Sources across the industry said that most cyber policies today include war exclusions. However, the application of those exclusions not only depends on the language but also on the facts and context of each attack.
How well the war exclusions stand up will be a key determinant of whether the cyber market will face a substantial claims aggregation event – and the strength of those exclusions will depend on various factors.
“It will likely depend on the type of policy, the language of the exclusion, and the type of attack,” Sean Griffin, a partner at law firm Dykema focusing on data privacy and cybersecurity, told Inside P&C.
According to a recent Lockton report, there is no standard war exclusion wording in cyber insurance policies, although the broker noted that some general exclusions don’t apply to cyberterrorism.
Some key themes Lockton outlined based on general wordings on cyber policies exclusions are:
War, including undeclared or civil war.
War-like action by a military force, including action in hindering or defending against an actual or expected attack, by any government, sovereign or other authority using military personnel or other agents; or
Insurrection, rebellion, revolution, usurped power, or action taken by governmental authority in hindering or defending against any of these.
The Kansas City-based intermediary said in a report that US court decisions interpreting war exclusions have adopted two different analytical approaches.
The first and older approach has focused on whether a specific conflict is formally declared war by governments.
The second one, which is more commonly used by courts today, is to interpret “war” to mean what an ordinary person would think it means. This involves looking at the factual context of a conflict and looking for indicia of war – such as whether the combatants wore uniforms, the organization of the combatants, and the types of weapons used.
However, any analysis of war exclusions will be very fact dependent, as every cyber policy, every conflict, and every claim is unique, Lockton said.
Moreover, sources said, it will be difficult to establish responsibility for cyberattacks as attribution in these cases is frequently hard to determine due to the anonymity that the cyber space grants.
On the other hand, a strong argument can also be made that war exclusions shouldn’t apply to cyberattacks affecting parties that are strangers to the conflict.
Lockton said to the best of its knowledge in the US no court has considered war exclusion in a cyber policy yet.
The closest scenario to a war exclusions dispute was the Merck case in New Jersey, where the pharmaceutical company won a long-running legal battle against its insurers over a claim on its property policy arising from the 2017 NotPetya cyberattack.
In that case, the Supreme Court of New Jersey ruled that “the plain meaning of the language in the exclusion” showed it did not apply. Still, sources highlighted that in the Merck case the discussion was around an all-risks property not a cyber policy.
“It is not surprising that insurers are taking a wait-and-see approach to evaluating the applicability of the [war] exclusion,” Lockton reported.
“Insurers have told us that they are reviewing existing exclusions and are considering whether changes are needed.”
Sources said they have not yet seen a significant uptick in cyberattacks that can be directly attributed to the war. However, some emphasized that authorities in Washington and regulators have all warned that cyberattacks are coming.
The White House sounded the cyber alarms late last month, highlighting the importance of strengthening cyber defenses at private companies and public institutions.
On March 21, President Joe Biden said that his administration was reiterating warnings “based on evolving intelligence that the Russian government is exploring options for potential cyberattacks.”
Market participants anticipated that oil and gas, and financial services industries, two big buyers of cyber coverage, could be particularly vulnerable to cyberattacks, as well as construction firms.
“Energy and banking industries are obvious targets,” Griffin from Dykema said. “But Russia has targeted industries purely for disruption, and it may again. The transportation, manufacturing, and communications sectors should brace themselves accordingly.”
Catherine Castaldo, a counsel at law firm Reed Smith said: “Critical infrastructure providers, overall, are the ones that have to be concerned about vulnerability.”
Castaldo mentioned water systems, electrical grids, healthcare facilities and chemical providers as potential targets.
Other sources expressed concerns about cyberattacks on financial markets or on networks that could affect small businesses and households.
Risk Placement Services (RPS) national cyber practice leader Steve Robinson told Inside P&C: “What insurers are always nervous about is what effectively would be the hurricane in our industry.”
“That really gets to whether it be cloud providers or any type of software distribution, or services where it has the potential to simultaneously affect hundreds of thousands or millions of customers at the same time,” he added.
After Russia’s conflict with Ukraine heated up in 2014 following the conflict over the annexation of Crimea, and between 2015 and 2017, Ukraine was targeted by several cyberattacks that were attributed to state-sponsored entities.
When Russia launched a military attack to invade Ukraine in February, many predicted cyber-attacks to play a large role in the conflict. But according to think tank the Council of Foreign Relations (CFR) there has been relatively little visible action against Ukrainian systems.
According to CFR, some of the reasons for the lack of a mass digital attack include the higher efficacy of physical military attacks and difficulties in planning and executing massive cyberattacks on a short timeline.
Moreover, CFR said Ukraine and western countries have created an anti-Russia sentiment that moved foreign entities and volunteer groups to launch cyberattacks against Russia as well.
Some other possible reasons for an absence in a significant spike in claims directly related to the war are that Russia could be trying to avoid the US entering directly in the conflict, or that Russia is only focusing its attacks on Ukraine, said cyber executives from insurance broker IMA financial.
Cyber threats in an already hard market
The expectation of an increase in attacks comes at a moment when the cyber insurance market is in a state of severe dislocation.
Rates have been surging and capacity has sharply contracted over the last 18 months as a result of a rise in frequency and severity of ransomware attacks that have impacted profitability in the space.
As the market hardens, carriers have also been tightening terms and conditions, including war exclusions, on cyber policies.
According to Alliant’s cyber team, premium rises range from a low-end of 65%-75% to a high-end north of 200%-300%, depending on the industry, with healthcare or energy sectors, for example, experiencing 100% increases.
“It depends on when [insureds] renew too. A lot of April 1 renewals are getting hit really hard right now because they weren’t hit hard last year,” said Meghan O’Malley, Alliant’s cyber first vice president and Western Region leader.
“Some were hit with 50%, 60%, 70% increases last year, so to April 1 they are well over 200%,” she added.
For small businesses, which are constantly targeted by cyber criminals, RPS’ Robinson said, it's not uncommon to see an inversion of pricing, midway up a tower, where the excess is going to cost more than the layer below it.
Capacity has been contracting in the cyber market as higher losses have driven some providers to pull back.
Policy limits have gone down, sources said, and it is now common to see $10mn limits cut to $5mn or $2mn, at least on the primary side.
Alliant’s cyber product co-leader Robert Horn said: “There's been a real pullback of limits being deployed even with some of the newer InsurTechs and some new capital.”
Erik Weinick, a cyber-focused counsel at law firm Otterbourg PC, said: “We've seen what I would refer to as a double contraction, a tightening of the direct cyber insurance coverage market,” noting higher prices and less capacity in the space.
“My greatest fear is that we will find ourselves in cyber in a situation analogous to what you would have saved for flood insurance on the coast, where we have a market failure, and it requires governmental intervention.” he added.
Inside P&C provides unparalleled market intelligence on the entire US P&C market – from small commercial and personal lines right through to reinsurance and Bermuda. Redeem your complimentary 14-day trial for more premium content from Inside P&C.
Scan here to download the app