State sponsored cyber-attacks and insurance: application of the war exclusion
Recent events in the Middle East have brought the concept of a cyber war back into the foreground. This will cause both companies and their insurers to reconsider the implications of their cyber war exclusions, particularly following the requirements imposed by Lloyd's through bulletin Y5381 in August 2022. In this note, we have considered the implications for insurers and set out some of the coverage issues that may arise.
Increased cyber activity
A surge in hacktivist activity has been detected against organisations in several states. Strikes on data centres resulting in outages have also highlighted the vulnerability of technology infrastructure that supports the websites and platforms of the world's largest companies. Organisations operating critical supply chains are seeing rising attacks, causing global disruption to energy, fuel, manufacturing and shipping, as hackers target systems via phishing emails which lure employees into bypassing security protocols. The hacker will then employ 'wiper' malware, designed to destroy data rather than merely encrypting it for ransom.
Against this backdrop, it seems likely that state-sponsored attackers will continue to target organisations and cyber risk will increase.
The war exclusion
Over the past four years, the war exclusion and its application to state-sponsored cyber-attacks has already been in focus. Following the Russian invasion of Ukraine in February 2022, Lloyd's announced that as of March 2023 all standalone cyber policies must include a suitable clause excluding liability for losses arising from any state-backed cyber-attack. Lloyd's bulletin Y5381 then defined Lloyd's requirements for war exclusions, and Lloyd's updated its war exclusions. Since then the market has seen the introduction and adoption of many different versions of the amended war exclusion. At a minimum, the state-backed cyber-attack exclusion must:
1. exclude losses arising from a war (whether declared or not), where the policy does not have a separate war exclusion;
2. (subject to 3) exclude losses arising from state backed cyber-attacks that (a) significantly impair the ability of a state to function or (b) that significantly impair the security capabilities of a state;
3. be clear as to whether cover excludes computer systems that are located outside any state which is affected in the manner outlined in 2(a) & (b) above, by the state backed cyber-attack; and
4. set out a robust basis by which the parties agree on how any state backed cyber-attack will be attributed to one or more states.
Cyber war exclusions outside of the Lloyd's market remain, in many instances, identical or close to the NMA464 wording used since before WW2.
Given the work undertaken to draft and agree new versions of the war exclusion, the application of war exclusions to alleged state-sponsored cyber-attacks has been discussed at length within the Lloyd's market. This remains a key area of focus for insureds and insurers in 2026 given the swell in cyber activity referred to above. We would draw attention to the following points:
Significant impairment
Bulletin Y5381 stipulates that the state-backed cyber-attacks must significantly impair either the ability of the target state to function or the security capabilities of that state. This would seem to apply to attacks on infrastructure and international payment systems, for example, but there is uncertainty around what would otherwise qualify as significant impairment. Attacks on certain types of business could result in significant inconvenience for a country, but preventing that country from functioning is a high threshold. With respect to impairment of security capabilities, given the emphasis on business resilience and contingency planning, if the security of the state can be re-established in short order, is it the case that the exclusion would no longer apply? How long does the impairment have to last for the exclusion to be triggered? These issues have yet to be tested.
Attribution
In light of the Lloyd's requirement for any exclusion to set out a robust basis by which the parties agree on how to attribute any state backed cyber-attack to one or more states, attribution will be a crucial question, in an environment where the precise origin of attacks can be mysterious. Furthermore, confirming that any specific group is state-sponsored can be difficult. Versions of the war exclusion manage this issue in various ways (with the onus of determining whether a cyber-attack is state sponsored usually resting on the insurers). In circumstances where a particular group (such as Handala) is vocal in its allegiance to a state, this is a useful indicator of attribution. It may be easier to establish state sponsorship where the organisation is state backed, rather than having to focus specifically on the discrete attack.
But none of this establishes for certain that the attack is, in fact, state sponsored. The determination of attribution can take time (and query whether it must be a government that attributes the attack to a state). In a cyber context, claims are likely to be systemic and losses can build up quickly, creating a polarity between insureds who need a determination urgently and insurers who require time to understand the precise nature of the attack in question. In these circumstances, insurers may decide to advance breach response costs and deploy their breach experts, but with a full reservation of rights as to coverage pending further investigation.
The points above serve to highlight the difficulties arising from the cyber war exclusion wording and the inevitable complications arising where insurers seek to exclude a claim on this basis.
Revisiting Merck
In Merck Co. Inc. et al. v. ACE American Insurance Co., the New Jersey Superior Court rejected attempts by insurers to rely on a war exclusion in a property policy to exclude from cover Merck's losses arising from the NotPetya cyber-attack. Merck is a US pharmaceutical company which fell victim to the NotPetya attack in 2017, resulting in a claim for $1.4bn of damages. From an attribution perspective, in 2018 the CIA, and subsequently the UK, claimed that Russia was responsible for the attack. Russia denied involvement (referring to the fact that Russian systems were also impacted).
Merck claimed under its global all-risks property insurance policy which covered it for losses resulting from the destruction or corruption of computer data software. The policy did not have a cyber exclusion but it did contain a war and hostile acts exclusion which excluded "Loss or damage caused from hostile or warlike action in a time of peace or war".
The court found that the cyber-attack did not qualify as a "hostile" or "warlike" action as contemplated by the policy wording. Insurers eventually settled the coverage dispute, but the case provides a useful example of coverage issues arising in relation to a malware which affected multiple companies across the world (whether those companies were intended victims or not). It highlighted the complications around the application of the war exclusion, and insurers' attempts both to attribute an incident to a state and establish that the attack resulted from a war.
An English court might well reach a different conclusion on the same analysis. In Merck, the New Jersey court was at pains to emphasise that (a) the policy fell to be construed from the perspective of the reasonable insured; and (b) Merck "had every right" to anticipate that the exclusion applied only to traditional forms of warfare. English law would also construe the Policy from the perspective of the reasonable Insured (see for example the FCA Test Case), but the market has been through a round of reviewing wordings to ensure that they appropriately cater for a cyber risk profile that could not have been contemplated when some traditional war risks wordings were drafted.
All of this highlights the fact that each exclusion will need to be considered on its own terms, within the context of the remaining policy conditions and the admissible factual background.
Silent cyber
After 2019, when the PRA instructed insurers to "have action plans to reduce the unintended exposure that can be caused by non-affirmative cyber cover", Lloyd's initiated a phased process by which all classes of business would need to clarify whether they were covering losses caused by a cyber event (by either excluding cyber losses or affirmatively covering them). However, the deadlines set and the rush to comply have led to confusion and a lack of consistency in the approach taken in the market. There is uncertainty around coverage for cyber-related exposures as a result, in combination with a discretion in the company market whereby insurers can choose to remain silent as to whether a cyber loss would be covered or not. Where there is no cyber exclusion, there remains a risk of silent cyber (i.e. the possibility that cyber will be covered irrespective of whether this was intended by the insurers when they drafted the policy).
The risk of a cyber exposure is not insignificant given the geopolitical situation and our ever increasing dependence on connected technology. A Scattered Spider attack could, for example, manifest in significant property damage; in such a situation, is the loss to be picked up by a property policy? Such policies often exclude physical damage from a cyber incident, but absent the exclusion this is less clear. Is the wording silent on cyber such that those losses could fall to property insurers regardless of the fact that the cause is not a traditional property peril? Will a standalone cyber policy also provide protection? Despite the efforts of Lloyd's to ensure that carriers consider these issues and ensure that their policy wordings are clear on the coverage provided, uncertainties continue and disputes remain likely.
Double insurance
There is also a risk of double insurance in circumstances where the insured has two policies, one of which is either silent on the subject of cyber or affirmatively provides coverage for cyber-related losses, and a standalone cyber policy. Such situations (and the use of "Other Insurance" clauses) can create disputes over how liability for cyber-related losses is to be shared between insurers (or the priority of the policies over one another).
The English court considered these issues in Watford Community Housing Trust v Arthur J. Gallagher Insurance Brokers Ltd, which we summarised in our article here. That case concerned a cyber loss in which three policies were potentially triggered, albeit that there were late notification defences on two of them. Each policy contained an "other insurance" clause which stated that the policy would apply excess of any other applicable policy. These were treated as cancelling each other out. The court concluded, amongst other things, that the insured could decide which policy to collect from, with the insurers then having contribution rights against one another, subject to any legitimate coverage defences which each insurer could raise in response.
The risk of double insurance (and consequent claims for contribution which will likely result) should remain an area of focus for insurers against the backdrop of increasing state sponsored cyber-attacks. It means, amongst other things, that a claimant's decision not to pursue a claim under a policy will not necessarily preclude other insurers who indemnify that claimant from seeking a contribution. This seems to us to be a particular risk in relation to cyber losses.
Conclusions
It seems likely that, as the conflict in the Middle East continues, attacks from cyber groups on companies associated with Iran's enemies will increase, and alongside it so will the focus on policy cover and the war exclusion. Businesses will be keen to assess the level of risk and the scope of any insurance cover, and insurers will doubtless be reviewing wordings to understand their exposure. Assessing the scope of cover and the application of the war exclusion in the context of particular claims will obviously be highly fact-dependent and subject to the specific wording. Whilst it is widely accepted and understood that the purpose of cyber policies is not to cover losses arising from war, the application of the war exclusion remains complex despite recent efforts to create a clause which reflects modern warfare. As always, insureds are looking for certainty from their insurance coverage. However, the cyber threat landscape is constantly changing, and it can be very hard for insurers to establish the origins of an attack and demonstrate attribution to a nation state in circumstances where an attack would, on the face of it, appear to be war-related.
We can expect to see future coverage disputes given that the cyber wordings (and in particular exclusions) are, to date, largely untested. We also expect to see contribution claims as the boundaries of different, non-cyber, policies are scrutinised.

















