Cyber attacks are now a routine part of the corporate landscape. Businesses regularly defend against or succumb to cyber infiltrations and data exfiltrations that can result in hundreds of millions of dollars of loss. The losses obviously are not confined to property and information — the businesses involved also must endure business interruption and loss of income, the expense of investigation and correction, potential defense of litigation, along with the inevitable waste of addressing non-productive activities.
Somewhat more recently, there has been a growing incidence of actual or suspected cyber attacks sponsored by foreign states or groups with ideological, religious, or political objectives. Most recently, hacking attacks are alleged to have been carried out by the government of North Korea. In addition, the Chinese People’s Liberation Army Unit 61398 (PLA 61398), a specialized Chinese Army unit alleged to be devoted to widespread cyber attacks and breaches, is an alleged source of similar attacks. Likewise, the Russian government allegedly has carried out disruptive cyber operations. This May, a federal grand jury returned a 31-count indictment against 5 believed PLA 61398 operatives for criminal offenses including “intentionally accessing and obtaining information from a protected computer,” “intentional damage to a protected computer,” and “aggravated identity theft.”
Of course, cyber insurance has developed to help provide protection against the financial consequences of cyber events, and many such events are clearly covered. What is much less clear under many policy wordings is the extent to which cyberwarfare, cyberterrorism and cybervandalism are covered.
War and terrorism are classic candidates for exclusion from insurance coverage in general (i.e., not only cyber insurance). Essentially, this is because war and terrorism result in highly correlated losses, which threaten to eliminate the “pooling” advantage of insurance. If nearly everyone in the risk pool suffers a loss, such as might occur in the event of war, then insurance will not effectively dissipate the risk. Instead, insurers are likely to be inundated with losses, which virtually guarantees that coverage in the future will be curtailed or eliminated completely. In some lines of insurance, write-backs of coverage for war or terrorism are available, or coverage might be available on a government-sponsored basis.
The key to determining your coverage is, of course, your policy language. War and terrorism, and particularly cyberwar and cyberterrorism, are what the policy says they are.
A prominent definition of “War” (appearing both inside and outside the cyber context) is:
“War, invasion, act of foreign enemy, hostilities or warlike operations (whether declared or not), civil war, mutiny, civil commotion assuming the proportions of or amounting to a popular rising, military rising, insurrection, rebellion, revolution, military or usurped power, or any action taken to hinder or defend against these actions.”
This arguably is a rather broad definition, but it is highly questionable whether it would apply, for example, to alleged state-sponsored covert actions. Cyber attacks are not conventional “warlike” acts, and are not likely to implicate the particularly widespread loss across the entire risk pool that a correlated loss exclusion is intended to prevent. Particularly if a policy contains a broad write-back to provide for cyberterrorism coverage, a war exclusion almost certainly would not apply to such a situation.
A prominent cyber insurance form defines “Cyberterrorism” as:
“The premeditated use of disruptive activities against any computer system or network, or the explicit threat to use such activities, with the intention to cause harm, further social, ideological, religious, political or similar objectives, or to intimidate any person(s) in furtherance of such objectives.”
Depending on the coverage provided, this definition either describes the boundaries of an exclusion (when cyberterrorism is excluded), or alternatively describes the scope of coverage when cyberterrorism coverage is written back (when the war exclusion is specifically limited so as not to include cyberterrorism).
It is important to note several things about this definition of cyberterrorism and others like it:
- It suggests the need to establish some evidence of “premeditated” activities and “specific intent” to cause harm or further other goals. Nevertheless, in most cases of cyberterrorism (if disputed at all), this is likely to be relatively easy to prove. For example, one could establish advanced, persistent threats through circumstantial evidence if not direct proof.
- It can be contended that the definition does not require a social, ideological, religious or political (or similar) objective – but that the definition is met simply by the intent “to cause harm.”
Obviously this is a two-edged sword. If cyberterrorism is excluded, then a broad and potentially open-ended definition is something that one would rather avoid. If cyberterrorism is covered, then such a definition is useful to the policyholder. Under either circumstance, however, it might be preferable to achieve clarity so that both the policyholder and the insurer have a better understanding of exactly what is covered before a loss occurs.
Depending on one’s policy wording, a circumstance that might require further study is Cybervandalism. Cybervandalism can be described as an attack that is not necessarily carried out for any particular ideological or other purpose, but is akin to spraying graffiti on a wall – hacking for the sake of hacking. The authors are not aware of policy forms that expressly account for cybervandalism as a distinct cause of loss, but ordinary rules of policy interpretation would require such a cause to be generally covered if within the scope of coverage and not very clearly excluded.
A somewhat new exclusion in the cyber context is the “Government Action” exclusion. One formulation excludes loss:
“Arising out of, based upon or attributable to any seizure, confiscation, nationalization, breach of security, use, misuse or destruction of a Computer System or Electronic Data by or on behalf of any governmental, military, enforcement or other public body or authority; whether or not any other cause or event contributed concurrently or in any sequence to any resulting loss, injury, damage, costs, expenses or other amounts.”
Policies should be scrutinized carefully to determine how they will respond in the event of a cyberwarfare, cyberterrorism, or cybervandalism event. The market for cyber insurance is in a state of constant change. A prudent course of action for a policyholder to take is to review existing and future proposed policy wordings with its advisors in order to position itself for maximum protection.