Cyber insurance and war

Cyber insurance is a relatively new insurance product, and its terms and coverage are still evolving.

Of particular interest are the challenges of defining and standardising cyber war and terror exclusions. The Merck vs ACE decision following the NotPetya malware attack, the issuing of Lloyd’s standard exclusion wordings for cyber war and the ongoing Russian attacks on Ukraine make this topic particularly relevant at present.

War exclusions

Traditional insurance policies typically exclude war and terror risks. National pools or specialist policies can help to fill these gaps – the Australian Reinsurance Pool Corporation[1] or Pool Re in the UK[2] are examples of national pools. These risks are potentially large-scale catastrophic risks, which may also aggregate across geographic boundaries and classes of business.

From an insurer’s perspective, excluding war and terror from cyber policies is desirable for the same reasons that they are excluded from other coverages.

NotPetya malware attack and Merck vs ACE

The 2017 NotPetya malware, attributed to Russian action against Ukraine, caused economic losses of around US$10 billion, making it the largest cyber event to date[3]. It highlighted the aggregation potential from cyber events and the potential for cross-border impacts. As a result of the NotPetya attack, Merck, the US-based pharmaceutical company, claimed US$1.4 billion against a property insurance policy issued by ACE. In December 2021, a New Jersey court ruled that ACE could not deny the claim based on a war exclusion included in the policy. While the ruling was dependent on New Jersey law, it reinforced the need for updated policy language for cyber risk and cyber war[4][5].

Lloyd’s exclusion of war from cyber policies

In December 2021, Lloyd’s issued sample wordings for the exclusion of cyber war[6][7]. These provide standardised definitions and four levels of exclusion for war and terror-related perils from cyber policies (LMA5564 being the most restrictive and LMA5567 being the most generous[8]). Their development and publication reflect an attempt to standardise wordings, if not the level of restriction.

Lloyd’s approach to attribution of cyber events

One of the challenges with coverage of cyber events is determining the cause of a cyber event and attributing its source for the purpose of applying coverage. This is central to applying war exclusions. The Lloyd’s sample wordings all state that:

  • The “primary but not exclusive factor in determining attribution of a cyber operation shall be whether the government of the state (including its intelligence and security services) in which the computer system affected by the cyber operation is physically located attributes the cyber operation to another state or those acting on its behalf.”; and

  • “Pending attribution … the insurer may rely upon an inference which is objectively reasonable.”

This suggests that even where governments are reluctant to include cyber war in their state-sponsored reinsurance pools, they may be able to support the development of the cyber insurance market in their jurisdiction by working towards a more formalised attribution of cyber war events.

From an Australian perspective, many ‘local’ services may still be impacted by computer systems physically located in other countries. For example, the original Amazon region, US-East1, underpins many services which Australian businesses rely on. Equally, New Zealand businesses may be dependent on Australian cloud services. Such practical and common use of cloud-based services adds to the complexity of attributing cyber events and determining coverage.

Ukraine 2022 addendum

Cyber operations have formed a component of the 2022 Russian invasion of Ukraine[9], but the impact of related cyber operations and potential insurance claims may take some time to become fully apparent. For those outside Russia and Ukraine, resulting restrictions on trade and sanctions may be equally significant[10].

Conclusions

Cyber war exclusions are another aspect of the challenges that the industry faces in translating more traditional insurance products into the cyber realm. They also remind us that insurance products are the result of a process of evolution to balance customers’ needs, including coverage and affordability, with insurers’ appetite for risk.

References

 
 

CPD: Actuaries Institute Members can claim two CPD points for every hour of reading articles on Actuaries Digital.