The Insurance War Exclusion
How does it work? What About Cyber?
The War exclusion has been on insurance policies since as far back as the 1700s.
But with nation- to- nation cyber-attacks, it has floated to the top as an issue for Cyber insurance coverage.
Should we worry?
The traditional War exclusion has language to this effect:
The INSURER will not pay for loss or damage caused directly or indirectly by any of the following. Such loss or damage is excluded regardless of any other cause or event that contributes concurrently or in any sequence to the loss.
War and Military Action.
1.War including undeclared or civil war;
2. warlike action by a military force, including action in hindering or defending against an actual or expected attack by any government, or other authority using military personnel or other agents; or
3. insurrection, rebellion ,revolution, usurped power or action taken by governmental authority in hindering or defending against any of these.
The Merk case involving NotPetya
The insurance industry determined early that war was not one of the fortuitous losses they wanted to protect against—it is potentially too massive and falls outside the realm of pure insurable business risk. But it gets a bit complicated when the war exclusion is applied to a cyber incident.
In one case involving coverage for a cyber incident (Merk and International Indemnity v. ACE – NJ Superior Court) the court decided in favor of the insured on the basis that:
“Insurers did nothing to change the language of the exemption to reasonably put the insured on notice that it intended to exclude cyber-attacks.”
The court in this case decided that the exclusion violated the reasonable expectations of the typical insured. The case involved the NotPetya attack which has been attributed to the Russian government.
See Cyber Warfare – Battles in the Courts
In addition to the ambiguity of the exclusion’s intent, it is usually hard to pinpoint where an attack originated from unless a nation-state takes responsibility for it.
Up till now we’ve managed the existence of War exclusions on Cyber policies this way:
- Rely on the ambiguity of the exclusion with respect to Cyber claims – (is a cyber -attack war?) , and
- Obtain an exception to the War exclusion for cyber-terrorism (which exception has been available in the market).
The insurance industry adapts
The industry usually adapts when adverse rulings come down, and they are doing so now with the War exclusion.
Lloyd’s of London has just introduced a “War, Cyber War and Cyber Operation” exclusion which broadens out the exclusion to remove coverage for “Cyber War” and “Cyber Operation” in addition to “War.”
“Cyber War” is not defined in the exclusion, but “Cyber Operation” is defined as:
“the use of a computer system by or on behalf of a state to disrupt, deny, degrade, manipulate or destroy information in a computer system of or in another state.”
What this does is clearly deny coverage for state actions whether typically defined war or not, and whether against another state or even just a computer system in another state. So, if this language had been in effect Merk would not have had the good result it obtained in court.
Thrust and Parry
The insured’s next move
The insureds win in court and the insurers react with new, broader exclusions. What’s the insured’s next move?
In Cyber especially, but valid in all lines of insurance, there is no true standardization of coverage, and there are many insurers offering the product.
We need a defense to the appearance of increasingly harsh exclusions.
The first step is awareness. In the insurance purchase, the broker/insurer count on your accepting the offer based on the 3-5- page summary. Treat the insurance purchase as you would any other contract negotiation:
- get the full language as part of your proposal,
- read it, understand it, and accept it, or
- negotiate the problem out of it, or
- move on to the next proposal
Get more detail on the coverage negotiation process
Have a risk manager on your side
The largest companies have entire risk management departments reporting to the CFO. You need risk management too.
(c ) Licata Risk & Insurance Advisors, Inc. 2022
Frank Licata
mailto:[email protected]; 617.718.5901
Mar 28, 2022