Given recent events in the Russia-Ukraine conflict, cyber warfare is at the front of many peoples’ minds. For years, Ukraine has been a target for Russian cyberattacks, with Russia-linked actors unleashing catastrophic malware against hundreds of targets. For example, the NotPetya cyberattacks in 2017 destroyed data from Ukrainian companies.
In light of Russian cyberattack threats, U.S. officials warned about Russian hackers’ threat to infrastructure, and even private industry businesses. While the recent surge in cyber-awareness has caused many companies to take their cyber security more seriously, businesses may not be aware that their existing cyber insurance does not protect them in every cyber attack scenario.
Read on to learn about acts of war exclusion for cyber insurance, what it could mean for you as a broker, and how to protect your clients and yourself.
What are Acts of War Exclusion for Cyber Insurance?
Business owners may be familiar with the exclusion clause they agreed to when purchasing insurance for their business’s physical assets. Such exclusions occur when an event affects so many people that filling all of the insurance claims would bankrupt the insurance provider.
For example, the Hostile Acts exclusion is a common clause in many property policies that excludes losses due to war. As the National Law Review described,
“This policy excludes loss or damage directly or indirectly caused by or resulting from any of the following regardless of any other cause or event, whether or not insured under this policy, contributing concurrently or in any other sequence to the loss:
hostile or warlike action in time of peace or war by any:
- government or sovereign power (de jure or de facto);
- military, naval, or air force; or
- agent or authority of any party specified in i or ii above.”
While the original hostile or warlike actions that insurance companies referred to were solely armed conflicts, technological developments have introduced new war tactics that do not involve bombs or boots on the ground. Now, insurance companies have similar war exclusions for their cyber insurance policies, protecting them from paying tens or hundreds of thousands of claims.
Protecting Businesses From Cyber Attacks in Times of War
Whether or not a cyber policy protects a business during an act of war depends on the language that the insurance provider uses in its policy. Specifically, look for language that separates cyber terrorism from cyber war.
Cyber terrorism is the premeditated usage of disruptive activities against computer systems with the intention to harm or intimidate someone. Cyber terrorism may be a result of trying to achieve social, ideological, religious, or political objectives. However, cyber terrorism does not include activities that are related to or in support of military action or other war-like operation.
On the other hand, cyber war are cyber attacks that arise from or are related to war, invasion, hostilities, acts of foreign enemies, or other warlike operations. Such acts of cyber war may also include a strike, lock-out, riot, civil war, revolution, rebellion, or insurrection.
The distinction between cyber terrorism and cyber war is important, because many policies will cover acts that fall under cyber terrorism while excluding those that fall under cyber war. However, there are still gray areas in cyber insurance exclusions for cyber war. For example, if an act against another country in a cyber war leaks out to other countries and businesses, the damages that it causes to those businesses may or may not be covered under traditional cyber insurance policies.
There is no clear answer as to what occurs in that scenario, meaning that litigation may be the only option in such extraneous circumstances. Businesses that already have cyber insurance but want to protect themselves even in the event of a cyber war can purchase a separate insurance policy. However, they will have to pay a rising premium as cyber risk becomes more and more real for businesses across the board.
What Acts of War Exclusions Mean for the Cyber Insurance Industry
As a broker, your business clients trust you to assess and inform them about their risks accurately. If you perform a risk assessment and advise a client regarding a cyber insurance policy make sure you review the war and terrorism exclusions with your clients so they understand how this may apply to a cyber event..
In the event of a cyber attack that falls under a war or terrorism exclusion, your clients may be left without the help of the cyber insurance they thought they had. If such a cyber attack results in a severe blow to the business, business owners could sue their broker for not advising them correctly.
Therefore, insurance brokers need to be more careful than ever when advising a client regarding a cyber insurance policy. Clients need to be made aware of the implications prior to an event occurring so that they understand how the coverage may or may not apply in the event of a cyber attack that results from a possible act of war or terrorism. After all, if a policy does not cover these acts, a business may be left without help when they need it most.
In addition to your standard vetting process for an insurance policy, add a step reviewing the war and/or terrorism exclusions. Most stand alone cyber policies will include language that excludes coverage from an act of War and Terrorism, but most good stand alone cyber policies will have a carveback for these events, specifically “Cyber Terrorism”, that will provide coverage as long as the acts were not carried out directly by a government or at the express direction of a government when they are engaged in active war or conflict.
This issue is even more difficult to manage as often it is hard to prove if a government is behind a specific attack as it is often carried out by third parties and hard to prove that these things were done at a government’s direction, and they will almost certainly deny any involvement.
For brokers, disclosing cyber war and terrorism exclusions to your client is an important step in advising your client as well as protecting your own E&O. If you recommend a subpar policy to a client that has some of these exclusions without carvebacks, or you don’t review this with a client, you could be walking into your own E&O claim if there is no coverage where a client was expecting it.
To learn more about war and terrorism exclusion for cyber insurance, protecting your clients from developing cyber risks, or making sure your own E&O has you covered in the event of a lawsuit, click here to contact us.