Cyber insurance claims

Preventing icon - shield icon

Read time: 4 minutes

In 2023, we continue to monitor the development and potential application of “war exclusions” in cyber liability insurance and other policies. War exclusions have existed in certain types of insurance policies for decades and have been litigated in the property and casualty insurance context since the 1970s. More recently, war exclusions have appeared in cyber liability policies and other forms of coverage. The exclusion was intended to exclude damage arising from traditional warlike acts between sovereign and/or quasi-sovereign entities. When evaluating whether a war exclusion applies, U.S. courts have traditionally looked to two factors: (1) whether a formal declaration of war exists, and (2) whether the circumstances meet the commonly used definition/interpretation of “war.” See, for example, Pan American World Airways, Inc. v. Aetna Casualty & Surety Company, 505 F.2d 989 (2nd Cir. 1974) (“[W]ar is waged by states or state-like entities and includes only hostilities carried on by entities that constitute governments, at least de facto in character”).

Authors: Stephanie E. Gee

Although the traditional “boots on the ground” version of warfare certainly still happens, cyber warfare may be a component of modern national conflicts. But does this mean that what constitutes an “act of war” or a “warlike act” is now broader than the traditional forms of war in mind when war exclusions were first developed? There was a 38% increase in global cyberattacks in 2022 compared to 2021. Many threat actors carrying out these attacks are alleged or suspected to be associated with (or part of) nation-states and governments. Thus, in the cyber liability insurance context, the difficulty becomes whether war exclusions will foreclose coverage for acts of “cyber warfare.”

The potential application of a war exclusion for cyberattacks that may constitute acts of cyber warfare was recently addressed in Merck & Co. v. Ace American Insurance Co., Case No. UNN-L-2682-18, 2021 N.J. Super. Unpub. LEXIS 4566 (N.J. Sup. Ct. Dec. 6, 2021). Although this case involves an “all-risk” property insurance policy, it may provide further guidance on how a war exclusion may – or may not – apply in the cyber liability insurance context. At issue in Merck is whether a war exclusion in Merck’s all-risk property insurance program, which provides coverage for business income loss (among other things), precludes coverage for approximately $1.4 billion in damages that Merck suffered after falling victim to the NotPetya ransomware attack in spring 2017. Specifically, Merck’s insurers argued that the war exclusion applied because, they asserted, the NotPetya malware was deployed by Russia to disrupt and destabilize Ukraine. The New Jersey Superior Court sided with Merck, holding that the language of the exclusion did not reach cyberattacks such as NotPetya and that the insurers “did nothing to change the language of the [exclusion] to reasonably put this insured on notice that it intended to exclude cyberattacks.” The New Jersey Appellate Division affirmed. See Merck & Co. v. Ace Am. Ins. Co., No. A-1879-21, 2023 N.J. Super. LEXIS 43 (N.J. Super. Ct. App. Div. May 1, 2023). The Appellate Division agreed with the Superior Court “that the plain language of the exclusion did not include a cyberattack on a non-military company that provided accounting software for commercial purposes to non-military consumers, regardless of whether the attack was instigated by a private actor or a ‘government or sovereign power.’” As the risk of cyberattacks continues to increase, certain insurers have revised their war exclusions in an attempt to restrict or preclude coverage for cyberattacks committed by or on behalf of sovereign and/or quasi-sovereign entities. For instance, in August 2022, Lloyd’s announced that as of March 2023, insurers selling through the Lloyd’s platform are required to include exclusions for cyberattacks involving state actors in their cyber liability and certain other policies. The Lloyd’s language seeks to remove the requirement that a formal declaration of war is necessary to apply the exclusion. The Lloyd’s language has not, however, been consistently rolled out to policyholders.

Although we have yet to see how these newly crafted exclusions will apply in real-world claims, these potential new, more restrictive forms of the war exclusion may pose practical problems for policyholders. For example, questions of attribution to sovereign entities are, in many cases, inconclusive, such that coverage may be uncertain. A nation-state’s willingness to declare an event “war” may be subject to political or diplomatic concerns. Additionally, to the extent that more favorable terms and conditions are negotiable, companies may continue to see historically high costs for purchasing adequate cyber liability coverage.

Key takeaways
  • Companies should closely monitor whether newly crafted “war exclusions” restrict coverage for cyberattacks.
  • Companies should seek to fully understand the scope of their cyber risks and work with an experienced broker to convey that information to underwriters during the placement or renewal process.