In the wake of recent tensions between the United States and Iran following the death of Qassem Soleimani, cybersecurity experts have suggested that Iranian cyber actions could reach the United States.1 Although the two countries appear to be on a path of de-escalation, it is important for businesses to plan, prepare, and evaluate their insurance coverage for potential related cyber losses.
On January 4, 2020, a group calling itself “Iran Cyber Security Group Hackers” defaced the website of the Federal Depository Library Program and posted a message and photograph of President Trump getting punched in the face by a fist representing Iran.2 The group, in addition to posting their message, stated that “[t]his is only a small part of Iran’s cyber ability!”3
Also on January 4, 2020, the Department of Homeland Security issued a bulletin that warned of Iran’s capability to conduct “cyber enabled attacks against a wide range of U.S.based targets.” DHS noted that:
Iran maintains a robust cyber program and can execute cyber attacks against the United States. Iran is capable, at a minimum, of carrying out attacks with temporary disruptive effects against critical infrastructure in the United States.4
The same day, the New York Department of Financial Services issued an alert to regulated entities regarding a heightened risk from “hackers affiliated with the Iranian Government.”5
In times such as these, it is imperative to consider whether your business has appropriate coverage for such risks. An issue prompted by the recent tensions is how a cyber incident related to U.S.-Iran tensions might be treated in relation to the so-called “war” exclusion.6
In a recent decision, the United States Court of Appeals for the Ninth Circuit addressed whether a war exclusion applied to claimed losses relating to the relocation of a film production after Hamas fired rockets from Gaza into Israel. The insurer denied coverage based on the policy’s exclusions for “war” and “warlike action by a military force.”
The Ninth Circuit disagreed, holding that “war” “refers to and includes only hostilities carried on by entities that constitute governments at least de facto in character.”7 Essentially, the Court found that while Hamas may have controlled Gaza, it did not “exercise actual control over all of Palestine,” and, as such, its actions did not constitute hostilities between de jure or de facto nations.8 Depending on the policy language and facts, attribution may be another key element in evaluating insurance coverage in this context.
These issues may become more contentious as the fog of cyber actions thickens. In order to adequately protect against and mitigate the risk posed by cyber activity, it is important for companies to have comprehensive coverage for cyber events and related losses. Risk managers, brokers, in-house counsel, and other corporate stakeholders and decisionmakers purchasing insurance coverage for commercial policyholders will therefore want to carefully review any potentially exclusionary language to understand the scope of such exclusions and how they might apply to cyber liabilities and losses which could arise in relation to the current tensions.