By: Felton (Mac) Johnston.
In the crucible of claims and losses, insurance underwriters may learn not just how they are doing, but what they are doing. Claims sometimes cast the light of interpretation on new wordings and also on some tried and true language that is upended by a new peril or found wanting when it occurs. Cyber harm is such a peril, and both the standard war risk exclusion and the provisions of a political violence policy that may previously have served the market well may now need to be reconsidered in light of new issues presented by cyber risk.
Anyone paying attention to such matters will be aware of the NotPetya cyber ransomware attack in 2017 that immobilized many companies’ computer systems. The global attack affected enterprises in manufacturing, construction, shipping, pharmaceuticals and other industries, and resulted in aggregate losses estimated in the billions of dollars. One victim, Mondelez International, a food conglomerate, sustained major damage to its servers and laptops. Mondelez brought a claim against its property insurer, Zurich, based on policy coverage for loss due to physical loss or damage to property, electronic data, programs or software, as well as business interruption losses caused by malicious cyber-attacks. The policy had language excluding “hostile or warlike acts” by a sovereign. Zurich has disputed the claim based on that exclusion, relying on a general belief that the attack was state-sponsored, specifically by the Russian government. Mondelez is suing. The heart of the case appears not to be the reality of the sovereign’s involvement but its intent, which arguably could have been commercial or otherwise malicious, but not hostile or warlike.
One does not have to take sides in the Mondelez matter to recognize the implications for everyone who wants coverage against cyber losses and purchases such a policy with a standard war exclusion clause, and for their insurers.
CYBERWAR: MARCHING FROM THE SOUND OF CYBERFIRE
Cyber risk is present in almost every modern endeavor because of the digitization of nearly every enterprise and their resulting vulnerability to malicious cyberattacks and crippling losses. Cyber insurance generally covers extra expense following an attack, liability to third parties for failure to prevent or contain an attack, and possibly property damage resulting from an attack. And as with most insurance, cyber insurance comes with a war risk exclusion, like this one:
“Notwithstanding anything to the contrary contained herein this Policy does not cover Loss or Damage directly or indirectly occasioned by, happening through or in consequence of war, invasion, acts of foreign enemies, hostilities (whether war be declared or not), civil war, rebellion, revolution, insurrection, military or usurped power or confiscation or nationalisation or requisition or destruction of or damage to property by or under the order of any government or public or local authority.”
Such exclusions are a feature of most insurance policies, reflecting the insurance industry’s awareness that modern warfare has the potential to cause unsustainable aggregate losses. Courts have generally viewed “war” as something undertaken by a sovereign, so a war exclusion might not bar coverage if an act cannot clearly be attributed to a sovereign. And even if it can be, the sovereign’s motivation may be another issue.
Just as insureds want protection from cyber war attacks, insurers, particularly cyber insurers and political violence insurers who are exposed to such risks outside their home countries (where their governments may backstop such losses), generally want to avoid liability for such attacks, for the same reasons that insurers resort to war exclusions clauses – the potential for catastrophic aggregate losses, and perhaps because cyber warfare is an evolving threat whose dimensions and potential manifestations are difficult to anticipate.
But the problem for all parties doesn’t end there. Cyberwar isn’t the only cyber hot potato. Cyberterrorism is at least as problematic as cyber war.
CYBERWAR AND CYBERTERRORISM EXCLUSIONS
Terrorism has long been a fact of life for many countries but in the last half century it has become more common, more global, more destructive, and more of a concern for businesses operating domestically or abroad. Most of the insurance market has responded to that concern, as it has to war, by trying to avoid the peril, through modification or clarification of the standard war risk exclusion.
One definition of cyberterrorism is: “the premeditated use of disruptive activities against any computer system or network, or the explicit threat to use such activities, with the intention to cause harm, further social, ideological, religious, political or similar objectives, or to intimidate any person(s) in furtherance of such objectives.”
An approach some insurers have taken to clearly carve out cyberwar risk is to apply a “Government Action” exclusion for losses resulting from “seizure, confiscation, nationalization, breach of security, use, misuse or destruction of a computer system or electronic data by or on behalf of any government, military, enforcement or other public body or authority….” This may deal with cyberwar, but it doesn’t fix the cyberterrorism problem, where no government body may be involved.
One way to carve terrorism (cyber or otherwise) out of a policy is to add any act of terrorism to the litany of excluded events, with an act of terrorism defined thus:
“For the purpose of this endorsement an act of terrorism means an act, including but not limited to the use of force or violence and/or the threat thereof, of any person or group(s) of persons, whether acting alone or on behalf of or in connection with any organization(s) or government(s), committed for political, religious, ideological or similar purposes including the intention to influence any government and/or to put the public, or any section of the public, in fear.”
WAR AND TERROR COVER MAYBE, BUT NOT IN CYBER FORM
That might nail it down for most insurers, including cyber insurers, but political violence insurers, public or private, who explicitly take on war and terrorism perils, have a more-or-less opposite problem. Their policies typically promise to indemnify the insured for “damage to, or destruction of physical assets …. (other than precious metals, gems, works of art, money or documents)…where damage or destruction is directly caused by Political Violence in the Host Country.” Political Violence then may be defined as “a violent act undertaken with the primary intent of achieving a political, ideological or religious objective including by not limited to Willful Destruction, War, Civil War, Revolution, Coup d’Etat, Civil Commotion, Insurrection, Riot, Terrorism, Rebellion, Strike or Sabotage.” Or they may exclude such things as strikes, riots, or civil commotion, depending on the insurer. Business interruption cover may also be available.
To make sure that cyber-terrorism is excluded from policies that otherwise cover war and/or terrorism, wording like the following Lloyd’s CL 380 clause is meant to close that door firmly:
“In no case shall this insurance cover loss, damage, liability, or expense directly or indirectly caused by, or contributed to, by, or arising from, the use or operation, as a means of infliction harm, of any computer, computer system, computer software program, malicious code, computer virus or process or any other electronic system…”
MORE EASILY SAID THAN DONE
Although wanting to avoid exposure to the novelty and threat of cyber war and cyber terrorism, political violence insurers find doing so may raise certain difficulties.
An awkward problem is that when you add a clarification to a policy, even when preceded by the defensive language “for the avoidance of doubt…” the clarification itself suggests that earlier – and still outstanding – policies could then be assumed to cover the newly excluded risk.
And then there is the matter of competition. Insureds do not like protections to be taken away, and as long as some political violence insurers will offer cyberwar/terrorism cover, or at least don’t say they exclude it, there will be some competitive pressure on others to stay the course.
Some political violence insurers are said to exclude cyber risks with explicit wording while being willing to entertain a buy-back of that protection, at a price.
There is expertise in the matter of cyberwar and cyberterrorism, but that doesn’t mean that cyber risk insurers or political violence insurers yet have a complete understanding of those perils and of the potential interplay between potential events and policy wordings sufficient to enable them to comfortably assume the risks involved. Perhaps some clever underwriters and brokers with expertise in both specialties will come up with solutions to bridge the gap between both market segments in the manner that each can each can live with. But standing in the way of that is the uncertainty that surrounds cyber war and cyber terrorism. There is no substantial actuarial or even very much anecdotal information about cyberwar or cyberterrorism risks that has arisen out of the crucible of losses and claims, and in addition to issues about the source and motivation of cyber events there remains much to be understood about the direct and indirect reverberations of cyber-attacks that lead to losses.