The invasion of Ukraine by Russian forces has put most of the world’s nations on edge, fearing a host of potential impacts from rising prices to assured mutual destruction should nuclear weapons be deployed.
While the full impact of the conflict remains to be seen, world governments are presently warning of the increasing possibility of cyber-attacks from foreign assets. This is a non-military route of retaliation for sanctions placed on Russia by nations across the globe.
Are Policies Worded to Include Damages from Cyber-Attacks?
A significant concern among Australian businesses is not if the cyber-attacks will happen but if such attacks are excluded from cyber insurance policies. There is a legitimate concern regarding a lack of historical precedence and the consistently evolving technology producing new vulnerabilities. The fear is that significant gaps in the policy language may leave businesses to absorb at least some of the costs associated with cyber-attacks.
Coverage Determined by Policy Language and Circumstances Surrounding the Attack
Because of the unprecedented nature of these circumstances, predicting cyber insurance policy exclusions is challenging. While several factors are at work, one of the critical language concerns is whether or not a cyber-attack is an act of war or a criminal endeavour apart from international conflict.
The majority of insurance policies have clauses excluding payment for damages caused by acts of war.
To determine if a policy excludes the type of attacks that governments believe would come from Russia, exploring how ‘war exclusion’ is defined in insurance policies is necessary.
War Exclusions pertain to losses that come from:
- War, including undeclared or civil war
- Warlike action by a military force
- Defence against an attack (or expected attack) by a government, sovereign or authority using military personnel or other agents
- Rebellion, revolution, insurrection, or usurping of power
- Actions that a government takes to defend against the attempted revolution, rebellion, or insurrection
According to this definition of acts of war, acts of cyber-terrorism would be covered by cyber insurance policies.
However, inclusions and exclusions to coverage depend on whether the actions taken against a business via computer are defined as cyberterrorism.
For insurance purposes, cyberterrorism includes disruptive activities used indirectly or directly against a computer system
- By an individual or group of individuals with the intention to,
- Cause harm
- Intimidate persons
- Further political, religious, ideological, or social causes
- The explicit threat by an individual or group of individuals to carry out such activities with the intent to cause harm and disruption
- By definition, acts of cyberterrorism are not aligned with any activities that support military operations, acts of war, or warlike operations
Interpreting the exclusions involves looking at the details surrounding the loss based on what the typical person would define as war. For example, a war would commonly be defined by the presence of uniformed military, heavy armaments, a battle plan or other attack strategy, and a concerted effort to organise activities against another group or nation.
The fact that this type of insurance issue has not played out in court increases the concern that attempts to sue insurance companies could fail. The facts surrounding a cyber-attack and how courts interpret them will be instrumental in determining whether the acts of war exclusion are valid and may become a situation judged on a case by case basis.
One of the cases with elements similar to the present situation played out in a United States court in late 2021. The case was filed by pharmaceutical company Merck in in response to its property insurer invoking the acts of war exclusion on a claim stemming from a 2017 cyber-attack.
The attack was a part of hostilities by Russia against Ukraine and disrupted Merck significantly. The company’s losses were approximately 1.4 billion US dollars.
Merck won its suit against its insurer because the insurance company did not list cyber-attacks as part of the acts of war exclusions list. The court noted that Merck had the right to expect payment because the policy described exclusions based on traditional forms of war.
The case leaned on the idea that cyber-attacks made against third parties uninvolved in a military conflict should not trigger the acts of war exclusion because the victim did nothing to put itself in harm’s way.
It is worth noting that decisions handed down from United States courts may have little influence in Australian court cases.
During the present military conflict, fears are easily stoked. However, it is best to stay calm and focus on what can help your tech stay safe. Make sure your firewalls and security systems are running at peak efficiency. Train your employees regarding extra safety measures you may implement and avoid any unnecessary online risks.
If you have questions or concerns regarding your cyber insurance policy or other matters, please do not hesitate to contact Grace Insurance. Our team of professionals are here to answer your questions and make sure all facets of your business are well protected.