Conflicts and rivalries between nation states are increasingly being played out in cyber space, from cyber espionage and theft of intellectual property to sophisticated attacks resulting in physical damage and widespread disruption, as seen with the 2017 NotPetya malware attack. 

That attack caused damage and disruption at over 2,000 companies in 65 countries (according to RMS), including shipping company Maersk (which reported NotPetya losses of USD300m), logistics firm FedEx (USD300m), consumer goods company Reckitt Benckiser (USD100m) and construction group Saint Gobain (USD393m).

Cyber attacks backed by nation states raise interesting considerations for insurance contracts, which typically include exclusions for acts of war and other forms of conflict. Incidents like the NotPetya cyber attack have resulted in coverage disputes and highlighted the need for buyers to look beyond their property and casualty policies for protection against cyber attacks. 

A number of those companies affected by NonPetya are now involved in coverage disputes with insurers over cyber claims. The two most high profile cases involve US food manufacturer Mondelez, known for its Oreo and Cadbury brands, and pharmaceutical company Merck. Both companies are suing their respective property insurers after the carriers denied NotPetya claims by triggering a war exclusion in their respective all-risk property polices.

Mondelez filed a complaint in October 2018 against its property insurer Zurich Insurance for USD100m in property damage and business interruption losses arising from the 2017 cyber attack. Merck, which has reported NotPetya losses of almost USD700m in 2017 and 2019, also filed a complaint against ACE and other insurers after they reportedly used a war exclusion to deny coverage. 

War exclusions

These types of disputes have helped spark debate around war exclusions and whether they are fit for purpose with respect to cyber risks. Property/casualty insurers are concerned that they may no longer be able to rely on war clauses, while buyers worry that carriers could use war clauses to deny claims for cyber events such as the NotPetya attacks.

War and terrorism exclusions are an established and important component of insurance, a reflection of reinsurance coverage and regulatory considerations. These exclusions vary by insurer and line of business, but most wil include language like “act of foreign enemy, hostilities or warlike operations, whether war be declared or not” – which has now been used by insurers to deny cover for a cyber event attributed to a nation state. 

The US government has blamed Russia for the NotPetya attack, but the burden of proof sits with Zurich and ACE, which will need to convince the courts that the war clauses apply. However, attributing a cyber attack to a nation state is very difficult, while an insurer would also need to demonstrate that an incident would fall under the policy definition of war or hostile action. 

Arguments can be made that today’s wordings appear out of touch with the reality of cyber conflicts. It is likely that insurers will now move to tidy-up war clauses in order to provide more clarity of coverage around cyber events such as NotPetya. It is also likely that the specialist cyber insurance market will clarify war exclusions in order to provide certainty of cover for non-war cyber conflicts like NotPetya.

Silent cyber

The NotPetya malware outbreak has also drawn attention to the wider issue of silent cyber, also known as non-affirmative cover. Where cyber losses may be covered under a traditional property/casualty policy, this is often not explicitly referred to in the wording and is on occasion not underwritten fully by the insurer. Property Claim Services (PCS) data estimates insured losses from the NotPetya attack are in excess of USD3bn, yet some 90% are from silent cyber, according to Reinsurance News website.

Fear of large silent cyber exposures, coupled with regulatory pressure, are leading some insurers to tackle non-affirmative cover – the London market has, for example, issued a number of model wordings that explicitly exclude cyber, paving the way for affirmative cover under write-backs and extensions. Several global insurance carriers are also pursuing strategies of affirmative cover, replacing silent cyber with affirmative cover, exclusions and extensions. 

The UK’s Prudential Regulatory Authority (PRA) recently wrote to UK insurers in January 2019 requiring a silent cyber action plan by the end of Q2 2019. The PRA wants insurers in London to actively manage silent cyber risk, either clearly excluding cyber such risks, or including them and pricing for them accordingly.

Conclusion

Recent events offer further evidence that buyers of commercial insurance cannot rely on non-affirmative cover in traditional property/casualty policies, or a loose blending of policies, to protect themselves against cyber losses. Such a strategy will result in uncertainty of coverage for cyber risks and carries a higher risk of a coverage dispute. 

In contrast to the property/casualty market, the standalone cyber insurance market has expertise in cyber and carriers are increasingly clear on the coverage they are willing to underwrite. Through confidence in the intent of cover, the cyber insurance market has largely avoided taking an adversarial approach to settling cyber claims, including those from NotPetya. 

By working with a specialist wholesale broker like Miller, North American brokers and their clients can access specialist cyber expertise and capacity, including coverage for the nefarious activities of nation states.