended cyber exposures.
Lloyd’s, which had previously eliminated silent cyber from all-risk policies like the one at issue in Merck, also narrowed its stand-alone cyber policies post-Merck by adding new exclusions addressing state-backed or nation-state cyberattacks. Specifically, on August 16, 2022, Lloyd’s issued Market Bulletin Ref: Y5381 stating that as of March 31, 2023, Lloyd’s insurers will be required to exclude losses in all cyber insurance policies arising from state-sponsored cyberattacks. The policy changes include:
1. excluding losses arising from a war, whether declared or not;
2. excluding losses arising from state-backed cyberattacks that significantly impair either the ability of a state to function or the security capabilities of a state;
3. clarifying whether the policy excludes losses arising from computer systems located outside any state affected by the state-backed cyberattack; and
4. setting out a basis by which the parties agree on how any state-backed cyberattack will be attributed to one or more states.
Lloyd’s Market Association’s (LMA’s) revised cyberwar exclusions, which became effective on March 31, 2023, include the following clauses: LMA5564A and LMA5564B; LMA5565A and LMA5565B; LMA5566A and LMA5566B; and LMA5567A and LMA5567B. These clauses replace the original suite of cyberwar clauses (LMA5564–LMA5567). The “A” versions meet the requirements of Market Bulletin Y5381, while the “B” versions do not address attribution to a state and require prior agreement from Lloyd’s. The most common exclusion now used by Lloyd’s post-Merck is LMA5567A, which does not provide a blanket exclusion for nation-state attacks. Instead, the exclusion applies when there is harm occasioning a “major detrimental impact” to the functioning of the state. The term “major detrimental impact” is intended to articulate the severity of systemic damage required to trigger application of the exclusion.
An additional consideration when developing cyberwar exclusions is a focus on specific language that aids in the interpretation of which types of actions constitute “war” or “armed conflict” and which types of actions might fall outside the scope of these terms. An effective cyberwar exclusion should seek to bar coverage for any cyber operations initiated by parties to an armed conflict. Many critics have argued that these changes leave many questions remaining as to the application of the exclusion.
One approach that insurance carriers have pursued in attempting to address the issues presented by a cyberattack is to soften the cyberwar exclusion by drafting a type of carve-back coverage for “cyberterrorism.” The purpose of this carve-back coverage is to address an attack that affects computer systems not located in the affected states. A standard definition of cyberterrorism would state the following:
Cyberterrorism means the use or threatened use of disruptive activities against the insured’s computer system committed with the intent to further stated social, ideological, religious, economic, or political objectives.
As demonstrated in this example, some insurance carriers believe that the definition should specify the hackers’ objectives for the attack. However, critics have indicated that the term “stated” should be removed from the definition because it will likely be challenging to establish the hackers’ objectives for a cyberattack. The inclusion of the phrase “intend to cause harm” will provide an insured more flexibility in the event of a claim denial or coverage dispute because it will encompass cyberattacks that merely intend to cause harm instead of requiring that an insured establish the stated objective for the cyberattack.
In addition, insurance carriers are considering refining policy language that ensures carve-back coverage for all computer systems affected by a cyberattack. Some policy forms cover only cyberattacks against an insured’s own computer systems. For instance, if a hacker breaches a third-party provider’s systems during a time of war or hostility, which ultimately results in first-party damage to the insured, there is a gap in coverage for the insured. Nonetheless, while some carriers are seeking to provide coverage for all computer systems, other carriers are currently developing war exclusions intended to exclude coverage for any affected computer systems physically located in the impacted state.
While it is evident that insurance carriers are working hard to implement policy changes required to address the coverage issues presented by modern-day cyberattacks, much more work remains to be done.
In the current cyber age, policyholders must identify necessary coverage for potential cyberattacks and be aware of coverage limitations. At the same time, carriers must be specific in identifying intended coverage and exclusions. Recent coverage decisions continue to affect silent cyber coverage and coverage for cyber warfare. In response, insurers continue to make efforts to eliminate the confusion.
Critics have deemed some of these newly implemented policy changes to be confusing, disruptive, and unhelpful, leaving many issues unanswered. For example, brokers have expressed grave concern regarding the development of cyberwar exclusions. Brokers are most concerned over a lack of clarity in cyber exclusions, and they fear that unless specific advice is rendered to clients regarding the type of coverage they are purchasing, there may be conflicting opinions as to how far that coverage extends. There is a strong likelihood that opinions will differ over the reliability of attribution to a state and the time it takes to determine attribution.
While policyholders attempt to navigate the uncertainty of cyberattacks, they should consider several issues. First, if a policyholder experiences a cyberattack, the policyholder should avoid speculating about the identity of the actor responsible for the cyberattack when reporting a claim because this speculation could serve as a basis for a coverage denial. Second, a policyholder should consider hiring a cybersecurity lawyer, aside from any lawyer appointed by the insurance carrier. Third, a policyholder should rely solely on a coverage letter issued by its insurance carrier regarding the coverage available, rather than relying on an assurance from a broker. Fourth, due to the rising threat of cyberattacks, policyholders should begin to carefully review their coverage now, with the assistance of an attorney, to prepare for future coverage issues. Proactive measures by both policyholders and carriers will help limit future implications of this new threat within the insurance industry.