Cyber insurance and war

Cyber insurance is a relatively new insurance product, and its terms and coverage are still evolving.

Of particular interest are the challenges of defining and standardising cyber war and terror exclusions. The Merck vs ACE decision following the NotPetya malware attack, issuing of Lloyd’s standard exclusion wordings for cyber war and the ongoing Russian attacks on Ukraine makes this topic particularly relevant at present.

War exclusions

Traditional insurance policies typically exclude war and terror risks. National pools or specialist policies can help to fill these gaps – the Australian Reinsurance Pool Corporation^[1] or Pool Re in the UK^[2]are examples of national pools. These risks are potentially large-scale catastrophic risks, which may also aggregate across geographic boundaries and classes of business.

From an insurer’s perspective, excluding war and terror from cyber policies is desirable for the same reasons that they are excluded from other coverages.

NotPetya malware attack and Merck vs ACE

The 2017 NotPetya malware attributed to Russian action against Ukraine caused economic losses of around US$10 billion, making it the largest cyber event to date^[3]. It highlighted the aggregation potential from cyber events and the potential for cross-border impacts. As a result of the NotPetya attack, Merck, the US-based pharmaceutical company, claimed US$1.4 billion against a property insurance policy issued by ACE. In December 2021, a New Jersey court ruled that the ACE could not deny the claim based on a war exclusion included in the policy. While the ruling was dependent on New Jersey law, it reinforced the need for updated policy language for cyber risk and cyber war^[4]^[5].

Lloyd’s exclusion of war from cyber policies

In December 2021, Lloyd’s issued sample wordings for the exclusion of cyber war^[6]^[7]. These provide standardised definitions and four levels of exclusion for war and terror-related perils from cyber policies (LMA5564 being the most restrictive and LMA5567 being the most generous^[8]). Their development and publication reflect an attempt to standardise wordings, if not the level of restriction.

Lloyd’s approach to attribution of cyber events

One of the challenges with coverage of cyber events is determining the cause and attribution of the source of a cyber event for applying coverage. This is central to applying war exclusions. The Lloyd’s sample wordings all state that:

“Primary but not exclusive factor in determining attribution of a cyber operation shall be whether the government of the state (including its intelligence and security services) in which the computer system affected by the cyber operation is physically located attributes the cyber operation to another state or those acting on its behalf.”; and
“Pending attribution … the insurer may rely upon an inference which is objectively reasonable.”

This suggests that even where governments are reluctant to include cyber war in their state-sponsored reinsurance pools, they may be able to support the development of the cyber insurance market in their jurisdiction by working towards a more formalised attribution of cyber war events.

From an Australian perspective, many ‘local’ services may still be impacted by computer systems physical located in other countries. For example, the original Amazon region, US-East1, underpins many services which Australian businesses rely on. Equally, New Zealand businesses may be dependent on Australian cloud services. Such practical and common use of cloud-based services adds to the complexity of attributing cyber events and determining coverage.

Ukraine 2022 addendum

Cyber operations have formed a component of the 2022 Russian invasion of Ukraine^[9], but the impact of related cyber operations and potential insurance claims may take some time to become fully apparent. For those outside Russia and Ukraine, resulting restrictions on trade and sanctions may be equally significant^[10].

Conclusions

Cyber war exclusions are another aspect of the challenges that the industry faces in translating more traditional insurance products into the cyber realm. They also remind us that insurance products are the result of a process of evolution to balance customers’ needs including coverage and affordability, with insurers’ appetite for risk.

References

[1] The 2021 review of the APRC considered whether the scheme should be expanded to include coverage for cyber terror attacks that result in physical property damage, but recommended against it. Consultation feedback (page 11) emphasised that the inclusion of cyber in the terrorism scheme would be a substantial intervention and would require significant increases in the ARPC’s capability – https://treasury.gov.au/sites/default/files/2021-12/p2021-230249-review-final-report.pdf
[2] Pool Re introduced cover for cyber business interruption in 2019 https://www.poolre.co.uk/cover/
[3] https://www.verisk.com/siteassets/media/pcs/pcs-cyber-catastrophe-notpetyas-tail.pdf
[4] Why Insurance Companies Don’t Want to Pay Out for Cyberattacks, Foreign Policy Magazine, Tarah Wheeler and Josephine Wolff (21 February 2022) https://foreignpolicy.com/2022/02/21/merck-insurance-cyberattack-russia-ukraine-notpetya/
[5] Merck and International Indemnity v ACE (et al.): war exclusion clauses in an age of cyber warfare, Eversheds Sutherland (15 March 2022) https://us.eversheds-sutherland.com/NewsCommentary/Legal-Alerts/249533/Merck-and-International-Indemnity-v-ACE-et-al-war-exclusion-clauses-in-an-age-of-cyber-warfare
[6] https://www.lmalloyds.com/LMA/News/LMA_bulletins/LMA_Bulletins/LMA21-042-PD.aspx
[7] Four New Cyber War Exclusions from Lloyd’s Market Association, The National Law Review, Heather Howell Wright and Andrew Tuggle (10 January 2022) https://www.natlawreview.com/article/four-new-cyber-war-exclusions-lloyd-s-market-association
[8] Page 13 Cyber Insurance: A hard reset 2.0, Howdens https://www.howdengroupholdings.com/assets/documents/howden-cyber-insurance-a-hard-reset-2.pdf
[9] Tallinn Workshop Report: Cyber Operations during the 2022 Russian invasion of Ukraine: Lessons Learned (so far), Monica Kaminska, James Shires, and Max Smeets (July 2022) https://eccri.eu/wp-content/uploads/2022/07/ECCRI_WorkshopReport_Version-Online.pdf
[10] The cyber war between Ukraine and Russia: An overview, Reuters, James Pearson and Christopher Bing (11 May 2022) https://www.reuters.com/world/europe/factbox-the-cyber-war-between-ukraine-russia-2022-05-10/

This work is licensed under a Creative Commons Attribution-NonCommercial-No Derivatives CC BY-NC-ND Version 4.0.

CPD: Actuaries Institute Members can claim two CPD points for every hour of reading articles on Actuaries Digital.

War exclusions

NotPetya malware attack and Merck vs ACE

Lloyd’s exclusion of war from cyber policies

Lloyd’s approach to attribution of cyber events

Ukraine 2022 addendum

Conclusions

Most Popular

Actuaries: Bringing clarity to a complex world in the Age of Data

Are your climate-risk disclosures exposing you to potential ‘greenwashing’ claims?

Just in This Month

Excess Mortality: Considerations in Moving Away from a Pre-pandemic Baseline

Acceleration of Climate Change Trends Revealed

Appropriate Indexation of Retirement Income

I am an Actuary: April Edition

War exclusions

NotPetya malware attack and Merck vs ACE

Lloyd’s exclusion of war from cyber policies

Lloyd’s approach to attribution of cyber events

Ukraine 2022 addendum

Conclusions

Most Popular

Related Articles

Just in This Month