The conflict in Ukraine has raised significant cybersecurity concerns for businesses in the United States and across the world, resulting in an increased focus on using cyberinsurance to mitigate any resulting losses. The conflict has also caused insurers to turn their attention to a rarely invoked exclusion in insurance policies: the war exclusion. Certain insurers have recently taken steps toward altering the language of such exclusions. As a result, evaluating the applicability of insurance coverage, including the specific language of any war exclusions contained in the policies, is an important first step for businesses as they seek to protect themselves from cyberthreats.

WAR EXCLUSIONS IN ALL-RISK POLICIES

A New Jersey trial court’s recent decision in Merck & Co., Inc. et al. v. ACE American Insurance Co., et al. addressed the application of a type of war exclusion in an “all risk” policy. In 2017, Merck’s computer systems were infected by a malware, called “Notpetya,” affecting computers in countries around the world. The company alleged that the damage spread to 40,000 computers and caused estimated losses of more than $1.4 billion. The company’s “all risk” policies provided coverage for loss or damage resulting from destruction or corruption of computer data and software.

The insurers, however, denied coverage pursuant to the policies’ hostile or warlike action exclusion, contending that Notpetya was an instrument of the Russian Federation as part of its ongoing hostilities against Ukraine. In response, the company argued that significant facts showed that Notpetya was not an official state action but instead a form of ransomware, and that even if it were instigated by Russia to harm Ukraine, the hostile or warlike action exclusion would still not apply.

The court sided with the company, holding that the exclusion was inapplicable under the facts presented. The court noted that “no court has applied a war (or hostile acts) exclusion to anything remotely close to the facts herein.” The court explained:

[B]oth parties to this contract are aware that cyber attacks of various forms, sometimes from private sources and sometimes from nation-states have become more common. Despite this, Insurers did nothing to change the language of the exemption to reasonably put this insured on notice that it intended to exclude cyber attacks. Certainly they had the ability to do so. Having failed to change the policy language, Merck had every right to anticipate that the exclusion applied only to traditional forms of warfare.

The court concluded that the company’s “position that they did not anticipate that the exclusion would be applied to acts of cyber based attacks reasonably shows that the expectation of the insured was the exclusion applied only to traditional forms of warfare.”

CHANGING WAR EXCLUSIONS

In response to Notpetya, recent adverse decisions, and the growing risk of cyberthreats, certain insurers have taken steps to alter the language of their policies’ war exclusions. For example, Lloyd’s Market Association (LMA) recently released four cyberwar and cyberoperation exclusion clauses with respect to standalone cyberinsurance policies. According to LMA, such clauses are “purely illustrative” and have been drafted to provide Lloyd’s syndicates and their (re)insureds and brokers with “options.”

The LMA exclusion clauses provide that the insurance does not cover loss directly or indirectly occasioned by, happening through, or in consequence of, among other things, “war” or a “cyber operation” that is carried out in the course of “war.” “War” is defined therein as “the use of physical force by a state against another state or as part of a civil war, rebellion, revolution, insurrection,” and/or “military or usurped power or confiscation or nationalisation or requisition or destruction of or damage to property by or under the order of any government or public or local authority,” “whether war be declared or not.” “Cyber operation” is defined therein as “the use of a computer system by or on behalf of a state to disrupt, deny, degrade, manipulate or destroy information in a computer system of or in another state.” Moreover, the clauses provide that pending any government attribution, “the insurer may rely upon an inference which is objectively reasonable as to attribution of the cyber operation.”

Coverage will depend on the specific language of each policy, the facts of the claim, and applicable law. When procuring coverage, policyholders should be aware of the changing definitions of “war” and “cyber operations” in their cyberinsurance coverage.

NEXT STEPS

Businesses must think proactively and critically when evaluating their insurance coverage programs. Given the complexities of cyberinsurance coverage, the growing risks of cyberthreats to businesses, and swiftly changing standard policy language with respect to war exclusions, it is important to put the right team in place.

[View source.]