Temperatures may be near sub-zero in Eastern Europe right now, but tensions along the Ukrainian border are close to boiling. As the possibility of large-scale cyber incidents looms closer, businesses and insurance professionals alike should be scrutinizing their cyber liability policies and the war clauses within them. However fresh clarification from Lloyd’s of London on war clause exemptions suggests that insurers will be tightening their purse strings.
Lloyd’s Cyber Insurance War Clauses Explained
Newly released four model clauses have brought greater clarity on the losses which will be excluded by cyber warfare. The publication on the clauses just before the recent $1.4 million Merck win against its insurer, who refused to pay out losses resulting from the 2017 NotPetya incident. The landmark case distinctly separated acts of war from cyber attacks and highlighted the impact of silent cyber on legacy policies that fail to take account of the far-reaching nuances of cyber risk.
Reeling from NotPetya (and other state-sponsored attacks) Lloyd recently released new model clauses for war exclusions. Insureds will be disappointed to find themselves yet again disadvantaged by broader, standardized definitions of “war” and “cyber operations” and stricter exclusions surrounding them. It seems that policies under Lloyds will give insurers wide opportunities for denial of coverage beyond the traditional understanding of “war” between sovereign states. The model clauses have created four levels of coverage based on a standardized definition of key terms. All cyber losses caused by “war” have been excluded, as well as cyber losses caused by some “cyber operations”.
All four clauses define “war” broadly to mean physical force by a state, government, or local authority against another state, government, or local authority as part of civil war, insurrection, or the confiscation, nationalization, or damage to property. In other words – almost any kind of physical force could, theoretically fall within the scope of this exclusion and stretch beyond our traditional understanding of what constitutes “war”.
The definition of “cyber operations” also focuses on the use of a computer system “by or on behalf of a state” to disrupt, deny, manipulate or destroy information of another state. Most brow-raising of all, Lloyds has included cyber operations which have a “major detrimental impact” on a state’s function in its standardized definitions, in an attempt to avoid liability for attacks on critical infrastructure (such as Colonial Pipeline). This wording continues to muddy the waters for insureds and their brokers as proving attribution of cyber attacks is painstaking and complex. To make matters worse for the insured, the new exclusion clauses clarify that, pending any government attribution, insurers can decide “through inference which is objectively reasonable” to attribute cyberattacks to state activities.
- The first model clause contains the strictest terms: it excludes all losses from cyber operations.
- The second model clause is slightly more forgiving, specifying coverage limits for losses not due to cyber operations between certain named countries.
- The third model clause continues in this vein but does not mention particular countries to whom the exclusion applies.
- The fourth model clause is the most generous of them all, but still restrictive on the insured: it covers the effects on “bystanding cyber assets,” which are further defined as “a computer system used by the insured or its third-party service providers that are not physically located in an impacted state but is affected by a cyber operation”.
The new clauses undoubtedly equal more risk and less payout. The one silver lining for insureds, however, is that it is for the insurer to prove that the exclusion applies.
Moscow’s Cyber Aggression And Its Global Ripple Effect
The gathering of Russian troops at the Ukrainian border has been plastered over recent headlines. The world is poised, wondering, with bated breath, “will they, or won’t they”?
Meanwhile, cyber operations are already underway – and have been for years. Russia has used cyber techniques to interfere in Ukrainian elections and power grids, aiming to undermine the Ukrainian government and private sector organizations, scare and subdue the population, and promote its intense interests in the region. Notably, in its previous military conflicts in eastern Ukraine, Russia used cyber techniques to disrupt Ukrainian satellite, cellular, and radio communications.
But Moscow has not stopped at Eastern Europe in its cyber exploits – some public policy researchers interpreted Russia’s 2018 UN resolution to revisit rules for cyberspace as an attempt to disguise its state surveillance over internet usage as state sovereignty. Some of the Kremlin’s repeated attacks on the West are still being felt and investigated today – namely, the recent SolarWinds attack on US infrastructure. Russia has also furthered its efforts against the UK by targeting by spreading false stories about British troops in Estonia through bots during a 2017 NATO military exercise.
In mid-January, Russia was suspected of hacking and defacing Ukrainian government websites. At the same time, Microsoft uncovered evidence of destructive malware that was targeting multiple organizations in Ukraine – citing “geopolitical events” as a probable cause.
Shortly after, US governmental agencies, mindful of the chaos which ensued NotPetya, urged critical infrastructure operators to bolster their cybersecurity efforts. The 2017 NotPetya attack was originally aimed at Ukraine, and single-handedly crippled international ports, businesses, and supply chains around the globe with its highly viral malware code. Insurers are still, to this day, settling claims as a result of the attack – such as the recent Merck case. The White House deemed the attack to be the most destructive and costly cyberattack in history, with global losses estimated at a total of $10 billion.
And it appears that history may be repeating itself: a destructive malware seen in Ukraine in January, dubbed WhisperGate, is reminiscent of NotPetya, although it is not as sophisticated and viral as its predecessor. Even more recently, a series of DDoS attacks rendered the websites of the Ukrainian army, the ministry of defense, and major banks unreachable. The defense ministry has confirmed the possibility of Russian involvement in the attacks, however, attribution will take some time to formally confirm with any certainty. If Russia has indeed been behind these attacks, it may well leverage them in diplomatic negotiations further down the line.
Where does this leave us?
The cyber insurance industry has been faced with increasingly limited capacity, silent and systemic cyber risks, and volatile trends in the cybersphere. The Lloyds insurance war exclusion clauses suggest that insurers are treating nation-state cyber activity with increased caution – yet another development in our hardening market. Insureds, their agents, and their brokers would do well to comb through their policies and their operations to ensure that they have sufficient transfer mechanisms in place for the foreseeable risks. It looks like there is a bumpy road ahead in the cybersphere, and now, more than ever, cyber literacy is vital for economic survival.
Want the latest on cyber insurance news, hottest trends, important issues, tips, and much more, directly to your inbox twice a month? Signup for The CI Academy Plus Newsletter here.
