Recently, we shared a blog article discussing cyberinsurance. However, in the weeks since, we have seen an increasing number of media pieces concerning insurance war exclusions and how these may be applied to cyberinsurance. With Russia’s history of cyberwarfare and current quagmire in Ukraine, a wider attack in the digital world is quite possible, or at the very least something to be ready for. Indeed, our government has been reaching out to organizations to encourage responsible preparedness and business continuity planning.
Please note: We are neither attorneys nor experts in insurance. Please contact the appropriate professionals prior to making important decisions regarding your business or organization’s insurance.
Generally speaking, an insurance policy will contain an exclusion for damages caused during warfare. These kinds of events are rare and all but impossible to predict, and thus insurers have difficulty reconciling the cost of maintaining insurance for such unpredictable events. While each insurance company and policy can be different, each policy should define exactly what war consists of. Often the definition will be something akin to “physical confrontation between state actors or agents acting on a state’s behalf, whether or not war has been formally declared”. Yet cyberwarfare doesn’t fit cleanly into this definition, which leaves a legal “hole” in the policy’s exclusions and definitions.
Recently, Lloyd’s updated their definitions and limitations on cyber warfare. (Note: This is provided as an example. As a reminder, it is important to familiarize yourself with the policies affecting your business or organization and not assume other policies will reflect yours.) The linked Lloyd’s documents address several of the questions that cyberwarfare raises. Clarifications include definitions of war, computer systems, states, and cyber operations, as well as how and to whom responsibility for the actions is assigned.
There are interesting legal arguments at play here, too. In Merck v. Ace American Insurance, the court is attempting to square the circle of wartime exclusions for cyberinsurance as it relates to the NotPetya attack of 2017. This case remains in litigation as of this writing.
Beth Burgin Waller of Woods Rogers PLC outlines four steps for navigating the aftermath of a cyberattack (and the ensuing insurance claims):
- Do not speculate! Report facts of what happened, but do not assume or disclose unknowns that may or may not be accurate.
- Get your own independent experts, especially in the event your insurance company denies coverage due to wartime damages. Certified CIO can help you find these types of security experts!
- Do not make assumptions regarding your cyber-warfare policy exclusions. Errors or misunderstandings can happen during casual conversation. Find or seek out documents that define what the exclusions will and will not cover.
- Be prepared! Have a solid game plan for if and when a cyberattack—whether resulting from an international incident or not—occurs. At Certified CIO, our team of security experts can assist you with your business continuity planning!
As always, if your small or medium-sized business or organization needs some help navigating the IT world, GET IN TOUCH!