
Understanding the war exclusion in cyber insurance is a crucial part of protecting your business from cyber threats. A war exclusion clause is typically included in standard cyber insurance policies.
This clause excludes coverage for losses or damages resulting from war, including acts of terrorism, civil unrest, and military action. Cyber insurance policies often adopt the standard ISO (Insurance Services Office) war exclusion clause, which excludes these same categories of loss.
Understanding Cyber Insurance Exclusions
The war exclusion is a crucial part of understanding cyber insurance. Cyber insurance policies often come with exclusions, including an acts-of-war exclusion, which can come as a surprise to business owners.
These exclusions can leave businesses without the help of their cyber insurance in the event of a cyber attack. For example, a cyber attack that falls under a war or terrorism exclusion may not be covered by the policy.
Business owners need to be aware of these exclusions and understand how they may apply to a cyber event. This is especially important for insurance brokers who advise clients on cyber insurance policies.
A recent update from Lloyd's requires all standalone cyber-attack policies to include a state-backed cyber-attack exclusion. This exclusion must be endorsed on all such policies from 31 March 2023 onwards.
Insurance brokers need to review the war and/or terrorism exclusions with their clients before advising them on a cyber insurance policy. This is an important step in advising clients and protecting their own E&O.
The LMA has developed model clauses for cyber war exclusions, including LMA5564A and LMA5564B, which meet the requirements of the Lloyd's bulletin. However, these clauses may not be clear in their application, leading to potential disputes over attribution and coverage.
Businesses should be cautious when purchasing cyber insurance and ensure they understand the exclusions and limitations of their policy. This includes reviewing the policy terms and conditions and asking questions about any exclusions or limitations.
Here are some key points to consider when reviewing cyber insurance policies:
- A policy with an acts-of-war exclusion may not cover cyber attacks that fall under a war or terrorism exclusion.
- Business owners need to review the war and/or terrorism exclusions with their insurance brokers.
- Lloyd's requires all standalone cyber-attack policies to include a state-backed cyber-attack exclusion.
- The LMA has developed model clauses for cyber war exclusions, including LMA5564A and LMA5564B.
By understanding cyber insurance exclusions, business owners can make informed decisions about their cyber insurance policies and avoid potential pitfalls.
Cybersecurity and Insurance
Cyber insurance policies can protect businesses from cyber attacks, but the language used in the policy is crucial. Specifically, look for language that separates cyber terrorism from cyber war.
Many policies will cover acts that fall under cyber terrorism while excluding those that fall under cyber war. This distinction is important, as it can leave businesses without coverage in the event of a cyber war.
Businesses that already have cyber insurance but want to protect themselves even in the event of a cyber war can purchase a separate insurance policy. However, they will have to pay a rising premium as cyber risk becomes more and more real for businesses across the board.
Insurance brokers need to review the war and terrorism exclusions with their clients so they understand how this may apply to a cyber event. This is crucial, as clients may be left without the help of the cyber insurance they thought they had.
Most standalone cyber policies will include language that excludes coverage for acts of war and terrorism, but most good standalone cyber policies will have a carveback for these events, specifically for "Cyber Terrorism".
Exclusion Clauses and Models
The LMA model clauses for cyber war exclusion have undergone significant changes. The original four model clauses, LMA5564, LMA5565, LMA5566, and LMA5567, were designed to exclude state-led cyber operations.
These clauses offered varying levels of coverage, but they all required proper attribution to a state for the exclusion to apply. The LMA later re-drafted these clauses to meet the new requirements of Lloyd's Market Bulletin Y5381.
The updated clauses, LMA5564A and LMA5564B, LMA5565A and LMA5565B, LMA5566A and LMA5566B, and LMA5567A and LMA5567B, reflect these changes. The A variants of these clauses meet the requirements of the Bulletin, including attribution.
However, the B variants omit the clause dealing with attribution, allowing managing agencies at Lloyd's to apply an alternative attributive methodology or seek an exemption from Lloyd's.
State Sponsored Attacks and Insurance
State-sponsored cyber attacks can be a challenge to cover, especially when it comes to insurance. These types of attacks often fall under the category of war and terrorism exclusions.
The Bulletin refers to state-backed cyber-attacks, but many have sought a more concrete application of the exclusion solely in the context of war. Firm notions of state-on-state war are far less clear-cut than they once were, with grey-zone activity becoming ever more prevalent.
Cyber operations are a significant weapon in the armoury of states looking to achieve a coercive, but deniable, effect. Insureds want certainty over state-sponsored cyber-attacks, and the market has not yet reached an end point in this debate.
In order for a cyber war exclusion to apply, the damage caused would have to be of an overwhelming severity and incorporate systemic losses extending far more broadly than individual organisations or enterprises. This means that some state-sponsored cyber-attacks may not be covered under a cyber war exclusion.
The NotPetya attack is a good example of this, where some cyber war exclusions would not have applied and cover would have been given.
Insurance Issues and Comparison
Insurance issues and comparison can be complex, but it's essential to understand the differences between traditional and cyber war exclusions. Cyber insurers have confirmed that they don't consider any attack to date, including NotPetya, would trigger the exclusion.
The new cyber war exclusion clauses provide a framework for cyber's unique risk profile, offering clients more certainty around the parameters of cover. One key addition is a carveback for collateral damage that reinstates cover if assets in countries not targeted directly are affected.
Traditional war exclusions lack the level of clarity and scope of cover found in the new cyber war exclusion clauses. Cyber war exclusions clarify that war is 'armed conflict involving physical force' and introduce an impact threshold that only triggers the exclusion when a country's ability to function is jeopardized.
Using Other Insurance Policies
Insurers are strongly discouraged from writing "silent cyber" risks, or non-affirmative cover, in other insurance policies.

This means that if an insurer does accept a transfer of cyber risks, it should be explicit, with appropriate limits and definitions of key terms.
In a Lloyd's context, writing war risks is constrained, and such risks cannot be written without the prior agreement of Lloyd's.
Limited circumstances allow for this exception.
Insurers should also consider whether the policy should exclude or limit cover for state-backed cyber-attacks if not otherwise addressed in the policy terms.
This is particularly relevant in policies that are not stand-alone cyber policies.
Insurance Issues
Insurance issues can be complex, but one thing's for sure: cyber war exclusions are a major concern.
Brokers need to review war and terrorism exclusions with clients to ensure they understand how coverage may apply in the event of a cyber attack. This is crucial to avoid E&O claims.
Most standalone cyber policies include language that excludes coverage from acts of war and terrorism, but some have carvebacks for cyber terrorism. These carvebacks provide coverage as long as the acts weren't carried out directly by a government or at its express direction.
It's challenging to prove if a government is behind a specific attack, as it's often carried out by third parties. Governments will likely deny any involvement, making it hard to determine attribution.
Brokers should disclose cyber war and terrorism exclusions to clients to protect themselves from E&O claims. Recommending a subpar policy with exclusions without carvebacks can lead to costly mistakes.
Silent cyber risks, or non-affirmative cover, are strongly discouraged by Lloyd's and the Prudential Regulation Authority. Insurers should explicitly include or exclude cyber coverage in policies, with clear limits and definitions.
Cyber war exclusion clauses can be subjective, leading to differences of opinion over attribution to a state. This can create disputes and difficulties in assessing coverage.
Some insurers have taken alternative approaches to attribution, making it clear that attribution to a sovereign state shouldn't automatically trigger an exclusion. This approach may provide more clarity for insureds and brokers.
How Do We Compare to Traditional?

The traditional war exclusions don't quite cut it when it comes to cyber insurance. They lack the clarity and scope of cover that new cyber exclusions provide.
One key difference is the carveback that reinstates cover for collateral damage in countries not directly targeted. This level of clarity is a game-changer.
In traditional exclusions, war is often defined vaguely, whereas new cyber exclusions clarify it as 'armed conflict involving physical force'. This added definition provides more certainty.
The 'major detrimental impact' clause in new cyber exclusions sets a high bar for triggering the exclusion. An attack on a few banks or energy suppliers wouldn't be enough to trigger it unless it disrupts the country's services as a whole.
Cyber insurers have confirmed that no attack to date, including NotPetya, would meet this threshold. This suggests that new cyber exclusions are more nuanced and effective.
Key Terms and Features
Cyber insurance war exclusion clauses have several key terms and features that are worth understanding.
A threshold of harm is often set out in these clauses, which must be met or exceeded for the exclusion to apply. This threshold can be described as a "major detrimental impact" to the functioning of the state.
In some cases, a "widespread event" is defined to articulate the level of systemic damage required for the exclusion to be invoked.
To apply, a cyber operation must be robustly attributed to a specific state, rather than a private individual or group. This can be a difficult area to navigate.
Cyber war exclusions also seek to avoid cover for cyber operations deployed by parties to an armed conflict.