Cyber Insurance for Critical Infrastructure and Debate About War

For those concerned about cybersecurity and critical infrastructure, there is nothing more terrifying than the prospect of a successful cyber-attack on a dam or powerplant.  The after effects of such an attack could have potentially catastrophic consequences including, but not limited to, bodily injury (and loss of life), environmental damage (including the accidental release of chemicals), loss of business income (and contingent business income), loss of power and utilities (which could also reduce business income), and property damage.  

According to a 2018 Survey, 26% of respondents in the energy industry, 19% of those in the infrastructure industry, and 14% of those in power and utilities reported being victims of cyber-attacks in the preceding 12 months.[1]

While the top priority is cybersecurity and prevention of such incidents, the potential for such a catastrophe requires a risk management strategy that includes insurance coverage for the consequences of the worst-case scenario.

The cyber insurance coverage market, which had over 520 insurers in the U.S. alone in 2018, is robust and growing.[2]  While the resulting competition creates opportunities for policyholders, the absence of standard form language creates uncertainty in trying to ascertain the meaning of policy language.  

One area of insurance policy interpretation, which has received significant attention over the last two years, involves the interpretation of so-called “war” exclusions.  These exclusions, which can differ significantly in how they are worded, purport to limit coverage for losses arising out of war or warlike actions.[3]

In 2018, the issue sprang into the news, as a result of a litigation initiated by Mondelez International, Inc. against Zurich American Insurance Company.   The action arose out of losses suffered by Mondelez, responsible for iconic snack brands such as Nabisco and Oreo, as a result of NotPetya.  According to Mondelez’s complaint, Zurich denied Mondelez’s claim for insurance coverage based on the war exclusion in Zurich’s policy.  Zurich’s policy purported to exclude coverage for a “hostile or warlike action. . .”

In 2018, Merck & Co., Inc. and International Indemnity Ltd. (Merck’s captive insurer), filed a lawsuit against more than twenty insurers and reinsurers in connection with losses Merck suffered from NotPetya, several of which invoked a “war” exclusion.

Much has been written about the subject with some saying that policyholders should be very concerned about Zurich’s position while others have suggested that such fears are overblown as the Zurich policy at issue was not a pure cyber policy.[4]  Lloyd’s of London, mindful of the perception issue, released a Market Bulletin requiring all policies provide clarity regarding cyber coverage by either excluding or providing affirmative coverage.[5]

A somewhat recent decision regarding the war exclusion, albeit in another context, has allayed some of these concerns.  In July, the United States Court of Appeals for the Ninth Circuit reviewed a lower court decision regarding an insurance claim by two production companies who were forced to relocate the production of a television program from Jerusalem in the face of Hamas rocket attacks on Israel.[6] The insurance company had denied coverage on the grounds that the covered expenses were barred by virtue of the policy’s exclusions for “war” and “warlike action by a military force.”[7]  The Ninth Circuit rejected these arguments and held that “war” in the insurance context is limited to hostilities between sovereigns, and that while Hamas has control over Gaza, “Gaza is part of Palestine and not its own sovereign state” and that Hamas “never exercised actual control over all of Gaza.”[8]

Considering this opinion, it can be argued that the “war” exclusion does not apply to cyber-criminals or to cyber terrorism.  This is particularly helpful, considering that cyber terrorists and cyber-criminals increasingly target critical infrastructure.  With the rise of the Internet of Things (IoT) and linking critical infrastructure with numerous more devices, those networks connecting to IoT devices face increased risk if those other devices do not implement proper device and network security programs.  Accordingly, it is doubly important to ensure that policyholders have coverage for attacks on their systems, as well as other systems and devices to which their systems and devices may be connected. 

For the avoidance of doubt, however, policyholders should work with their insurance professionals, including counsel, to ensure that they have the broad cyber coverage and narrow limitations on that coverage.   This is particularly true in the context of “war” exclusions given the prevalence of cyber-crime and cyber-terrorism.

For critical infrastructure, knowing that the necessary resources will be there in the event of a catastrophe is an essential component of any risk management strategy.

 

This article was written by  Peter Halprin and Nicolas Pappas

___________

[1]Marsh & McLennan, MMC Cyber Handbook: Perspective on the Next Wave of Cyber, Pg. 6 (2018), (https://www.marsh.com/us/insights/research/mmc-cyber-handbook-2018.html; view full report to download pdf).

[2] Insurance Journal, “State of the Cyber Insurance Market – Top Trends, Insurers and Challenges: A.M. Best,” (June 18, 2019), available online at: https://www.insurancejournal.com/news/national/2019/06/18/529747.htm.

[3] IRMI, “War Exclusion,” available online at: https://www.irmi.com/term/insurance-definitions/war-exclusion.

[4] Gloria Gonzalez, “Cyberattack coverage dispute hinges on war exclusion argument,” Business Insurance (April 10, 2019), available online at: https://www.businessinsurance.com/article/20190410/NEWS06/912327806/Cyberattack-coverage-dispute-hinges-on-war-exclusion-argument; Judy Selby and Peter McLaughlin, “Is insurance coverage for cyber claims barred by a war exclusion?”  The Privacy Advisor (June 25, 2019), available online at: https://iapp.org/news/a/setting-the-record-straight-on-cyberinsurance-claim-denials-and-the-war-exclusion/; Kate Smith, “An Act of War?” Best’s Review (September 2019), available online at: http://news.ambest.com/articlecontent.aspx?refnum=288755&altsrc=123

[5] Lloyd’s, Market Bulletin, Ref. Y5258 (April 7, 2019).

[6] Universal Cable Productions, Inc., v. Atlantic Specialty Ins. Co., 929 F.3d 1143 (9th Cir. 2019).

[7] Id., 1147. 

[8] Id., 1148.