How Will Cyber-Policies Respond in Times of War?

Contributor: Lee Hill | International Risk Management Institute, Inc. (IRMI) | NetVU Silver Corporate Partner | Posted 06/07/2022

You should caution your insureds against expecting coverage under cyber-insurance policies for cyberattacks stemming from Russia's invasion of Ukraine and subsequent related incidents.

While there is no "standard" wording used in the war exclusions found in these policies, they are nearly always worded with the broad preamble of "based upon, arising out of, directly or indirectly involving, or in consequence of.…" This wording excludes losses not only directly from warfare but also from attacks simply related to warfare.

The breakout of physical, "kinetic" warfare in Ukraine gives the broadly worded war exclusions typically found in cyber-insurance policies even more weight compared to cyber incidents in the absence of any actual physical warfare. Recent litigation involving war exclusions did not involve actual "boots on the ground" or physical warfare, leaving more room for courts to find coverage in favor of insureds. This would likely not be the case for incidents stemming from Russia's invasion of Ukraine, which falls under the simplest definition of "physical warfare" found in relevant exclusions.

While cyber-insurance coverage should not be expected for attacks related to Russia's invasion of Ukraine, insureds should review exactly how their policies' war exclusions are worded. Different phrasings can limit coverage even more so than other versions of exclusions, but there are also ways that insureds can slightly broaden their chances for future coverage related to nonphysical warfare.

In November 2021, a Lloyd's Market Association Bulletin released four draft war exclusions to act as a guideline for commercial cyber insurers. Some broaden the exclusion (less favorable for insureds), while others narrow the scope of the exclusion (more favorable for insureds).

  • Exclusion of both "war" and "cyber operations" (broadens scope)
  • Less-stringent requirements for attribution of an attack to a state (broadens scope)
  • Excludes operations by or on behalf of a state (broadens scope)
  • Specifically excludes retaliatory operations between specified states (broadens scope)
  • Excludes losses involving detrimental impact on essential services (broadens scope)
  • Bystanding cyber-assets carveback for assets located away from an impacted state (narrows scope)
  • "Cyber-terrorism" carveback (narrows scope)

In summary, war exclusions in cyber policies are generally broadening in scope, and draft exclusions such as the ones from Lloyd's are furthering that trend.

The ongoing hard market in cyber insurance may make these specific points difficult to negotiate, but they are worth exploring.

Meanwhile, here are five proactive steps insureds can take to protect against cyber attacks.

  1. Make cyber security a board-level issue.
  2. Engage a public relations firm ahead of time and have a plan following an incident.
  3. Have a forensic investigation and system response plan.
  4. Have a response team organization chart.
  5. Conduct tabletop exercises (a service often offered by cyber insurers) to work through cyber-attack scenarios.

NetVU subscribers with access to IRMI content can find more detailed information on these topics:

Cyber-Insurance War Exclusions

The Betterley Report—"Cyber/Privacy Insurance Market Survey—2021"

"Developing a Cyber Event Response Plan"

"Cyber and Privacy Loss Control"