By Erin Ayers, Advisen
SAN FRANCISCO — Is cyber warfare insurable? For experts speaking during Advisen’s Cyber Risk Insights Conference here on Feb 12, the answer may be “Well, yes, kind of,” but more consensus and consistency in the insurance industry are needed to provide a definitive solution.
To date, panelists agree, cyber insurers have paid claims that skirt the line of cyber warfare and applying war exclusions on any type of policy will be an uphill battle. Panel moderator Nadia Hoyte, national practice advisor for USI Insurance Services, commented that, as governments evaluate their “friends, enemies, and frenemies at the moment,” the question becomes, “What is an act of war and does it begin with the threat actor?”
“The war exclusion has not been upheld in any cyber context yet and it’s a very tough narrow window for the insurance industry to get through,” said Richard Bortnick, partner with Freeman, Mathis, and Gary LLP.
Case law on war exclusions holds that war must involve a government or sovereign state engaging with another sovereign state, according to Bortnick, who cited the 1970 hijacking of Pan Am Flight 93 as a key case in the area. The event must be endorsed by the government to invoke the war exclusion, he said.
Much of the current cyber debate surrounds claims denials on property policies following the June 2017 NotPetya attack. While still being litigated, the resulting court rulings will be a defining moment for the traditional war exclusions that have been in existence since 1936.
In the cyber field, however, insurers intend to cover risks like NotPetya, “despite considerable misinformed debate” over the issue, said Erin Harnetiaux, vice president of Marsh’ Cyber Center for Excellence. For brokers, she added, the current task includes advocating on behalf of clients and shaping the definition of cyber warfare and adding carvebacks for cyber terrorism.
The move toward carvebacks for terrorism “dramatically neuters the exclusion for the insured’s benefit,” said Melanie Witte, senior cyber claims specialist for AXA XL. And for some of the cyber events that could be considered “hostile or warlike actions,” there is no connection to physical warfare, she said, citing the $81 million attack on Bangladesh’s banking system suspected to be launched by North Korea.
“When it comes to an event like NotPetya, the water gets muddier,” said Witte. Arguably, Russia launched an attack at Ukraine, but hit many unintended targets.
Joan D’Ambrosio, partner at Atheria Law PC and a speaker on a later panel, noted that the historical definitions of terrorism and warfare include loss of life and intention to cause harm. With cyber, can war be waged against a private sector entity? For an event like the 2014 attack on Sony Pictures, commonly thought to be a North Korean-sponsored attack, damages involved exposed emails and bricked computers, rather than injuries.
“It’s certainly antagonistic,” she said, but it may not be war or terrorism.
A federal backstop for cyber warfare would provide significant certainty for buyers and insurers, according to some panelists, but it won’t come about without industry consensus.
“There’s no single solution,” said Harnetiaux, adding that businesses and their insurance partners can also be evaluating the attack techniques for trends that indicate potential state-sponsored activity.
“We should also be working toward agreement on language and terminology,” said Witte.
For the insurance industry, NotPetya represented a watershed moment for how the insurance industry approaches cyber risk. The event prompted conversations where insurers are trying hard to figure out how to cover the exposures faced by their clients, according to D’Ambrosio. The cyber terrorism definition is much broader than traditional legal definitions of terrorism, she added.
“Cyber insurers have been paying [claims] and examining how they want to pay them in the future.”
Editor Erin Ayers can be reached at firstname.lastname@example.org.