Insurers who write cyber policies with exceptions for acts of war will find that provision almost impossible to defend in courts, according to legal experts.
Standard insurance practice prohibits underwriting for losses from shooting wars between nations, and policies are generally written to reflect that. It was that clause to which a Zurich Insurance Group AG unit turned to reject a claim from food manufacturer Mondelez International Inc. for losses from the 2017 NotPetya malware attack, which the U.S. and several other governments said originated from a Russian digital attack against Ukraine.
Zurich and Mondelez are embroiled in a legal dispute over the insurer's use of the clause, which it triggered when Mondelez attempted to claim for NotPetya losses under a property policy. But where cyberinsurance comes into play, relying on a war exclusion is likely to be almost impossible to defend in court, legal experts said during a May 16 panel discussion at the Cyber Risk Insights Conference in Chicago.
One reason is that even the best IT talent can rarely pinpoint, digitally, the perpetrator of a cyber attack, said Richard Goldberg, a partner with the law firm Lewis Brisbois Bisgaard & Smith LLP. An accusation from the U.S. and other governments would not be admissible as evidence in court, said Goldberg, who is also a former cyber crimes federal prosecutor.
If a country like Russia or North Korea is blamed for a cyber attack, their governments tend to deny it reflexively. Further, law enforcement investigations on which courts rely for permissible trial evidence rarely cooperate across national borders, Goldberg said. And of course, companies accused of launching attacks do not cooperate at all, he added.
A further legal complication is that government security and spy agencies that do gain definitive evidence of the source of an attack are loath to turn it over because doing so might reveal sensitive operations. Classified intelligence is beyond the reach of civil suits, Goldberg said.
And even if a victimized company did accurately determine the source of an attack, an accused party could claim that it was spoofed, said Andrew Lea, head of cyber and media liability for CNA Financial Corp. Spoofing is a cyber ruse in which a hacker impersonates another user or network.
"To get to 100% [legal] attribution is tough," Lea said.
Mondelez's $100 million lawsuit against Zurich American Insurance Co. has prompted anxious discussions among cyber liability insurers, brokers and customers about the war exclusion, panelists said. They noted that writers of stand-alone cyber insurance have been paying claims from the NotPetya attack, which is blamed for at least $3 billion of insured losses.
The topic of cyberinsurance and war exclusion has come up on nearly every account call recently, Lea said. NAS Insurance Services LLC, a managing general agent owned by HCC Insurance Holdings Inc., has fielded a steady flow of questions on the topic, said claims manager Tamara Ashjian.
NAS Insurance's war exclusion applies to shooting, or kinetic, warfare, Ashjian said, adding: "Our definition of kinetic warfare is clear enough to let them know that there's a big difference between ... cyber coverage and that exclusion."
Even though the war exclusion is difficult to defend in court, insurers still need it, said Vincent Vitkowsky, a partner with the law firm Seiger Gfeller Laurie LLP. Companies must guard against paying for losses that could come from the sophistication and resources of a government-run attack. And without the exclusion, reinsurance becomes much harder to buy, Vitkowsky said.
Insurers need to update their policy forms to include digital forms of attacks, Vitkowsky said.
"We shouldn't be using a form that was largely developed after World War II for this; it doesn't fit," Vitkowsky said.