Last week, I was asked about the heightened threats of cyber attacks because of the invasion of Ukraine by Russia. Specifically, the concern was whether the war exclusion typically found in almost all policies might apply to a cyber attack directed or sanctioned by, for example, the Russian government. The difficulty in answering this question is that there is no recognized industry standard language for cyber policies. As a result, this article must address the issues in a general way, but hopefully the analysis will be of value when reviewing specific exclusions.
Traditional Property Insurance
ISO’s Commercial Property Causes of Loss forms include a “war” exclusion, but often overlooked is an additional exclusion for “governmental action”:
War And Military Action
(1) War, including undeclared or civil war;
(2) Warlike action by a military force, including action in hindering or defending against an actual or expected attack, by any government, sovereign or other authority using military personnel or other agents; or
(3) Insurrection, rebellion, revolution, usurped power, or action taken by governmental authority in hindering or defending against any of these.
Seizure or destruction of property by order of governmental authority.
But we will pay for loss or damage caused by or resulting from acts of destruction ordered by governmental authority and taken at the time of a fire to prevent its spread, if the fire would be covered under this Coverage Part.
In the case of the “War And Military Action” exclusion, item (3) is unlikely to be triggered because it refers specifically to civil, or intra-governmental, unrest and actions, not loss arising from outside governmental forces. Even though “war” is not defined in this exclusion, item (1) is unlikely to be triggered because common dictionary definitions and much case law consider “war” to consist of “armed conflict between nations or governments.” Arguably, “armed” refers to actual traditional weapons and not programmers and bots.
Item (2) is potentially problematic because it doesn’t necessarily require demonstrable government involvement, just action by “other authority.” That being said, there is a requirement that military personnel be involved and the burden of proof would be on an insurer to successfully assert such involvement. But, again, the action must be “warlike,” which returns us to the consensus that this refers to “armed conflict,” presumably with weaponry beyond bots, viruses, and worms.
Webster defines “military” to include “of or relating to armed forces.” It then defines “armed forces” as “the combined military, naval, and air forces of a nation.” This is rather a circular definition, but it implies that “military” is most often synonymous with the armed forces of a government, something again the insurer must be able to reasonably demonstrate.
The “Governmental Action” exclusion is a better candidate for application than the “war” exclusion. Under this exclusion, property damage need only occur “by order of” a governmental authority. This exclusion has traditionally been applied to situations like a condemnation order for a building or the seizure of property under RICO statutes. But that doesn’t mean that this exclusion couldn’t be applied by a court in a broader sense than perhaps originally intended.
However, the biggest obstacle to the application of these exclusions is that the insuring agreement must first be triggered. Under most ISO or similar property forms, that requires that there be “direct physical” loss or damage. As we’ve seen by a significant preponderance of judicial decisions involving COVID shutdowns, the courts generally do not view loss of use to constitute “direct physical” damage. Even under business income forms which expressly cover loss of use, there must first be “direct physical” damage to property. While physical damage to tangible property can occur from a cyber attack (e.g., alleged damage to Iranian uranium enrichment centrifuges), most cyber attacks involve electronic information and/or loss of access or use of equipment.
This brings us to the specific issue of potential coverage, or lack thereof, under cyber policies which are designed to cover loss or damage that does not involve direct physical damage to tangible property.
ISO has a line of cyber coverage forms. Interestingly, these forms include both “war” and “governmental action” exclusions virtually identical to those found in ISO’s property forms. So, the same arguments presented earlier in this article could apply to cyber attacks under these forms.
Non-ISO cyber forms may include an exclusion like this:
Confiscation, nationalization, requisition, strikes, labor strikes or similar labor actions, war, invasion, or warlike operations, civil war, mutiny, rebellion, insurrection, civil commotion, assuming the proportions of or amounting to an uprising, military coup or usurped power.
Another cyber form excludes events based upon or arising from:
…war, invasion, acts of foreign enemies, hostilities (whether war is declared or not), civil war, rebellion, revolution, insurrection, military or usurped power, confiscation, nationalization, requisition, or destruction of, or damage to, property by or under the order of any government, public or local authority, provided that this exclusion will not apply to any “act of terrorism” as defined in the Terrorism Risk Insurance Act, as amended.
It is easier to argue that the first non-ISO “war” exclusion cited above may not apply to a cyber attack by a government than the second non-ISO “war” exclusion cited above which refers to “order of any government.” In addition, note that the second example above makes a specific exception for TRIA-type events. Such exceptions may appear under such “war” exclusions or elsewhere in these types of policies, or they may be added by endorsement.
In the case of cyber insurance, there are no accepted industry standard forms or policy language. Coverage truly is “caveat emptor” based. Cyber attacks by a government are likely excluded by many, if not most, of these policies, with the primary exception being potential coverage under TRIA events. Again, that being said, keep in mind that the burden of proof when applying exclusionary language rests with the insurer.
It’s recommended that agents specifically direct questions like this to the carrier’s claims department, not underwriting. Admittedly, the response may be something along the lines of “It depends” or “We don’t respond to ‘hypothetical’ questions,” but the agent, by asking, has likely exercised due diligence in seeking a coverage opinion.
Agents, have you asked your cyber carriers about this issue? If so, what responses did you get? Feel free to respond in the Comments section below.