Businesses should be aware that increasing geopolitical instability brings an increased risk of cyberattacks. Particularly in light of the Merck case, they should therefore carefully review the scope of their insurance policies to ensure sufficient coverage.
Losses due to cyberattacks
The use of cyberattacks is a common feature of geopolitical conflicts,1 and there is evidence that hacks of private and public organizations are on the rise, including the emergence of new malware that wipes data.2 Named “HermeticWiper” by ESET, a cybersecurity company based in Slovakia,3 the “sophisticated and focused” attack has been claimed to be the probable creation of a nation state.4
The ability of malware to spread across borders is well known. In 2017, the NotPetya malware, which emerged during the conflict in Ukraine, spread globally, costing insurers over $3 billion in total5 and causing significant damage and disruption worldwide, including to the computer systems of DLA Piper LLP, a global law firm, and Merck, the US pharmaceutical giant.6
In response to losses caused by cyberattacks, and in the absence of a stand-alone cyber policy, many companies have sought to rely on the coverage provided by All Risks policies. All-risk policies are designed to provide cover against physical damage to property, but many pre-2018 policies neither explicitly nor implicitly exclude cyber risk and may therefore provide cover, a position the insurance industry refers to as “silent cyber”.7
Where there is evidence that a cyberattack was developed and deployed as a weapon by a nation state, insurers have sought to rely on war exclusions. A war exclusion clause is a typical provision of all-risk policies, excluding coverage for damage caused by “acts of war or hostility”.
Merck and International Indemnity v ACE (et al.)
In the recent decision of Merck and International Indemnity v ACE (et al.), the New Jersey Superior Court rejected attempts by the insurer Ace American to exclude, from an all-risk policy held by the US pharmaceutical giant Merck, coverage for losses caused by the NotPetya malware totaling more than $1.4 billion. Ace American had argued that NotPetya was an instrument of the Russian Federation (although officially denied), that it had been deployed as part of a larger offensive campaign against Ukraine in 2017, and that any resulting losses were therefore excluded under the policy’s war exclusion clause.8
The Court, relying to a large extent on the doctrine of the “reasonable expectations of the insured” under New Jersey law, noted that:
(i) “…no court has applied a war (or hostile acts) exclusion to anything close to the facts” and
(ii) although insurers are “aware that cyberattacks…from private sources and sometimes nation-states have become more common…Insurers have done nothing to change the language of the exemption to reasonably put this insured on notice that it intended to exclude cyber attacks”.9 Accordingly, the Court concluded that “Merck had every right to anticipate that the exclusion applied only to traditional forms of warfare” and not to cyberattacks such as NotPetya.10
The Court did not address the central issue of attribution and therefore provided no guidance on how to attribute cyberattacks to a nation state, which is seen as essential to crafting effective war exclusion clauses.
Although it is a US decision, the Merck case highlights that policyholders may obtain cyber cover under all-risk policies even where there is evidence that a cyberattack was weaponized by a nation state, unless such losses are explicitly excluded by clear and comprehensive policy language. That said, after Merck and with attention now focused on the issue, courts may become increasingly receptive to arguments that state-sponsored cyberattacks are excluded from coverage even in the absence of specific wording.
Attribution to a nation state
Whether cyberattacks are excluded under war exclusion clauses will be a question of fact in each case, as well as a question of law, since “war” is generally a state declared by governments, not by private actors.
In order to exclude coverage under a war exclusion, insurers must be able to factually attribute the cyberattack to a particular nation state (which may be difficult without access to classified intelligence) and to show that, in legal terms, the attack rises to the level of war. Attribution is a particularly difficult challenge with cyberattacks, where perpetrators may have taken steps to conceal the origin of the attack and where the lines between state and non-state sponsorship are blurred.11 Technical attribution typically rests on indicators such as code reuse, shared infrastructure, tooling and timing, which are suggestive but rarely conclusive on their own, so cyberattacks are inherently more deniable than physical attacks. Governments also tend to reserve the power to determine whether a particular use of force amounts to armed conflict, and whether a cyberattack necessarily amounts to a use of force remains open to debate.
Can policyholders rely on stand-alone cyber policies to cover cyber war losses?
Clarifying the extent and sufficiency of coverage has never been more important.
For several years, insurers have largely excluded cyber cover from All Risks policies via explicit cyber exclusions. However, stand-alone cyber policies may still cover losses resulting from cyberattacks carried out by state actors, provided they do not include a war exclusion clause adapted to cyber risk.
In the UK, the Lloyd’s market published four cyber war and cyber operation exclusion clauses in November 2021 for use in stand-alone cyber policies,12 which provide different levels of coverage for cyberattacks that fall outside the definitions of war, cyber war, or cyber operations having a major detrimental impact on a state. The four Lloyd’s clauses contain slightly different exclusions, but all exclude loss “happening through or in consequence of” a cyber operation, defined as follows:
“Cyber operation means the use of a computer system by or on behalf of a state to disrupt, deny, degrade, manipulate, or destroy information in a computer system of another state or in another state.”
All four Lloyd’s clauses contain the same attribution provision, which states that “the primary but not exclusive factor in determining attribution of a cyber operation shall be whether the government of the state (including its intelligence and security services) in which the computer system affected by the cyber operation is physically located attributes the cyber operation to another state or those acting on its behalf”. Pending such a determination, the insurer may rely on an “objectively reasonable inference”. The burden of proving that the exclusion applies rests with the insurer.
Defining the “government of the state” may pose problems for insurers, as the clauses do not contemplate a situation in which different state actors take different positions on the origin of a cyberattack. Furthermore, attributing acts of cyber war on the basis of what state intelligence and security agencies say is also potentially problematic, as the mandate of these bodies can be political. No examples of “objectively reasonable” inferences are provided.
With an increased risk of cyberattacks due to growing geopolitical instability, policyholders should carefully review their policies to determine whether they have sufficient cyber cover and, if in doubt, seek greater clarity, whether in all-risk policies or in stand-alone cyber policies.