We recently published a blog post highlighting the impacts of the Russian-Ukraine conflict on cyber insurance. We now have additional information on this matter to share with you.
Cybersecurity insurance market professionals are anticipating that the ongoing conflict between Russia and Ukraine will likely lead to an increase in cyber attacks and insurance claims.
Industry professionals note that most cyber insurance policies do include war exclusions. However, applying those exclusions depends on the language in the policies as well as the context and facts related to each cyber attack.
War exclusions will be the key to determining whether the cyber insurance market will face a significant claims aggregation event.
War exclusion wording
According to a recently released report by Lockton, there is no industry standard for war exclusion wording in cyber insurance policies. However, Lockton did note that some general exclusions do not apply to cyber terrorism.
Lockton provided key themes based on general wordings found in cybersecurity policy exclusion:
- War, including undeclared or civil war
- War-like action by a military force, including action in hindering or defending against an actual or expected attack, by any government, sovereign, or other authority using military personnel or other agents; or
- Insurrection, rebellion, revolution, usurped power, or action taken by governmental authority in hindering or defending against any of these.
Interpreting war exclusions: two approaches
US courts that are making decisions interpreting war exclusions are taking two varying analytical approaches:
The more traditional approach focuses on if a specific conflict has been formally declared a war by governments.
The second approach interprets “war” to mean what the ordinary person would think it means. The courts look at the facts and context of a conflict and if it indicates war. For example, the courts assess the combatants, their organizations, and uniform usage as well as the types of weapons utilized.
Since every conflict, every cybersecurity insurance policy, and every claim are unique, each analysis will be based on fact. Unfortunately, it will be difficult to determine responsibility for many cyber attacks due to the anonymity provided by online environments. Lockton stated that to the best of its knowledge, there has not been a United States court to consider war exclusion in a cybersecurity insurance policy yet.
Cyber attacks are coming
Even though the industry has not yet seen an increase in cyber attacks attributed to the Russia-Ukraine conflict, authorities and regulators have warned that cyber attacks are coming.
The White House recently highlighted the importance of enhancing cyber defenses at both public institutions and private organizations. Cybersecurity professionals anticipate that oil and gas companies, electrical grids, healthcare facilities, financial services, as well as construction firms could be particularly vulnerable.
