This article is from RISQ Consulting’s Zywave client portal, a resource available to all RISQ Consulting clients. Please contact your Benefits Consultant or Account Executive for more information or for help setting up your own login.
Wars can cause widespread devastation and emotional turmoil among affected communities. These conflicts may also result in significant losses for impacted businesses. Yet, securing adequate insurance coverage for damages stemming from acts of war could prove particularly challenging. In fact, war exclusions are commonly found within commercial insurance policies. Although these exclusions are fact-specific and often vary between policies and insurers, they generally state that damages from “hostile or warlike actions” by a nation-state or its agents won’t receive coverage. Such exclusions were created to help protect insurers against potentially systemic losses that may arise amid attacks by governments, their militaries or associated groups.
Cyber insurance policies are no exception to war exclusions. However, the rise of nation-state cyberattacks and the growing number of cross-border cyberthreats have raised questions about how these exclusions should be interpreted in the realm of digital warfare. Additionally, recent court cases and insurance industry adjustments have both broadened and narrowed the scope of war exclusions, further muddying the waters for policyholders.
Considering the continued expansion of digital exposures, the complexities of cyber coverage and the evolving policy language surrounding war exclusions, businesses must think proactively when evaluating their insurance programs for proper protection against cyberwarfare. This article provides more information on war exclusion developments and related cyber insurance implications, as well as best practices businesses can use to better safeguard themselves against nation-state cyberattacks.
Court Case Developments
In recent years, court cases regarding insurance claims filed for damages resulting from the 2017 NotPetya cyber incident have narrowed war exclusions as they pertain to digital warfare. Specifically, a New Jersey trial court’s 2021 ruling in the case of Merck & Co. v. ACE American Insurance Co. determined the insured’s “all-risk” property policy should provide coverage for damages caused by the alleged nation-state incident, highlighting that the policy’s war exclusion failed to include language on digital warfare.
The NotPetya incident involved destructive malware that presented itself as ransomware but was built to render data unrecoverable rather than to collect ransoms. It spread to thousands of systems and hundreds of companies across several countries, causing billions of dollars in damages. The initial infections arrived through a compromised update to a widely used Ukrainian tax accounting application, and the majority of the attacks occurred in Ukraine on the day before the country's Constitution Day, leading cybersecurity experts to believe the incident was a politically motivated event perpetrated by the Russian government; the U.S. and U.K. governments later formally attributed it to Russia. In addition to Ukraine, affected countries included France, Italy, Poland, Germany, the United Kingdom and the United States.
Merck & Co., a U.S. pharmaceutical company, was among the companies impacted by the incident. The company reported damage to nearly 40,000 of its computers, totaling $1.4 billion in overall losses. Although the company's $1.75 billion all-risk property insurance policy offered coverage for damages resulting from the destruction or corruption of computer data and software, its claim for the incident was denied. The company's insurer, ACE American Insurance Co., cited the policy's war exclusion as justification for denying the claim, categorizing the incident as a hostile act on the part of the Russian government.
Following the rejected claim, Merck & Co. filed a lawsuit and took its insurer to court. The court ultimately ruled in favor of the insured, explaining that the policy’s war exclusion wording didn’t specifically address digital warfare, causing the insured to reasonably believe that the exclusion only applied to losses resulting from traditional, physical acts of hostility.
The court also emphasized that, with nation-state cyberattacks on the rise, the insurer should have changed the policy’s language to clearly incorporate digital hostilities within its war exclusion if it wanted to negate such coverage. Because it failed to do so, ACE American Insurance Co. was ordered to pay out the insured’s claim.
Insurance Industry Developments
In response to the previously mentioned court case (and similar rulings), insurers have made various adjustments to protect themselves from unanticipated claims and subsequent losses related to cyberwarfare. Primarily, insurers are becoming more selective in underwriting, using more extensive application processes and requiring insureds to provide detailed documentation of their cybersecurity practices. Furthermore, insurers are exploring ways to ensure their policy language, namely the wording of war exclusions, provides clear and consistent guidelines for what is and isn't covered, particularly in the context of digital warfare.
Global insurance industry leaders have also adopted initiatives aimed at addressing coverage concerns related to cyberwarfare. For example, the Lloyd's Market Association (LMA), the trade body representing underwriting businesses in the Lloyd's of London market, introduced four model cyber war exclusions in November 2021 for insurers to consider. These exclusions, which were designed specifically for standalone cyber insurance policies, contain varying restrictions on protection against losses caused by digital warfare, ranging from no coverage whatsoever to limited coverage for incidents that fall below certain thresholds.
Insurers across the globe can adopt these exclusions directly or use them as a reference point for crafting their own policy exclusions. The exclusions are intended to give insurers greater certainty in determining possible cyberwarfare liabilities and to broaden the scope of war exclusions as a whole. Yet, it's important to note that the LMA's exclusions may still present clarity issues and misinterpretation concerns regarding the extent of coverage provided for various incidents. In particular, several of the model clauses hinge on whether an attack can be attributed to a state, and attribution of a cyberattack is often slow, contested or never made public at all.
After all, some industry experts have argued these exclusions’ introduction of ambiguous terms and use of vague guidelines for identifying attack attribution could lead to further coverage confusion. In addition, it’s unclear whether they will create conflicting or overlapping coverage complications when applied within wider insurance programs.
As a result, it’s critical for insurers and insureds to openly communicate about policy definitions and specific coverage capabilities, especially as it pertains to protection against digital warfare. Such communication will help ensure both parties are on the same page, minimizing potential issues when claims arise.
Cybersecurity Best Practices
Apart from fostering open communication with their insurers about coverage for losses stemming from digital warfare, it’s also vital for businesses to take steps to prevent and mitigate these losses. Such steps may also reduce potential insurer apprehensions when it comes to providing adequate coverage for damages caused by cyberwarfare.
Businesses can leverage the following best practices to help avoid and effectively respond to nation-state cyberattacks:
- Understand specific exposures. Different businesses have varying digital exposures to nation-state cyberthreats. Therefore, it’s best for businesses to assess their specific operations and determine their likelihood of being targeted by foreign attackers. Senior leadership teams and trusted IT professionals should be actively involved in conducting these assessments. From there, businesses should adopt security measures and digital procedures catered to their particular exposures.
- Have a plan. Cyber incident response plans are essential for businesses across industry lines. These plans establish timely response protocols for remaining operational and mitigating losses amid cyber incidents. Successful incident response plans should outline potential cyberattack scenarios (including those involving foreign attackers) and methods for maintaining key functions during these scenarios, as well as the individuals responsible for doing so. These plans should also specify when to contact external parties (e.g., law enforcement, legal counsel, IT specialists and insurance professionals) for assistance in investigating and resolving cyber incidents; notifying the insurer promptly and preserving evidence of the attack matter both for the investigation and for any later claim. Plans should be properly communicated and routinely exercised through activities such as tabletop exercises and simulated attacks (including penetration testing) to ensure effectiveness and identify ongoing security gaps. Based on the results of these activities, response plans should be adjusted as needed.
- Utilize proper security software. A wide range of security software can help businesses better detect and deter nation-state cyberattacks. Essential tools to consider include network monitoring systems, data backup and encryption services, antivirus programs, firewalls, multifactor authentication, endpoint detection products and patch management tools. Because destructive malware such as NotPetya wipes whatever it can reach, backups should be kept offline or otherwise immutable and restored from periodically to confirm they work. Such software should be deployed on all workplace technology and updated regularly.
- Follow government guidance. Lastly, businesses should ensure their cybersecurity practices align with guidance from applicable government agencies, such as the Cybersecurity and Infrastructure Security Agency (CISA).
In summary, digital warfare has become a growing concern amid expanding nation-state cyberthreats. By understanding how their insurance policies will respond to losses stemming from cyberwarfare and taking action to minimize these losses, businesses can successfully navigate this evolving risk landscape.
For additional insurance guidance and solutions, contact us today.
By Joshua Weinstein, Employee Benefits President
Without risk, life would be drab. Without the opportunity to fail, success, and even life, loses its luster and meaning. For example, if a cliff dive ensured absolutely no harm, would it be quite as thrilling or appealing? If presenting in front of others had a 100% chance of going flawlessly, what significance would your preparation and "learning from mistakes" have? Life is not defined by the easy, but rather by slogging through some suffering. That being said, humanity can generally plan toward good outcomes by acknowledging and addressing life's unseen "slippery banana peels" as best as possible. Risk isn't an inherent problem. It's not unexpected. It's quite manageable, and it can teach all of us boatloads. The best-run businesses have figured out how to manage risks so they can focus on growth and not on threats.
RISQ Consulting will help you be smart about risks through our proprietary Business HealthIQ™ (BHIQ) process. The BHIQ is a collaborative journey that assesses and inventories your organization's risks across key areas, such as workforce, compliance, technology, employee benefits and general risk management. You will work with a strategic consultant, and a plan will be constructed that encompasses the goals of your organization in conjunction with the most suitable approaches to addressing risk wisely.
Want to learn more? Try out a mini, self-guided version of the BHIQ to see how the planning begins. You'll get a summary in a few minutes that provides some tangible next steps on how to be strategic with your risks.
- We can mutually decide how best to prevent unwanted things from happening, such as high rates of employee turnover.
- We can mitigate risks such as data loss and errors by advising on consolidated technology platforms and tools that are right for your industry and mission.
- We might choose to transfer risks to a third party when doing so adds efficiencies, reduces exposures and costs, and improves your ability to focus on your business's core mission.
- Sometimes, retaining or assuming risk is the smart play, even up to a specified amount. Keeping some liability on your financials can reduce premium costs and often improves leadership involvement in creating great outcomes for your business.