10 Min Read

War exclusions in cyber policies: an overview

Read more

By Julian Miller & Tom Evans

|

Published 30 March 2023

Overview

This article was originally published on Practical Law and is reproduced with the permission of the publishers.

This article provides an overview of the use of war exclusions in cyber insurance policies, the background to the use of war exclusions in cyber policies, some of the typical exclusion clauses used and highlights some potential issues that may arise.

Scope of this article

Cyber risk impacts all organisations, regardless of sector and size.

This article explains cyber war exclusions and provides information on:

  • The background to and recent emergence of cyber-specific war exclusions.
  • The Lloyd’s Market Association's (LMA) model cyber war exclusion clauses.
  • Key terms and features of cyber war exclusions.
  • Coverage of state-sponsored cyber-attacks.
  • The scope for using cyber war exclusion clauses in other insurance policies.
  • Potential issues with cyber war exclusion clauses.

For more information on cyber insurance, including the type of risks covered and some typical insurance terms, see Practice note, Cyber insurance: an overview (w-026-4193).

Background

Cyber war risk is considered to be systemic in nature; in other words, the risk posed is to an entire system, including all of its component parts, not merely to individual organisations. Given our reliance on digital infrastructure, there is little question that a small number of states hold within their gift offensive cyber capabilities with the scope to cause incalculable economic damage, which the insurance market simply could not withstand. It is against these such risks that cyber war exclusions have been designed to act.

Excluding war perils has been a feature of insurance for centuries. Indeed, to exclude "all war" remains a fundamental requirement of compliance for policies written at Lloyd's of London (Lloyd's). Up until the late twentieth century, the exclusion of war perils was a comparatively unambiguous exercise. One of the most widely used war exclusions, NMA 464, met the case and remained largely unaltered in its wording since before the Second World War. It was adopted across a number of classes of insurance and throughout the Lloyd's market. NMA 464 is worded as follows:

Notwithstanding anything to the contrary contained herein this Certificate does not cover Loss or Damage directly or indirectly occasioned by, happening through or in consequence of war, invasion, acts of foreign enemies, hostilities (whether war be declared or not), civil war, rebellion, revolution, insurrection, military or usurped power or confiscation or nationalisation or requisition or destruction of or damage to property by or under the order of any government or public or local authority.

The events of September 11, 2001 fundamentally shifted how war was viewed by governments, both in terms of who could be considered a combatant and how terrorism could intersect with the actions of a State's governing regime. In the years that followed, means and methods of warfare evolved significantly and the Stuxnet malware operation against Iran’s uranium enrichment facility in 2010 proved unequivocally that cyber means, employed by states, could generate kinetic effects and significant physical damage.  

Events in 2014 brought this enmeshing of cyber as a means and method of warfare sharply into the public consciousness, when Russia is believed to have sponsored the launch of an unprecedented campaign of cyber-attacks against various Ukrainian organisations and businesses operating in Ukraine. Perhaps the most widely publicised of these was the NotPetya attack. Launched in 2017 against Ukrainian infrastructure targets, NotPetya was a zero-day wiper application which exploited a vulnerability in Microsoft operating systems and was launched in an indiscriminate fashion.  As such, it was not contained within its target's network, but spread freely, impacting countless public and commercial enterprises and causing billions of dollars' worth of damage.  

One such impacted organisation was Merck, a multinational pharmaceutical firm, which claimed against its insurers under an all risks policy. The insurers denied coverage, based on a pre-existing war exclusion, maintaining that the NotPetya cyber-attack amounted to a war-like action and that any resultant damage was therefore excluded from cover. Merck sued the insurers that had not settled its claim and in early 2022 won its application for summary judgment. The court of first instance in New Jersey (the New Jersey Superior Court) ruled that, under New Jersey law, had insurers wished to exclude state-sponsored cyber operations from cover, they should have done so explicitly (Merck & Co v Ace American Insurance Company (No UNN-L-002682-18). The ruling at first instance has been appealed, though the judgment on appeal is yet to be published. In any event, the judgment has encouraged insurers to re-focus their efforts on generating robust cyber-specific war exclusions which would apply in the case of catastrophic, or systemic, losses caused by cyber operations.

LMA model cyber war exclusion clauses

In London, the LMA had already produced the following four model clauses which could be employed to exclude state-led cyber operations, offering various levels of coverage, so long as they are properly attributed to a state:

  • LMA5564 - War, Cyber War and Cyber Operation Exclusion No. 1.
  • LMA5565 – War, Cyber War and Limited Cyber Operation Exclusion No. 2.
  • LMA5566 - War, Cyber War and Limited Cyber Operations Exclusion No. 3.
  • LMA5567 - War, Cyber War and Limited Cyber Operation Exclusion No. 4

Subsequently, on 16 August 2022, Lloyd’s published Market Bulletin Y5381 (the Bulletin) which updated Lloyd's requirements on war exclusions, extending this to state-backed cyber-attacks. This stipulated that, unless specifically exempted by Lloyd's, all standalone cyber-attack policies falling within risk codes CY (Cyber security data and privacy breach) and CZ (Cyber security property damage) must include a state-backed cyber-attack exclusion, and that this exclusion must endorse all such policies on placement or renewal, from 31 March 2023 onwards.

Following the publication of the Bulletin, the LMA has re-drafted its model clauses in order to account for some of the feedback received from market stakeholders and published the following clauses, which replaced the original suite of clauses:

  • LMA5564A and LMA5564B
  • LMA5565A and LMA5565B
  • LMA5566A and LMA5566B
  • LMA5567A and LMA5567B

The A variants meet the requirements of the Bulletin, but one of the key features of the re-designed clauses is that the B variants omit the clause dealing with attribution. That is, they do not contain agreement as to how a cyber operation is attributed to a state in order to determine whether the exclusion operates. A mechanism for attribution is, however, still required by the Bulletin, so any managing agencies at Lloyd's wishing to partake of the B variant model clauses will have the freedom to apply an alternative attributive methodology, or to apply separately to Lloyd's for an exemption from the requirement.

Key terms and features of cyber war exclusions

Along with the LMA's model clauses, a number of carriers and brokerage firms also worked to develop bespoke cyber war exclusion clauses throughout 2021 and 2022. There are a number of common features. Commonly these will seek to address threshold, attribution and definition. 

One of the key characteristics is to set out a threshold of harm, which must be met or exceeded in order for the exclusion to bite. In some cases, this threshold is described as harm occasioning a "major detrimental impact" to the functioning of the state. In other cases reference is made to  a "widespread event" which is defined with a view to articulating the level of systemic damage which would have to occur in order for the exclusion to be invoked.

A further fundamental characteristic of cyber war exclusions is the need robustly to attribute an operation to a specific state, rather than to a private individual or group. There is potential for some difficulty in this area which is further discussed below (Coverage of state sponsored cyber-attacks); however, it is noteworthy that a cyber operation must be attributable to a nation state in order for an exclusion to apply.

Additionally, cyber war exclusions seek to avoid cover for any cyber operations deployed by parties to an armed conflict. It has, therefore, been a feature of most cyber war exclusions to seek to aid interpretation of what constitutes "war" or "armed conflict" and what might fall outside of it.

Coverage of state sponsored cyber attacks

Discussions over coverage of state sponsored cyber-attacks  often come back to the question of how and when to apply the exclusion. The Bulletin refers to state-backed cyber-attack, but many have sought a more concrete application of the exclusion solely in the context of war. The difficulty is that firm notions of state-on-state war are far less clear cut than they once were, with grey zone activity, or operations below the threshold of war becoming ever more prevalent. Cyber operations are a very significant weapon in the armoury of states looking to achieve a coercive, but deniable, effect. Naturally, insureds want certainty over this, and it might reasonably be felt that as a market, this debate has not reached an end point. It does, however, remain a feature of most cyber war exclusions that should a state-sponsored cyber operation take place outside the context of a war or ongoing armed conflict, in order for an exclusion to apply, the damage caused would have to be of an overwhelming severity and incorporate systemic losses extending far more broadly than individual organisations or enterprises. Accordingly,while it is possible that a cyber war exclusion could apply to a state-sponsored cyber-attack with nothing to do with an ongoing war or armed conflict, to place this into context, it is at least arguable that in the case of NotPetya, some cyber war exclusions would not have applied and cover would have been given.

Scope for using cyber war exclusions in other insurance policies

Both Lloyd's in Market Bulletins Y5258 and Y5277and the Prudential Regulation Authority (PRA) in its supervisory statement on cyber insurance underwriting risk (SS4/17), have strongly discouraged the writing by insurers of "silent cyber" risks, or non-affirmative cover (that is, where cyber coverage is neither explicitly included or excluded within an insurance policy) (see Legal update, PRA policy statement on cyber insurance underwriting risk (w-009-0192)). Therefore,  where an insurer does accept a transfer of cyber risks, this should be explicit, with appropriate limits and definitions of key terms. Within a Lloyd's context at least, the writing of war risks is constrained as, except in limited circumstances, such risks cannot be written without the prior agreement of Lloyd’s. Where cyber risks are written in policies which are not stand-alone cyber policies, insurers should also give consideration to whether the policy should exclude or limit cover for state-backed cyber-attacks if not otherwise addressed in the policy terms.

Potential issues with cyber war exclusion clauses

On 31 August 2022, Insurance Business published Article, Lloyd's cyber mandate poses big concerns for brokers  highlighting concerns over the development of cyber war exclusions. Clarity over coverage appeared to be the most significant concern, with the suggestion that, "there is the danger … that unless specific advice is given to clients on the cover that they're buying, that there may be differences of opinion as to how wide that cover actually is."  The potential for subjectivity in assessing offensive cyber operations, therefore, has become a real concern.  Differences of opinion over the veracity of attribution to a state, or over the time it takes for attribution to be determined, are fairly obvious areas of potential dispute. 

One broker in particular worked closely with a reinsurer to generate a distinct cyber war exclusion which, it suggested, took an alternative approach to attribution. In particular, the new clause made it clear that, "attribution of cyber operations to a sovereign state should not automatically trigger an exclusion of coverage." (See, Article, A cyber continuum: Cyber war exclusions — moving towards clarity (Marsh, 29 August 2022).

These two firms were not alone in their work towards new cyber war exclusion clauses, some of which take conceptually differing approaches to the LMA model clauses. Though Lloyd's has been at pains throughout the Bulletin to emphasise that the model clauses do comply with the requirements, it does not rule out other approaches. 

While it is natural that brokers have concerns over certainty of coverage, and advocate on the part of insureds generally, there is no escaping from the fact that attribution could create some difficulties. The reason for this is simply that it is not within the control of market stakeholders. It will largely remain within the bailiwick of state security apparatus and cyber security expertise. Even with access to commercial expertise in this area, decisions to disclose attributive statements will be political in nature.  That said, on any reading of the model clauses, the onus of determining whether a cyber-attack is state-sponsored, sits wholly with the insurer. In this regard, the insured need prove nothing. Some insurers have reversed the burden of proof on attribution but this does not appear to be a widely adopted approach.

Further issues may arise over defining the bounds of an armed conflict and ensuring that insureds and brokers have a full understanding of concepts such as what constitutes a "major detrimental impact" caused by a cyber operation. Again, the burden of proof will rest with the insurer, and in many jurisdictions, the application of an exclusion will be read narrowly. What is clear is that it will be in insurers' interests to ensure that such concepts are fully and robustly articulated throughout the underwriting process.

Authors