The nature of warfare is changing. Conflicts now rage not only on physical battlefields but also across the digital landscape.

As war is driving cyber security concerns around the globe, more organizations are turning to Cyber Insurance for protection. But these policies may not always offer the levels of protection purchasers think they do. Cyber Insurance war exclusions can leave businesses vulnerable to financial loss.

Russian Cyber Attacks: A Case in Point

Several cyber incidents in recent years illustrate how technological exploits have become intertwined with geopolitical agendas. For example, as of this writing, the war between Russia and Ukraine continues, and it continues to fuel fears of cyber attacks.

Even before the war, the NotPetya ransomware attacks of 2017, which international security experts believe were the work of Russian state-sponsored actors, caused significant disruptions in Ukraine before spreading globally.

Since Russia invaded Ukraine in 2022, a much-anticipated “cyber thunder run” hasn’t materialized. However, Russian-sponsored cyber operations against Ukraine have continued.

In December 2023, for instance, Russian hackers wiped the systems of Kyivstar, Ukraine’s largest telecom provider. The Russian cyber attack left 25 million subscribers without internet access. According to NATO Secretary General Mark Rutte, Russia is intensifying hybrid attacks across Western Europe, “interfering directly in our democracies, sabotaging industry, and committing violence.”

Russia isn’t the only actor in current cyber geopolitics. Security experts also believe China and Iran pose significant cyber risks.

China’s quest for “independence from the West” has led it to conduct state-sponsored campaigns of “cyber espionage and intellectual property theft,” Lior Div told cyber security firm ExtraHop. He also thinks Iran may shift from its strategy of using affiliate groups to directly conducting espionage and destructive cyber operations.

Understanding the Gray Zone in Cyber Conflict

The examples above may give the impression that identifying state involvement in cyber warfare is always a straightforward matter. It isn’t. The difficulty in settling questions of attribution for cyber incidents linked to warfare is the “gray zone.”

In the gray zone, distinctions between state and non-state actors become blurred. Cyber operations can be conducted by state-sponsored groups, independent hackers, or criminal organizations that may claim to act on behalf of a sovereign power and its political objectives.

The gray zone poses significant challenges for not only legal frameworks but also insurance policies. Existing frameworks often don’t account for the gray zone’s nuances, leading to significant gaps in coverage.

For example, when the NotPetya malware attacked pharmaceutical giant Merck, it brought down more than 40,000 of the company’s machines. Despite carrying stand-alone Cyber coverage, Merck found itself underinsured. Its carrier denied coverage under a war exclusion clause, claiming the malware was meant to disrupt Ukraine and should be considered a military action, not a standard cyber attack.

Merck won an appeal against and ultimately settled the coverage dispute with its insurers. Yet this high-profile case illustrates the insurance industry’s need to evolve policy language to address contemporary cyber risks, including state-sponsored cyber attacks.

Ambiguity in Cyber War Exclusions Causes Problems

A Cyber Insurance war exclusion is a specific clause in Cyber carriers’ policies limiting or eliminating coverage for losses that result from acts of war or warlike actions, including cyber warfare.

However, these clauses still often contain ambiguous and broad language. As a result, interpretations can vary across different jurisdictions and contexts, leading to uncertainty about what types of cyber attacks the policy may or may not cover. Insurers may exclude damages from politically motivated or state-sponsored attacks, interpreting them as “collateral damage” from a cyber war.

Given the increasing prevalence of cyber attacks in war, this ambiguity in Cyber Insurance “act of war” clauses has become a major concern. It creates potential for legal disputes and challenges when determining whether policyholders are covered in the event of a cyber incident that could be construed as an act of cyber warfare.

“If it’s a declared state-sponsored foreign actor—which it rarely is, by the way—that’s not covered because it’s a state action,” says Doug Howard, CEO of cyber security firm Pondurance. “But that’s a pretty dangerous road to go down for an insurance company. The exclusion is also a competitive variable for companies choosing a Cyber Insurance policy.”

Help Your Clients Understand Their Cyber Policies’ War Exclusions

For companies holding or considering Cyber Insurance policies, Cyber war exclusions necessitate a careful review of policy language and coverage scope.

As your client’s trusted broker or agent, your job includes:

• Reviewing Exclusion Clauses
  Understand key terms related to cyber war exclusions in the policy, and make sure your client understands them, too.
  
• Seeking Legal Precedents
  Rely on qualified legal advice to navigate complex insurance implications.
  
• Adapting Coverage
  Work with insurers to adjust coverage to encompass the nuances of modern cyber threats.
  

Registered ProWriters brokers have access to powerful technology, a wide range of educational resources, and experienced experts to help them find, quote, and interpret for clients robust Cyber Insurance policies from leading carriers at competitive rates.

Register now with ProWriters, or call us at 484-321-2335 to talk about how we can help you secure the coverage your clients need against today’s cyber risks.