Even though it is below zero in Eastern Europe right now, tensions along the Ukrainian border are close to boiling. As the possibility of large-scale cyber incidents grows, insurance professionals and businesses alike should review their cyber liability policies and the war clauses included within them. Although, new clarifications released by Lloyds of London on war clause exemptions would seem to indicate that insurers will be tightening their purse strings.
Explaining Lloyd’s War Clauses
As a result of the recent release of four model clauses, a clearer picture is emerging about the losses that will be excluded from cyber warfare. Notably, the publication of these clauses preceded the recent win of $1.4 million against Merck’s insurer, who refused to pay out losses due to NotPetya’s 2017 incident. The landmark case made a clear distinction between acts of war and cyberattacks, highlighting how policies that fail to take into account the nuances of cyber risk to a great extent fail to address the true impact of silent cyberattacks.
In response to NotPetya (and other state-sponsored attacks), Lloyd published new model clauses for war exclusions. A number of insureds are likely to be disappointed to find themselves once again disenfranchised by broader, standardized definitions of “war” and “cyber operations” and stricter exclusions surrounding these terms. As a result of Lloyd’s policies, insurers will have a broader range of options to deny coverage beyond the traditional understanding of “war” between sovereign states. Based on a standardized definition of key terms, the model clauses have created four levels of coverage. Cyber losses caused by “war” and some “cyber operations” have been excluded.
According to all four clauses, “war” means physical force used by a state, government, or local authority against another state, government, or local authority in the course of civil war, insurrection, confiscation, nationalization, or destruction of property. As a result – theoretically, almost any physical force could fall within the scope of this exclusion and go beyond our traditional understanding of what constitutes “war.”
The term “cyber operations” also refers to the use of a computer system “by or on behalf of a state” to disrupt, deny, manipulate, or destroy information of another state. Perhaps most notably, Lloyds has included cyber operations that have a “major detrimental impact” on a state’s function in its standardized definitions in an effort to avoid liability for attacks on critical infrastructure (such as Colonial Pipeline). As attribution of cyberattacks is a complex and time-consuming process, this language continues to muddy the waters for insureds and their brokers. Further, the new exclusion clauses make it clear that, pending government attribution, insurers will be able to attribute cyberattacks to state-sponsored activities based on “objectively reasonable inferences.”.
The first model clause contains the strictest terms: it excludes all losses resulting from cyber operations. A second model clause is a little more lenient, specifying coverage limits for losses not caused by cyber operations between named nations. However, the third model clause does not mention any particular countries to which the exclusion applies. In the fourth model clause, the insured is covered for the effects on “bystander cyber assets,” which are defined as “a computer system used by the insured or its third-party service providers which is not physically located in an impacted state but is affected by a cyber operation”.
Undoubtedly, the new clauses mean more risk and less payout. One positive aspect for insureds is that the insurer must prove that the applies.
A Global Ripple Effect of Moscow’s Cyber Aggression
Recent headlines have been dominated by the gathering of Russian troops at the Ukrainian border. There is only one question on everyone’s mind: “Will they, or won’t they”?
At the same time, cyber operations have long been underway. Russia has interfered in Ukrainian elections and power grids using cyber techniques in order to undermine Ukraine’s government and private sector organizations, scare and subdue the populace, and promote its intense interests in the region. During previous military conflicts in eastern Ukraine, Russia used cyber techniques to disrupt Ukrainian satellite, cellular, and radio communications.
However, Moscow has not stopped with Eastern Europe in its cyber-attacks – some public policy researchers interpreted Russia’s 2018 UN (United Nations) resolution to revisit cyberspace rules to disguise state surveillance over the internet as state sovereignty. Even today, some of the Kremlin’s repeated attacks on the West are still being felt and investigated – such as the recent SolarWinds attack on US infrastructure. Russia has also escalated its efforts against the United Kingdom by spreading rumors about British.” troops in Estonia via bots during a NATO military exercise taking place in 2017.
In the middle of January, Russian authorities were suspected of hacking and defacing the Ukrainian government’s websites. Meanwhile, Microsoft discovered evidence of debilitating malware that was being used against multiple organizations in Ukraine – with “geopolitical events” being cited as one of the probable causes.
Following NotPetya, US governmental agencies urged critical infrastructure operators to strengthen their cybersecurity efforts. It has been reported that the 2017 NotPetya attack, which was initially aimed at Ukraine, crippled international ports, businesses, and supply chains around the globe due to its highly viral malware code. Today, insurers still settle claims as a result of the attack – such as the recent Merck case – as a result of the attack. The White House construed the attack to be the most destructive and costly cyberattack in history, estimating the total cost of the attack to be $10 billion (about $31 per person in the US).
It appears that history may be repeating itself: destructive malware seen in Ukraine in January, called WhisperGate, is similar to NotPetya, although it is not as sophisticated and viral as its predecessor. Recently, a series of DDoS attacks rendered the websites of the Ukrainian army, the ministry of defense, and major banks inaccessible. The defense ministry has confirmed the possibility that Russia may have been involved in the attacks, but the attribution process will take some time. In the event that Russia had indeed been behind these attacks, it may very well have leveraged them in further diplomatic negotiations down the road.
What does this mean for us?
It has become apparent that the cyber insurance industry is faced with a number of challenges, including a limit on capacity, silent and systemic cyber risks, and volatile trends in the cybersphere. Currently, Lloyd’s war exclusion clauses suggest that insurers take a more cautious approach towards nation-state cyber activity, which is another sign of our hardening markets. Insureds, their agents, and their brokers would do well to go over their policies and their operations to make sure that they have an adequate transfer mechanism in place to deal with any foreseeable risks. In the cybersphere, it appears as though there are bumps in the road ahead, and now more than ever, cyber literacy is a vital part of economic survival.