War used to be an obvious, physical act, with or without a prior formal declaration, between state-sanctioned and supported actors, whose role was clear, even if they were sometimes mercenaries.
Russia’s annexation of Crimea in 2014 was an inkling that perhaps the usual binary identification (war/not war) no longer held. Ex post facto, it was clearly an aggressive and hostile act committed by one sovereign state against another, but the manner in which it was conducted allowed, for a time at least, the blurring of perceptions to the advantage of the aggressor.
In the realm of cyber insurance coverage, such issues are also becoming increasingly problematic, as cases involving Mondelez and Merck now make evident. In 2017, both companies, amongst many others, fell victim to the so-called NotPetya cyberattack. Ironically, the code used actually incorporated a stolen US National Security Agency (NSA) “cyberweapon”.
Not surprisingly, both companies, having suffered extensive economic damage, running to hundreds of millions of dollars, made claims for reimbursement under insurance policies which they believed would respond to what happened. To their shock, their insurance carriers (Zurich, in the case of Mondelez) rejected their claims, invoking a little-used “war exclusion” clause, which would absolve them from paying a claim which was deemed to have arisen from an act of war. In response, both companies have sued their insurers; and, given the importance of the cases, the resulting litigation is likely to be both closely watched and protracted.
As we have written before, cyber covers are one of the few supposed bright spots for the product lines of traditional CAT (re)insurers, as growth in demand continues- with global premia estimated to almost quadruple from 2017’s USD 4.5BN to USD 17.5BN in 2023. This is a product line in which any major insurer will have an interest, yet the nature of and triggers for coverage remain a work in progress.
The key problem in most such cases is identifying with any appropriate level of proof exactly who, or which entity is responsible for a particular event. In the case of state, or state-affiliated or -directed actors, while that may be known, reasons of state may dictate that proof is not available or made public. The NotPetya event was actually publicly stated by the US government to have been conducted by a state actor- Russia. However, characterization as an “act of war” is problematic, as the impact was widespread and not confined to US entities, even though the Ukraine was considered to be the intended target.
From the point of view of a (re) insurer this raises the issues of how to define and limit the extent of the coverage to what the (re)insured intended (and what the Insured expected), as well as determining whether those impacted were the intended target(s), or simply collateral damage. The inter-connectedness of the world makes how far that damage can spread increasingly hard to determine. Given the potential potency of the “act of war” exclusion, one can also foresee the risk of “moral hazard” in terms of who might, and might have the incentive, to state that a particular cyberattack was an act of war, and where the burden of proof should lie.
At Awbury, a key focus of our business model is ensuring that the terms and “triggers” of any coverage we write are unambiguous and clearly defined. We do not wish to find ourselves in the position of having to debate with an Insured whether or not a claim exists. Ambiguity, or the raising of an unforeseen defence, serves no-one’s interests. And, for the record, we do not write cyber covers, although we keep a close eye on cyber risks as the may relate to any of our credit-based coverages.
The Awbury Team