With little precedent, cyber war exclusion litigation likely inevitable
Advisen
With little precedent, cyber war exclusion litigation likely inevitable
By Erin Ayers, Advisen
Litigation over cyber war exclusions will inevitably occur, given the lack of established case law and the potential economic losses at stake for companies all over the world as the Russia-Ukraine conflict deepens.
“There’s just no definitive law on the subject,” said Vincent Vitkowsky, partner with Gfeller Laurie LLP. “The burden of proof on exclusions varies from state to state and it’s a very high burden often.”
Only one pertinent court decision has been issued to date. In Merck & Co., Inc., et al. v. ACE Amer. Ins. Co., et al, a New Jersey superior court found pharma giant Merck could recoup losses suffered during the 2017 NotPetya cyberattack under its property policies. The Jan. 13 decision is “early days” and on appeal, Vitkowsky noted.
Applying a cyber war exclusion means evaluating three factors – what were the effects of the event; who perpetrated the attack; and who the victims were, he told Advisen.
Even within that three-point test, though, questions will still arise. Hackers acting in support, but not necessarily on behalf, of a nation-state can wreak havoc. For example, one of the volunteer hackers backing Ukraine could launch destructive or disruptive malware into the wild, affecting thousands of companies.
“I do think there’s been too much emphasis on the ‘act of war’ – that’s not really the trigger. The trigger is, ‘what’s the effect and who’s the actor?’” said Vitkowsky. The attorney has written extensively on the topic, including a Jan. 10 article for Front Page News on cyber war exclusions drafted by the Lloyd’s Market Association (LMA).
The LMA exclusion mark the latest step in a long-term effort by the global insurance industry to set clear boundaries on cyber warfare-related losses. The four wordings issued in November 2021 were the culmination of a two-year project for the LMA.
“I think they’re a work in progress. The perfect ones don’t exist. The LMA ones are pretty good, but it’s not clear they’ll be accepted in the marketplace because they give a lot of benefit of doubt for the insurer,” said Vitkowsky. Attribution of attacks will always be a sticking point, he noted, and the LMA wordings make note of insurers determining attribution on an “objectively reasonable” basis.
In a recent interview with the Wall Street Journal, Tom Burt, Microsoft’s vice president of customer security and trust, described the level cyberattacks the tech giant has seen since Russia invaded Ukraine as “full-on, full-scale cyberwar.” While the onslaught of cyber “trench warfare” hasn’t been particularly sophisticated or damaging to date, they have been “tactically significant,” said experts.
For Western governments, the message to organizations has been urgent and frequently reiterated: take all necessary steps to prevent the knock-on effects of cyber warfare. For insurers and brokers, discussion of cyber war exclusions has reached new heights even though the fears of widespread losses has not come to pass.
“The mass of claims has not come in. I’m not sure they’re going to,” said Vitkowsky. The goal for the standalone cyber market has been to reduce cyber risk aggregation across books of business, whet
“An underwriter doesn’t want to find out they’ve insured every computer in Manhattan in the midst of a cyberattack,’” he said.
