In early February of this year, we wrote about a New Jersey court’s recent decision in Merck & Co., Inc. et al. v. Ace American Ins. Co. et al., Case No. UNN-L-2682-18 (N.J. Sup. Ct.) regarding the applicability of a “war exclusion” for acts of cyberwarfare. Shortly thereafter, the Russian invasion of Ukraine once again brought to the forefront images of war, both in the traditional sense and in the context of cyberwarfare. While the war in Ukraine has thus far consisted mainly of low-impact cyberattacks by Russian-linked hackers, the perceived increased risk of cyber-attacks in the Russia/Ukraine conflict certainly has the insurance market evaluating its appetite for coverage in this area and looking for ways to clarify coverage in the event of a cyber-attack.
One way the market has sought to clarify coverage is through the use of the “war exclusion” that is typically found in property and casualty policies, cyberliability policies and other forms of coverage. This exclusion was originally designed to exclude damage arising from “traditional” warlike acts between sovereign and/or quasi-sovereign entities. See Pan American World Airways, Inc. v. Aetna Casualty & Surety Company, 505 F.2d 989 (2nd Cir. 1974) (“[W]ar is waged by states or state-like entities and includes only hostilities carried on by entities that constitute governments, at least de facto in character”).
But traditional notions of warfare are evolving. “Attacks” are now often committed behind the shield of computer screens and in technological territory. Unsurprisingly, this evolving landscape of war is translating to evolving views on insurance coverage and evolving arguments around the interpretation of the “war exclusion.”
Cyber attacks—a new age of warfare
In recent years, cyber warfare has become a more prominent threat than traditional warfare. Cyber attackers may be independent actors, or they may be associated or affiliated with, or even part of, certain states and governments (e.g., Conti and REvil are known for their relationship with the Russian government).
The question becomes whether this form of “warfare” can fit into the current regime for evaluating coverage under a “war exclusion.” Yet, because threat actors are so adept at concealing their identities, it is often difficult—if not impossible—to attribute cyber-attacks to particular actors, or actors acting on behalf of a sovereign nation or government.
A New Jersey state court recently addressed this issue in Merck & Co., Inc. v. ACE American Ins. Co., Case No. UNN-L-2682-18 (N.J. Sup. Ct.), a case involving a ransomware attack facilitated by known Russian hackers against pharmaceutical company Merck & Co., Inc. There, the pharmaceutical company sued its property insurer for losses resulting from a 2017 NotPetya malware cyberattack that crippled Merck’s computer systems and caused approximately $1.4 billion in losses.
While the insurers argued coverage was excluded under the “war exclusion,” the New Jersey court sided with Merck. The court acknowledged the changing landscape in which wars are fought, but also recognized that hostilities wrought by malware were not unheard of, and that the insurers “did nothing to change the language of the exemption to reasonably put this insured on notice that it intended to exclude cyber-attacks.” Id.
A battle for coverage—the changing insurance landscape
In light of the decisions in Merck and the ongoing threat of increased cyber warfare presented by the Russia/Ukraine war, insurers will likely speed up their efforts to tighten up the language in their “war exclusion,” in an effort to minimize their risks associated with cyber warfare. The industry saw the first example of this in November 2021 when the Lloyd’s Market Association proposed four new cyber warfare exclusions, intended to limit coverage for “cyber operations.” The proposed exclusions no longer focus on attacks attributed to the actual sovereign state or nation state. Rather, under these proposed exclusions the association between the threat actor and the nation state may be determined by “inference.” Similarly, Munich Re recently announced that it is planning to add new wording in its cyber insurance policies to clarify the exclusion for war, and avoid disputes over what is covered in the event of cyber warfare. The edits to the exclusion purportedly closely follow the wording that Lloyd’s proposed in 2021.
It remains to be seen whether these proposals will be adopted by insurers and accepted in the market, but the increased importance of, and focus on, adequate cyber coverage cannot be overstated. To better navigate this changing landscape, corporate policyholders need to be sure that their cyber risks are fully understood, particularly small and medium-sized businesses, as the National Cyber Security Alliance has previously indicated that 60% of small businesses go out of business within six months of a cyberattack. Similarly, be conscious that insurers have significantly increased premiums for cyber coverage throughout 2021, a trend that may continue. To remove all doubt, a policyholder’s expectations regarding coverage should be clearly conveyed to the underwriter during the renewal process.