The conflict in Ukraine has raised significant cybersecurity concerns for businesses in the United States and across the world, resulting in an increased focus on using cyberinsurance to mitigate any resulting losses. The conflict has also caused insurers to turn their attention to a rarely invoked exclusion in insurance policies: the war exclusion. Certain insurers have recently taken steps toward altering the language of such exclusions. As a result, evaluating the applicability of insurance coverage, including the specific language of any war exclusions contained in the policies, is an important first step for businesses as they seek to protect themselves from cyberthreats.
A New Jersey trial court’s recent decision in Merck & Co., Inc. et al. v. ACE American Insurance Co., et al. addressed the application of a type of war exclusion in an “all risk” policy. In 2017, Merck’s computer systems were infected by a malware, called “Notpetya,” affecting computers in countries around the world. The company alleged that the damage spread to 40,000 computers and caused estimated losses of more than $1.4 billion. The company’s “all risk” policies provided coverage for loss or damage resulting from destruction or corruption of computer data and software.
The insurers, however, denied coverage pursuant to the policies’ hostile or warlike action exclusion, contending that Notpetya was an instrument of the Russian Federation as part of its ongoing hostilities against Ukraine. In response, the company argued that significant facts showed that Notpetya was not an official state action but instead a form of ransomware, and that even if it were instigated by Russia to harm Ukraine, the hostile or warlike action exclusion would still not apply.
The court sided with the company, holding that the exclusion was inapplicable under the facts presented. The court noted that “no court has applied a war (or hostile acts) exclusion to anything remotely close to the facts herein.” The court explained:
[B]oth parties to this contract are aware that cyber attacks of various forms, sometimes from private sources and sometimes from nation-states have become more common. Despite this, Insurers did nothing to change the language of the exemption to reasonably put this insured on notice that it intended to exclude cyber attacks. Certainly they had the ability to do so. Having failed to change the policy language, Merck had every right to anticipate that the exclusion applied only to traditional forms of warfare.
The court concluded that the company’s “position that they did not anticipate that the exclusion would be applied to acts of cyber based attacks reasonably shows that the expectation of the insured was the exclusion applied only to traditional forms of warfare.”
In response to Notpetya, recent adverse decisions, and the growing risk of cyberthreats, certain insurers have taken steps to alter the language of their policies’ war exclusions. For example, Lloyd’s Market Association (LMA) recently released four cyberwar and cyberoperation exclusion clauses with respect to standalone cyberinsurance policies. According to LMA, such clauses are “purely illustrative” and have been drafted to provide Lloyd’s syndicates and their (re)insureds and brokers with “options.”
The LMA exclusion clauses provide that the insurance does not cover loss directly or indirectly occasioned by, happening through, or in consequence of, among other things, “war” or a “cyber operation” that is carried out in the course of “war.” “War” is defined therein as “the use of physical force by a state against another state or as part of a civil war, rebellion, revolution, insurrection,” and/or “military or usurped power or confiscation or nationalisation or requisition or destruction of or damage to property by or under the order of any government or public or local authority,” “whether war be declared or not.” “Cyber operation” is defined therein as “the use of a computer system by or on behalf of a state to disrupt, deny, degrade, manipulate or destroy information in a computer system of or in another state.” Moreover, the clauses provide that pending any government attribution, “the insurer may rely upon an inference which is objectively reasonable as to attribution of the cyber operation.”
Coverage will depend on the specific language of each policy, the facts of the claim, and applicable law. When procuring coverage, policyholders should be aware of the changing definitions of “war” and “cyber operations” in their cyberinsurance coverage.
Businesses must think proactively and critically when evaluating their insurance coverage programs. Given the complexities of cyberinsurance coverage, the growing risks of cyberthreats to businesses, and swiftly changing standard policy language with respect to war exclusions, it is important to put the right team in place.
Morgan Lewis can provide advice on risk management and loss prevention issues, as well as on understanding your current cyberrisk coverage and gaps and implementing proactive measures to minimize future cyberlosses. After a cyberincident, Morgan Lewis can assist with claim presentment, notices, loss assessments, information gathering, proofs of loss, claim negotiation, and, if necessary, coverage litigation to enforce policyholders’ insurance rights and maximize insurance recoveries.
Our lawyers have long been trusted advisers to clients navigating the complex and quickly changing global framework of international sanctions. Because companies must closely monitor evolving government guidance to understand what changes need to be made to their global operations to maintain business continuity, we offer this centralized portal to share our insights and analyses. To receive the latest updates, subscribe to our Ukraine Conflict: How to Maintain Global Business Continuity mailing list.
If you have any questions or would like more information on the issues discussed in this LawFlash, please contact any of the following Morgan Lewis lawyers:
Ukraine Task Force
Giovanna M. Cinelli
W. Brad Nes
Kenneth J. Nunnenkamp
Sergio F. Oehninger
Georgia M. Quenby
Carl A. Valenstein
Teri J. Diaz
Jiazhen (Ivon) Guo
Katelyn M. Hilferty
Daniel Lopez Rus
Charles C. Rush