Cyber-insurance policies typically have "war exclusion" or "hostile act exclusion" language built into them. This language essentially says that insurers cannot defend against acts of war. In the first quarter of this year, cyber-insurance markets were already tightening war exclusion provisions to deny coverage. In light of Russia's invasion of Ukraine — and the anticipated cyber fallout — security professionals should review their cyber-insurance coverage with an eye toward determining coverage gaps.
A Brief History of War Exclusions
Before exploring the cyber-risk that the Russian war on Ukraine raises, it's important to understand the history of cyber war exclusions.
Many companies became collateral damage during NotPetya's broad launch against Ukraine in 2017. Insurers began to utilize "war exclusion" clauses in their policies in an attempt to exclude coverage for NotPetya malware infections. NotPetya was designed by a government to harm another government as an act of war, the reasoning went, so an insurer should not be liable for damages.
New War Exclusion Clauses
Earlier this year, Lloyd's of London released four new variations of cyber war and cyber operation exclusion clauses, each with varying levels of coverage available to an insured. Other cyber-insurance carriers followed suit, and war exclusions in cyber-insurance policies are now written in tighter contractual language.
These exclusions provide that the insurer will "not cover any loss, damage, liability … directly or indirectly occasioned by, or happening through or in consequence of a war or a cyber operation" (see Lloyd's Exclusion No. 1). Each of these terms is heavily defined — with war meaning "the use of physical force by a state against another state … whether war be declared or not." The term "cyber operation" is defined as "the use of a computer system by or on behalf of a state to disrupt, deny, degrade, manipulate or destroy information in a computer system of or in another state."
The issue then becomes: How does one determine attribution for a cyber operation or war to another state? The Lloyd's policies provide a method for this, including determining whether the "government of a state (including its intelligence and security services)" makes attribution "to another state or those acting on its behalf."
Thus, if a new malware threat is attributed to a government, and a company gets hit because of the difficulty in containing such malware, a cyber insurer could deny coverage.
How to Navigate the Cyber Insurance Landscape
Here is some advice for effectively navigating the cyber-insurance landscape.
1. Do not speculate.
When reporting a claim, be careful to only report what you know. For example, if your company is hit by ransomware, don't speculate as to who the threat actor may be if you don't know. If attribution of a new threat has not been made, be careful not to guess that it arises out of an ongoing global conflict. With all cyber insurance, words matter — especially the words of security professionals working a claim. What you guess, report, or speculate could be used as a basis for denial of coverage.
2. Get your own independent experts.
As a cybersecurity lawyer, my recommendation to a company hit by a new variant of malware or ransomware is to engage counsel separate and apart from counsel appointed by your insurance carrier. While a cyber-insurance lawyer appointed by an insurance carrier represents you, that cyber-insurance lawyer ethically cannot bring an action against your carrier or easily take a position contrary to your carrier. It's best to have independent counsel alongside you, even if the company must pay for this counsel out of pocket, to assist you with the process.
3. Assume nothing about coverage until you get a coverage letter.
There are many cyber-insurance carriers that do the right thing and want to provide for their insureds. However, until you have a coverage letter from the carrier itself — not just the word of your insurance broker — do not assume you have full coverage.
4. Be prepared: Review your coverage and game plan in advance.
The global upheaval caused by Russia's aggression against Ukraine is likely to spawn many coverage battles. The time to prepare is now, and you can do so by reviewing your coverage with an attorney outside of the cyber panel process.
With Russia's invasion of Ukraine — and the resulting strict worldwide sanctions against Russia — the cybersecurity risk and stakes are higher than ever. Organizations relying on cyber-insurance policies to protect them in case of a cyberattack should review their coverage carefully to ensure that they actually are protected. Organizations should not wait until they are navigating a threat to know what is ahead in a cyber-insurance war.