CyberGuide - Information Security and Cyber Risk Management



State-Sponsored Cyber Attacks and the War Exclusion: Are You Covered?

 

By Dan Burke, Woodruff Sawyer

This content originally appeared on Woodruff Sawyer’s Cyber Notebook web page. It is republished here with permission.

On April 15, 2021, President Biden signed an executive order implementing new sanctions against Russia after attributing the Solar Winds attack to a Russian intelligence unit known as APT 29 or Cozy Bear.

This is one of the first times the US government has attributed a cyber attack to a foreign government, and that has led to a lot of questions on how this might impact the war exclusion of a cyber insurance policy.

The War Exclusion

Typically, a war exclusion clause stipulates that any damages as a result of “hostile or warlike actions” by a state or its agents will not be covered.

Traditional property and liability insurance policies were silent on cyber attacks. It wasn’t much of a problem…until it was. When the NotPetya attack happened in 2017, also alleged to have been Russian in origin, an insurance claim by Mondelēz under a property policy was denied in part due to a war exclusion.

At the time of the Notpetya attack, I wrote about the differences in approach between the property insurance market, which never really intended to cover cyber risk, and the cyber insurance market, which has been more proactive in covering nation-state attacks.

I think the key points from that article are still relevant today.

Cyber Insurance Claims and Nation-State Attacks

The good news: Cyber insurance policies continue to pay out when private companies are targeted by nation-state actors. We have seen this time and time again, including claims arising from the Solar Winds attack.

This is great, since the Solar Winds cyber attack has caused an estimated $90 million in losses, and that total is still climbing.

War Exclusions Amendments

Cyber insurance policies have amended their war exclusion in ways that other traditional insurance policies have not.

Cyber insurance policies include carveback language that grants coverage when the attack is considered cyber terrorism—a usually broadly defined term that amounts to an attack for ideological, political, or cultural purposes.

One of the issues in the Mondelēz litigation, according to this report, was the application of the war exclusion provisions in Mondelēz’s all-risk property insurance policy to the cyber attack because “such a clause has never applied to anything other than conventional armed conflict or hostilities.”

Silent Cyber Is Dead

Silent cyber is dead. The judicial system puts the onus on the creators of the contract to be clear about which contractual terms apply.

One of the canons of contract law is that the specific takes precedence over the general. Courts interpret that to mean if something isn’t specifically mentioned in a list of inclusions or exclusions, it doesn’t apply.

So, the days of finding cyber coverage because a certain policy didn’t address it, or remained silent on the exposure, are long gone.

That’s true for property, general liability or even cargo risks these days, and is one of the main reasons we likely haven’t seen the war exclusion invoked to exclude a cyber event under those policies since Mondelēz.

Final Thoughts

Will the cyber insurance market continue this way? It remains to be seen. Certainly, the cyber insurance market is in a much more difficult place these days with losses mounting.

One thing mentioned in the White House press release really caught my eye: An acknowledgment that the attack placed an undue burden on mostly private enterprises to bear the cost of mitigating the incident.

That is one of the reasons you’re likely to hear increased calls for a public-private partnership in responding to these widespread cyber events.

For more insights like this, check out the Cyber Notebook or get more Cyber Dan insights by subscribing to our YouTube channel.

About the author: Dan Burke is Senior Vice President, National Cyber Practice Leader, at Woodruff Sawyer. As National Cyber Practice Leader, Dan drives the strategy to grow our cyber business, such as developing tools to help clients and prospects understand and quantify their cyber exposures, as well as thought leadership. He frequently speaks at industry conferences and has been quoted in various trade magazines and newsletters, including The Wall Street Journal.