麻豆视传媒在线入口

Report

Asking the right questions about war exclusions in the context of cyber operations

This report was first published by Guy Carpenter .

In the last several years, reinsurance and insurance markets have grappled with the meaning of the war exclusion in the context of cyberattacks (or more broadly 鈥渃yber operations鈥). The ongoing Russian invasion of Ukraine, including cyber operations that crashed websites of Ukraine鈥檚 defense ministry and two large Ukrainian banks, underscores the need for contract certainty regarding coverage for state-sponsored cyber operations. Yet, legal guidance on the application of the war exclusion to cyber operations remains elusive. The recent court decision in听Merck v. Ace American Insurance Company et al.,听the first to consider whether a war exclusion applies to a cyber operation, does not provide meaningful answers.

We suggest that stakeholders ask new questions. Over the last year-and-a-half, the Geneva Association, in collaboration with the International Forum of Terrorism Risk (Re)Insurance Pools (jointly referred to here as the Geneva Association), and Lloyd鈥檚 Market Association (LMA) have suggested better ways to think about鈥攁nd clarify鈥攃overage for state-sponsored cyber operations. This article explains the problems posed by traditional war exclusions in the cyber context and how recently drafted clauses, which markets have increasingly adopted, address these problems. We then consider reinsurance implications.

Traditional Questions of Attribution and Characterization

A war exclusion, as used in both standalone cyber policies and general property and liability policies, excludes losses caused by 鈥渨ar鈥 or 鈥渨arlike鈥 actions. Wordings vary, but in practice, the exclusion turns on two key questions: first, is the loss-causing conduct attributable to a sovereign state? Second, is the loss-causing conduct properly characterizable as 鈥渨arlike鈥? These questions create substantial uncertainty in the context of cyber operations.

Identifying the perpetrator of a cyber operation is challenging, costly and inexact. Governments are best positioned to identify perpetrators, but they may not do so publicly. If a government does make a public attribution, its assessment may be influenced by diplomacy, politics and even insurance implications. Further, different governments may take opposing positions on the attribution of a cyber operation.

Once a perpetrator is identified, the relationship between the perpetrator and the relevant state must be determined, which presents another challenging factual issue. Even assuming all the facts are known, a difficult question remains: What kind of state involvement is sufficient to attribute a cyber operation to the state? The wording of a war exclusion may provide little guidance.

It is equally uncertain whether courts will characterize cyber operations as warlike conduct under existing legal precedents governing kinetic warfare. The traditional factors鈥攕uch as the proximity of a cyber operation to a 鈥渢heater of war,鈥 the presence of uniformed, weapon-carrying combatants, and the use of physical force鈥攁re ill-suited to determine whether a state-sponsored cyber operation is 鈥渨arlike.鈥 A cyber operation can serve a state鈥檚 military or diplomatic goals without physical force鈥攆or example, through espionage or data theft.

The first court decision analyzing the application of the war exclusion to a cyber operation,听Merck v. Ace American Insurance Company et al. (New Jersey Superior Court, Jan. 2022),听provides little insight on these core questions of attribution and characterization.

Merck v. Ace American Insurance et al.听Does Not Provide Clear Answers

In June 2017, on the eve of Ukraine鈥檚 Constitution Day, NotPetya malware infiltrated the software of a small Ukrainian firm and then spread to digital media in other countries. NotPetya caused an estimated USD 10 billion of losses, including over USD 1.4 billion claimed by Merck. In 2018, the US publicly attributed the malware to the Russian military. NotPetya was launched in the context of intermittent armed conflict between the Ukrainian military and Russian separatist forces in Eastern Ukraine, which had resulted in thousands of civilian deaths since Russia annexed Crimea in 2014.

Merck had standalone cyber coverage, but the severe damage caused by NotPetya left it underinsured. Accordingly, Merck pursued a separate claim under its 鈥渁ll-risk鈥 property policies. The insurers denied the claim, citing the policies鈥 war exclusion, which excluded losses caused by 鈥渉ostile or warlike action鈥 by an 鈥渁gent鈥 of a 鈥済overnment.鈥 In response, Merck filed suit in New Jersey state court.听

In its decision, the court avoided the questions of attribution (was the Russian government responsible for the cyber operation?) and characterization (was the cyber operation warlike conduct?) by stacking the deck against Merck鈥檚 insurers. The court invoked a technical principle of contract law called听contra proferentum,听which means that ambiguities in an exclusion should be resolved against the insurer and in favor of finding coverage. The court ruled that the war exclusion did not apply unless Merck鈥檚 interpretation of the exclusion was 鈥渆ntirely unreasonable.鈥澨

Measured against this high standard, the court 鈥渦nhesitatingly鈥 concluded that the war exclusion did not apply because no court had ever applied a war exclusion to 鈥渁nything remotely close鈥 to a cyber operation. According to the court, if the insurers wanted the exclusion to extend beyond 鈥渢raditional forms of warfare,鈥 they should have clarified their policy language.

The court鈥檚 reasoning is questionable. The New Jersey Supreme Court has held that the principle of听contra proferentum听does not apply to a sophisticated commercial insured like Merck. Additionally, the court did not explain why the broad language of the exclusion鈥斺渉ostile鈥 acts by a government 鈥渁gent鈥濃攄id not encompass cyber operations. Finally, the court ignored the fact that the NotPetya operation took place in the context of traditional forms of warfare in Eastern Ukraine. The decision sheds little light on questions of attribution and characterization of cyber operations. The Appellate Division of the New Jersey Superior Court granted the insurers permission to immediately appeal the ruling, signaling the importance of the issue and the need for clear guidance from a higher court.

The other closely watched case where an insurer invoked the war exclusion to deny cover for NotPetya losses,听Mondelez International v. Zurich American Insurance Company (Cook County Circuit Court), recently settled during trial.听 Thus, even after the听Merck听case is resolved, guidance on the application of the war exclusion to cyberattacks will exist in only one United States jurisdiction.

Asking Better Questions

The听Merck听decision looks backward to an 鈥渁ll risk鈥 property policy written in 2017. However, market participants have made important improvements to cyber cover in the last 5 years. Exposure to 鈥渟ilent cyber鈥 in general property and liability policies鈥攍ike the policies at issue in the听Merck v. Ace et al.听case鈥攈as been limited through explicit exclusions, affirmative coverage and sub-limits. Additionally, the war exclusion in standalone cyber policies often includes a carve-back for cyberterrorism, even when committed by a state actor.

Progress has also been made on the questions of attribution and characterization. With respect to attribution, industry groups have refined the need for state involvement. To streamline the analysis, the LMA鈥檚 model 鈥淐yber War and Cyber Operation Exclusion Clauses" create a rebuttable presumption that an attribution by the government of the affected country is determinative. Meanwhile, the Geneva Association suggests a 鈥渟pectrum of state responsibility鈥 ranging from state-ignored conduct to state-executed conduct. Specific language regarding state involvement can reduce contract uncertainty.

More significant advances have been made with regard to characterization. The Geneva Association urges market participants to address whether coverage applies to 鈥渉ostile cyber activity鈥濃攕tate-sponsored cyber operations that fall short of 鈥渨ar鈥 or 鈥渨arlike鈥 conduct. LMA鈥檚 new cyber exclusions implement this approach. They are organized around the term 鈥渃yber operation,鈥 which means 鈥渦se of a computer system by or on behalf of a state to disrupt, deny, degrade, manipulate or destroy information in a computer system of or in another state.鈥 This definition of 鈥渃yber operation鈥 avoids the characterization question, as a policy can cover or exclude all cyber operations attributable to a state鈥攔egardless of whether they are 鈥渨arlike.鈥

Of course, reinsurers and insurers may seek to limit coverage for state-sponsored cyber operations that have the potential for large, correlated losses. LMA exclusions try to provide flexibility in 2 ways. First, the model exclusions apply to cyber operations that have a 鈥渕ajor detrimental impact鈥 on the 鈥渇unctioning of a state鈥 by impairing an 鈥渆ssential service鈥 or the 鈥渟ecurity or defen[s]e of a state.鈥 NotPetya, while harmful to Merck and other companies, did not impair an essential service vital to the functioning of a country. If NotPetya had triggered a widespread power outage, or disrupted a large proportion of a country鈥檚 food supply, this type of exclusion could apply. Second, the exclusions apply to a 鈥渃yber operation that is carried out in the course of war鈥濃攖hat is, a cyber operation that is part of traditional kinetic warfare.

The approaches suggested by the Geneva Association and LMA raise new questions. What level of 鈥渟tate responsibility鈥 is sufficient for attribution? What is the threshold for an excluded cyber operation that impairs an 鈥渆ssential service鈥 or the 鈥渇unctioning of a state鈥? But these are better questions鈥攖hey form part of an ongoing dialogue to clarify coverage for cyber operations and to separate the insurable from the uninsurable.

Further, these questions can no longer be avoided. In August 2022, LMA issued a bulletin requiring managing agents to adopt contract language that addresses these questions in standalone cyber policies. Specifically, wordings must provide a 鈥渞obust basis鈥 to determine attribution, exclude cyber operations that significantly impair the functioning or security capabilities of state, and declare whether coverage exists outside a country whose functioning or security capabilities are substantially impaired by a cyber operation. Wording amendments to help clarify these issues are already being circulated in the market, and we expect the LMA to refine its guidance in response. Ultimately, this dialogue will help create a stronger market for cyber insurance.

Reinsurance Implications

As cyber exclusions evolve, cedents must confirm that their reinsurance contracts provide adequate cover. Many reinsurance treaties have war exclusions that apply 鈥渁s per the Company鈥檚 original policy,鈥 or similarly, state that they are inapplicable to original policies with a 鈥淲ar Exclusion Clause.鈥 These provisions create back-to-back coverage鈥攊.e., if the war exclusion in the insurer鈥檚 policy does not apply, then the reinsurer鈥檚 war exclusion will not apply either. Other treaties have a war exclusion that applies when the underlying policy does not have a war exclusion. Still other treaties have a war exclusion that applies without regard to a war exclusion in the underlying policy. The latter two scenarios can create a gap in reinsurance cover and should be treated with the utmost care.

As the dialogue prompted by the Geneva Association and LMA progresses, language in original policies is evolving rapidly and reinsurance contracts need to adapt. Accordingly, cedents should monitor whether exclusions in their reinsurance contracts remain 鈥渂ack to back鈥 with any cyber exclusions in their policies. Otherwise, losses from a cyber operation could be covered by an underlying policy but excluded from a reinsurance contract.听

How Guy Carpenter Helps Clients

Guy Carpenter鈥檚 Global Cyber team of brokers, contract consultants, product innovators and analytic experts assists clients with cyber reinsurance needs, including analysis of emerging model wordings, silent cyber stress tests, and scenario modeling for numerous historic and potential threats. As the need to carefully review and consider the shifting wordings of war exclusions grows daily, Guy Carpenter is helping our clients ask the right questions to maximize the value of their cyber reinsurance coverage.

War exclusions in the context of cyber operations


DOWNLOAD PDF