The rise of cyberattacks has led to a significant increase in the demand for cyber insurance policies. However, the insurance industry is struggling to keep pace with the ever-evolving threat landscape, which has resulted in a new challenge: insurers are attempting to use the “act of war” doctrine to refuse to pay insureds’ claims when the attacks that give rise to the claims are perpetrated by state actors or by other belligerents.
Hostile or Warlike Exclusions
On May 1, 2023, the New Jersey Superior Court Appellate Division issued a ruling in the case of pharmaceutical giant Merck, which was hit by the NotPetya attack that the U.S. government attributed to the Russian government. Merck suffered almost $700 million in losses resulting from the attack and filed claims with various cyber insurers, each of which had coverage exclusions that excluded “hostile” or “warlike” actions. Based on these exclusions, and the government’s determination that the attacks came from a hostile foreign government, the insurers refused to pay the claims.
The New Jersey appellate court found that the insurers had failed to demonstrate that the attack was a warlike action and affirmed the lower courts’ finding that the insurance companies had to pay.
Act of War Doctrine
The act of war doctrine is a legal concept that has its roots in insurance law. The doctrine states that insurance policies generally exclude coverage for losses that arise from war-related activities. The rationale behind this is that insurance policies are not intended to cover losses that result from events that are beyond the control of the policyholder or the insurer. Rather, they are intended to cover losses that are the result of fortuitous events, such as accidents or unforeseen events. Typically, the doctrine has been used to refuse claims when factories in combat zones are bombed or destroyed, or when infrastructure suffers other “kinetic” attacks.
In the context of cyber insurance, the act of war doctrine has been invoked by insurers to argue that losses arising from cyberattacks perpetrated by state actors or other belligerents are not covered under the policy. Insurers argue that such attacks are akin to acts of war and, as such, fall outside the scope of the policy’s coverage.
Exclusionary Language in Cyber Insurance Policies
Cyber insurance policies typically contain a number of exclusions that limit the scope of coverage. One of the most common exclusions found in cyber insurance policies is the “act of war” exclusion. This exclusion typically states that losses arising from acts of war or war-related activities are not covered under the policy.
Most popular cyber insurance policies on the market contain an exclusion pertaining to losses or damages resulting from an act of war, declared or undeclared.
For example, in the Merck case, the exclusion stated:
“[t]his policy does not insure” against:
Loss or damage caused by hostile or warlike action in time of peace or war, including action in hindering, combating, or defending against an actual, impending, or expected attack:
- By any government or sovereign power (de jure or de facto) or by any authority maintaining or using military, naval, or air forces;
- Or by military, naval, or air forces;
- Or by an agent of such government, power, authority, or forces.
These exclusions are designed to limit the scope of coverage and to ensure that policyholders understand that losses arising from acts of war or war-related activities are not covered under the policy.
Rise of Cyberattacks by State Actors
According to the U.S. government, the number of cyberattacks by state actors has increased significantly in recent years. In 2020, the Cybersecurity and Infrastructure Security Agency (CISA) reported that it had responded to a record number of incidents involving state-sponsored cyber actors.
One example of such an attack was the 2017 WannaCry ransomware attack, which was widely attributed to North Korea. The attack affected more than 200,000 computers in 150 countries and caused an estimated $4 billion in damages.
Another example was the 2014 Sony Pictures hack, which was widely attributed to North Korea. The attack resulted in the theft of confidential information, including employee data and unreleased movies, and caused an estimated $100 million in damages.
Merck and NotPetya: Cases in which Insurers Have Attempted to Exclude Coverage
In the Merck case, the insurers attempted to rely on the “hostile” or “warlike” exception to coverage, noting that the attack came through a Ukrainian provider, was likely launched by the Russian government, and was likely done as an act of war by the Russian government. Nevertheless, the lower court found that the broad exclusionary language did not apply to cyberattacks, noting:
The evidence suggests that the language used in these policies has been virtually the same for many years. It is also self-evident, of course, that both parties to this contract are aware that cyberattacks of various forms, sometimes from private sources and sometimes from nation-states, have become more common. Despite this, Insurers did nothing to change the language of the exemption to reasonably put the insured on notice that it intended to exclude cyberattacks. Certainly, they had the ability to do so. Having failed to change the policy language, Merck had every right to anticipate that the exclusion applied only to traditional forms of warfare.
The insurers obviously disagree. They noted that the language of the exclusion clearly excluded attacks which were either warlike or hostile. The NotPetya attack, by a foreign sovereign, was clearly “hostile.” Here the court notes that the exclusion is not for government actions but for actions of hostile “military” entities, noting:
“The exclusion of damages caused by hostile or warlike action by a government or sovereign power in times of war or peace requires the involvement of military action.”
Indeed, the group most likely responsible for the NotPetya attack was APT29 or Cozy Bear, which is a department of Russia’s Foreign Intelligence Service, not its ministry of defense.
Mondelez International v. Zurich American Insurance Company
The use of the act of war doctrine by insurers to exclude coverage for losses arising from cyberattacks perpetrated by state actors or other belligerents has led to a number of legal disputes. In some cases, insurers have attempted to deny coverage for such losses, while in others, policyholders have challenged the applicability of the act of war exclusion.
One such case was the Mondelez International v. Zurich American Insurance Company lawsuit. Mondelez, a global food and beverage company, suffered a significant cyberattack in 2017 that was widely attributed to Russia. The attack caused widespread disruption to Mondelez’s computer systems and resulted in the loss of millions of dollars in revenue.
Mondelez filed a claim with its insurer, Zurich American Insurance Company, seeking coverage under its property policy. However, Zurich denied the claim, citing the act of war exclusion in the policy. Zurich argued that the attack was an act of war, and therefore, the policy did not cover the resulting losses.
Breach of Contract and Bad Faith
Mondelez subsequently filed a lawsuit against Zurich, alleging breach of contract and bad faith. Mondelez argued that the act of war exclusion did not apply to the cyberattack, as it was not a traditional act of war. Mondelez also argued that Zurich had acted in bad faith by denying the claim without conducting a proper investigation.
The case went to trial in 2019, and the court ultimately ruled in favor of Mondelez. The court held that the act of war exclusion did not apply to the cyberattack, as it was not a traditional act of war. The court also found that Zurich had acted in bad faith by denying the claim without conducting a proper investigation. The parties ultimately settled the claim in October of 2022.
Challenges for Policyholders
The Mondelez case is just one example of the challenges that policyholders face in obtaining coverage for losses arising from cyberattacks perpetrated by state actors or other belligerents. The use of the act of war exclusion by insurers has resulted in a number of legal disputes, with policyholders often challenging the applicability of the exclusion.
Challenges for Insurers
The rise of cyberattacks by state actors and other belligerents has presented a significant challenge for the cyber insurance industry. Insurers are struggling to keep pace with the ever-evolving threat landscape, and the use of the act of war doctrine to exclude coverage for losses arising from cyberattacks perpetrated by state actors has led to a number of legal disputes.
As the threat landscape continues to evolve, it is likely that insurers will need to revisit their policies and exclusions to ensure that they are keeping pace with the latest risks. It is also likely that the courts will continue to be called upon to adjudicate disputes between policyholders and insurers over the scope of coverage under cyber insurance policies.
What Insured Entities Can Do
While the use of the act of war exclusion by insurers to deny coverage presents a significant challenge for insureds, there are steps that insureds can take to ensure that they have coverage for such losses.
Review Your Policy Carefully
The first step in ensuring that you have coverage for losses arising from cyberattacks is to review your cyber insurance policy carefully. Look for any exclusions or limitations that may affect your coverage, including the act of war exclusion. Make sure that you understand the scope of your coverage and any limitations that may apply. The Merck court faulted the exclusionary language as being ultimately too broad and not tailored to specific state-sponsored cyberattacks. You can expect insurers to add more specific exclusions based on the identity or motivation of the threat actors, or the tools used. That’s why it’s important to read the policy and exclusions carefully.
Consider Separate Coverage for Acts of War
If you are concerned about the applicability of the act of war exclusion, you may want to consider purchasing separate coverage for acts of war. Some insurers offer policies that specifically cover losses arising from acts of war, including cyberattacks. While this type of coverage may be more expensive, it may provide you with greater peace of mind in the event of a loss. If you go that route, make sure that the new coverage actually fills the gap created by the exclusion. For example, if the exclusion excludes coverage for attacks by any foreign sovereign and your “act of war” policy covers only attacks by military agencies, you may have a gap in coverage.
Consider the Specific Threats to Your Business
The specific threats to your business will depend on a number of factors, including the industry in which you operate, the types of data that you handle, and your geographic location. Consider the specific threats that your business may face and make sure that your cyber insurance policy provides coverage for those threats. For example, if you operate in a region where state-sponsored cyberattacks are common, you may want to ensure that your policy provides coverage for losses arising from such attacks.
Look to Second or Third Party Coverage
Attacks often come through third parties, such as cloud providers and partners. If your coverage excludes certain hostile acts, theirs may not have such an exclusion. Thus, if they have coverage for losses to third parties (you), then you may file an action against the responsible third party, who will then seek coverage from their own insurer. You can require third parties with whom you conduct business, or to whom you give access to your data or network, to maintain adequate insurance policies for certain cyber-related losses.
Work with Your Broker or Agent
Your broker or agent can be a valuable resource in helping you to understand your cyber insurance policy and the specific threats to your business. Work with your broker or agent to identify any gaps in your coverage and to find solutions that can help you to mitigate those risks.
Implement Strong Cybersecurity Measures
One of the best ways to protect your business from cyberattacks is to implement strong cybersecurity measures. This includes measures such as employee training, network segmentation, access controls, and regular vulnerability assessments. By implementing strong cybersecurity measures, you can reduce the likelihood of a successful cyberattack and minimize the potential damage if an attack does occur.
While the use of the act of war exclusion by insurers to deny coverage for losses arising from cyberattacks perpetrated by state actors or other belligerents presents a significant challenge for insureds, there are steps that can be taken to ensure that they have coverage for such losses. By reviewing your policy carefully, considering separate coverage for acts of war, considering the specific threats to your business, working with your broker or agent, and implementing strong cybersecurity measures, you can reduce your risk and ensure that you are prepared for the worst-case scenario.
For further information regarding your cyber security, please contact KJK’s Cyber Security, Data Breach and Privacy Chair, Mark Rasch (MDR@kjk.com; 301.547.6925) or another member within the practice group.