Executive Summary

Companies should be aware that, as a result of increasing geopolitical instability, there is a heightened risk of cyber-attacks. Particularly in light of the Merck case, they should therefore consider closely examining the scope of their insurance policies to ensure sufficient coverage.

Loss from cyber-attacks

The use of cyber-attacks is a common feature of geopolitical disputes,¹ and there is evidence that hacks on private and public organisations are on the rise, including the emergence of a new, data-wiping malware.² Termed ‘HermeticWiper’ by ESET, a Slovakia-based cybersecurity company,³  it has been claimed that the “sophisticated and targeted” attack was likely a nation-state creation.⁴

The capacity for malware to spread beyond borders is well-recognized. In 2017, the emergence of the NotPetya malware during conflict in Ukraine eventually spread globally, costing insurance companies more than $3bn in total,⁵ and causing significant damage and disruption worldwide, including to the computer systems of DLA Piper LLP, a global law firm, and Merck, a German pharmaceutical giant.⁶

War exclusions

In response to loss caused by cyber-attacks, in the absence of a standalone cyber policy, many companies have sought to rely upon coverage provided by All-Risks policies. All-Risks policies are designed to provide cover against physical damage to property, yet many pre-2018 policies do not explicitly or implicitly exclude cyber risk and thus may provide cover, termed ‘silent cyber’ by the insurance industry.⁷

Where there is evidence that a cyber-attack was developed and deployed as a weapon by a nation-state, insurers have sought to rely upon war exclusions. A war exclusion clause is a typical provision in All-Risks policies, which excludes cover for loss caused as a result of “warlike or hostile acts”.

Merck and International Indemnity v ACE (et al.)

In the recent decision in Merck and International Indemnity v ACE (et al.), the Superior Court of New Jersey rejected attempts made by the insurer, Ace American, to exclude coverage under an All-Risks policy held by the German pharmaceutical giant, Merck, for losses caused by the NotPetya malware totalling more than $1.4bn. Ace American had sought to argue that NotPetya was an instrument of the Russian Federation (albeit officially denied) and was deployed as part of a broader offensive campaign against Ukraine in 2017. Accordingly, any loss was excluded under a war exclusion clause.⁸

The Court, while placing significant reliance upon the doctrine of "reasonable expectations of the insured" under New Jersey law, noted that:

(i) "... no court has applied a war (or hostile acts) exclusion to anything remotely close to the facts" and

(ii) despite being "aware that cyber-attacks... from private sources and sometimes nation-states have become more common... Insurers did nothing to change the language of the exemption to reasonably put this insured on notice that it intended to exclude cyber-attacks".⁹

Accordingly, the Court concluded that, "Merck had every right to anticipate that the exclusion applied only to traditional forms of warfare" and not to cyber-attacks such as NotPetya.¹⁰

The Court did not address the central issue of attribution, and thus provided no guidance on how to attribute cyber-attacks to a nation-state, considered key to writing effective war exclusion policies.

Although a US decision, the Merck case underscores that it is possible for insureds to attain cyber coverage under All Risks policies even where there is evidence that a cyber-attack was used as a weapon by a nation-state, unless such losses are explicitly excluded via clear, comprehensive policy language. That said, after the Merck case and with the spotlight put on the issue, courts may be increasingly receptive to arguments that in the absence of specificity, nation-sponsored cyber-attacks are excluded from coverage.

Attribution to a nation-state

Whether cyber-attacks are excluded under war exclusion clauses will be a question of fact in each case, as well as of law, since “war” is usually a term declared by governments, not private actors.

In order to exclude coverage under a war exclusion, insurers must be able to factually attribute any such cyber-attack to a particular nation-state (which may be difficult to do without access to classified intelligence), and that as a legal matter the attack rises to the level of warfare. Attribution is a particularly difficult challenge with cyber-attacks, when the perpetrators may have taken steps to obfuscate the attack’s origins and where the lines between state and non-state sponsorship are blurred.¹¹ Cyber-attacks are also inherently more deniable than physical attacks. Governments also tend to reserve the authority to determine whether a particular use of force amounts to an armed conflict, and whether cyber-attacks necessarily equate to a use of force is still open to debate.

Can insureds rely on standalone cyber policies to cover loss from cyber war?

Clarifying the extent and sufficiency of coverage has never been more important. 

For a number of years, insurers have largely excluded any cyber coverage from All-Risks policies via explicit cyber exclusions. However, standalone cyber policies may still provide coverage for losses from cyber-attacks conducted by state actors, providing that they do not include a war exclusion clause tailored for cyber risk.

In the UK, the Lloyd’s market published four precedent cyber war and cyber operation exclusion clauses in November 2021 for use in standalone cyber policies,¹² which provide for different levels of cover in respect of cyber-attacks which are not excluded by the definition of war, cyber war or cyber operations which have a major detrimental impact on a state. The Lloyd’s precedent clauses contain slightly different exclusions, however all exclude loss “happening through or in consequence” of a cyber operation, as defined below:

“Cyber operation means the use of a computer system by or on behalf of a state to disrupt, deny, degrade, manipulate or destroy information in a computer system of or in another state.”

All the Lloyd’s precedent clauses contain the same provision concerning attribution, which determines that the “primary but not exclusive factor in determining attribution of a cyber operation shall be whether the government of the state (including its intelligence and security services) in which the computer system affected by the cyber operation is physically located attributes the cyber operation to another state or those acting on its behalf”. Pending such determination, the insurer may rely upon “inference which is objectively reasonable”. The burden of proof is on insurers to prove that the exclusion applies.

Defining the “government of the state” may pose challenges for insurers, as the draft clauses do not contemplate a situation where different state actors might take different positions on the origin of cyber-attacks. Further, attributing acts of cyber warfare based on what state intelligence and security services say is also potentially problematic, as the remit of such bodies may be political. No examples of “objectively reasonable” inferences are provided.

Conclusion

With a heightened risk of cyber-attacks as a result of increasing geopolitical instability, insureds should look closely at their policies to determine whether they have sufficient cyber cover, and where there is doubt, they should seek to include greater clarity, whether in All-Risks policies or in standalone cyber policies.

¹ https://www.theatlantic.com/technology/archive/2022/02/russia-ukraine-conflict-cyberwar/622931/

² https://www.reuters.com/world/europe/ukrainian-government-foreign-ministry-parliament-websites-down-2022-02-23/;

³ https://www.theguardian.com/world/2022/feb/24/russia-unleashed-data-wiper-virus-on-ukraine-say-cyber-experts

⁴ https://www.reuters.com/world/europe/ukrainian-government-foreign-ministry-parliament-websites-down-2022-02-23/

⁵ https://www.spglobal.com/marketintelligence/en/news-insights/latest-news-headlines/merck-case-leaves-cyber-insurers-wanting-for-clarity-on-war-exclusions-68662696

⁶ https://www.wsj.com/articles/one-year-after-notpetya-companies-still-wrestle-with-financial-impacts-1530095906

⁷ https://www.marsh.com/uk/services/cyber-risk/products/silent-cyber-how-you-can-cover-perils.html

⁸ https://techmonitor.ai/technology/cybersecurity/russia-ukraine-cyber-insurance-malware

⁹ https://www.lexology.com/library/detail.aspx?g=e45913c8-1f04-4d34-b6da-770dee9a080b

¹⁰ https://www.lexology.com/library/detail.aspx?g=e45913c8-1f04-4d34-b6da-770dee9a080b

¹¹ https://www.ncsc.gov.uk/annual-review/2020/index.html

¹² https://www.lmalloyds.com/LMA/News/LMA_bulletins/LMA_Bulletins/LMA21-042-PD.aspx

[View source.]