As cyber risks continue to grow and evolve, the cyber insurance market is increasingly likely to take steps to limit its risk profile, often in the form of new or broadened policy exclusions. Cyber insurers are continuously evaluating, amending, and restructuring their insurance products (including their capacity, and, importantly, their pricing) to reflect what they perceive to be growing risks and threats to the bottom line.

A perceived new risk: Merck v. Ace

In some cases, insurers perceive an evolving risk through a development in court decisions interpreting policy terms. The decision of a New Jersey Superior Court earlier this year in Merck & Co., Inc. et al. v. Ace American Ins. Co. et al., Case No. UNN-L-2682-18, appears to exemplify this type of situation. There, the court determined that a “hostile or warlike action” exclusion did not preclude coverage for losses caused by the “NotPetya” ransomware attack, despite the insurers’ argument that the malware used in the NotPetya attack was an instrument of the Russian government “as part of its ongoing hostilities with Ukraine.” The court reasoned that “hostile or warlike action” required “actual hostilities” and that “no court has applied a war (or hostile acts) exclusion to anything remotely close to the facts herein.”

Although Merck involved a first-party property insurance policy, its holding elicited a significant reaction from the cyber insurance market because it involved a coverage dispute related to a cyberattack. With the warning provided by Merck that courts may not be inclined to interpret traditional war exclusions as precluding coverage for state-backed cyberattacks, some insurers appear to be reevaluating their existing war exclusions and amending their policy forms to respond to Merck.

Lloyd’s of London mandate for state-backed cyberattack exclusions

Indeed, Lloyd’s of London recently announced that it was taking an affirmative step to limit its exposure by precluding coverage entirely for such cyber events. On August 16, 2022, Lloyd’s issued a Market Bulletin mandating that its company insurers incorporate exclusions for cyberattacks involving state actors on a go-forward basis. Insurers selling through the Lloyd’s platform will be required to include these exclusions beginning March 2023. Although the Merck decision is not mentioned by name, the timing and substance of the bulletin are telling.

Notably, the proposed Lloyd’s exclusions are more restrictive (and seemingly purpose-tailored) than other extant war exclusions, including the exclusion at issue in Merck. The four model exclusions Lloyd’s sanctioned by the August 2022 Market Bulletin purport to exclude coverage for, as an example, loss “occasioned by happening through or in consequence of . . . cyber operation,” defined as “the use of a computer system by or on behalf of a state to disrupt, deny, degrade, manipulate or destroy information in a computer system of or in another state.” The four model exclusions also provide: “The primary but not exclusive factor in determining attribution of a cyber operation shall be whether the government of the state in which the computer system affected by the cyber operation is physically located attributes the cyber operation to another state or those acting on its behalf.” In other words, Lloyd’s seems to go so far as to attempt to preclude coverage whenever a cyberattack victim’s government merely accuses another country of perpetrating the attack. And even if the victim’s government does not point any fingers, the model exclusion enables the “insurer to prove attribution by reference to such other evidence as is available.”

Because a meaningful share of cyberattacks involve some potential for state sanction or sponsorship—albeit often tangential or merely possible—these exclusions and ones like them may have a drastic impact on coverage for cyberattack victims.

Considerations going forward

In light of this potential cyber insurance market trend, businesses should be especially vigilant and determine whether any policy they are considering purchasing contains a broad state-backed cyberattack exclusion. Further, other insurers are likely to develop and impose similar exclusions, so insureds must be particularly diligent in reviewing all proposed policy forms. At a minimum, businesses should be sure to have targeted discussions with trusted brokers about whether broad exclusions can be negotiated or removed. 

All that said, it is worth emphasizing that insurers seeking to enforce these—or any—exclusions face their share of legal and factual hurdles. Under the law of most states, insurers bear the burden of establishing the applicability of exclusions, which must be construed narrowly. Because cyber attackers often go to extreme lengths to conceal their identities and other fundamental details of the attack, insurers still may have an uphill battle satisfying their burden of demonstrating that a state-backed cyberattack exclusion applies.

If you have any questions about your company’s cyber insurance coverage, including proposed or existing exclusions, or the content of this article more generally, please contact one of the authors or a member of Reed Smith’s Insurance Recovery Group.