The steady stream of cyberattacks targeting U.S. companies compels the private sector to develop enterprise-wide prevention, mitigation, and response strategies. Companies now implement multilayered strategies to stop as many cyberattacks as possible from penetrating their outer defenses. When those efforts fail, they rely on plans to minimize and recover from losses. As an embedded part of that strategy, many industries use cyber insurance to minimize financial losses.
However, the onslaught of attacks emanate from more than the criminal underground. U.S. government officials and security analysts have implicated North Korea, Iran, Russia and China in advanced, persistent cyber campaigns targeting critical infrastructure and government networks. With the rising frequency of state-sponsored attacks, many companies have questioned whether their policies can respond to these events. Will cyber insurance pay off, or will carriers exclude claims under the War Exclusion?
Unfortunately, there is no bright-line rule to define war, no less war in cyberspace. However, a careful review of the language used and past history indicates that the War Exclusion language in cyber insurance policies may not be the exception that swallows the rule, as some have feared.
State-sponsored attacks pose a near impossible problem for the private sector, as they face a foe with essentially unlimited resources and little concern about being punished for the actions. Not every hostile act is captured by a typical War Exclusion. Instead, the exclusion derives from a history of armed conflict that provides guidance on its parameters.
A typical War Exclusion in an insurance policy serves to preclude the recovery of loss or damages:
directly or indirectly occasioned by, happening through or in consequence of war, invasion, acts of foreign enemies, hostilities (whether war be declared or not), civil war, rebellion, revolution, insurrection, military or usurped power or confiscation or nationalization or requisition or destruction of or damage to property by or under the order of any government or public or local authority.
Why Policies Include the Exclusion
The War Exclusion commonly appears on insurance policies to protect carriers from bankruptcy that would result from nationwide losses arising out of acts of war, which could occur over a broad geography and for several years. Ambiguity comes from attempts to apply the same exclusionary language that once addressed for merchant marine vessels sunk by enemy fleets. Invoking the War Exclusion begs the fundamental question: What is cyberwar, and how do we know if it is occurring?
Traditionally speaking, acts of war and warlike hostilities serve a military purpose and invite a military response. Such acts entail direct threats to life or destruction of property. Cyber threats, however, can have grave consequences without the tangible outcomes. For example, disrupting financial institutions or the power grid could endanger national and economic security and potentially invite a military response. However, thus far most cyber exploits – even those sponsored by foreign nations – have not resulted in an acknowledged military response and so arguably are not acts of war or hostilities. The theft of U.S. trade secrets or intellectual property is problematic, but espionage has a long history among friends and foes without being considered war. Stealing customer data or publishing private emails falls even shorter, as that tends to be driven mostly be financial motives.
Who is an enemy?
For there to be an act of war or warlike hostilities, a sovereign nation (or quasi-sovereign nation with similar qualities) must either engage in the hostilities or endorse the specific act committed by non-governmental groups or individuals. General support from a state, like financial assistance or training, will not create a proxy with a non-government actor. However, demonstrating that relationship is more difficult for cyber events where attribution is often not clear. Even when all evidence points to a nation state, the accused usually responds with protests of denial.
Designating a hacker as a foreign enemy raises other issues. In traditional warfare, a nation could detain an enemy for the duration of hostilities. What circumstances could justify holding a hacker without a trial for the duration of cyber campaigns? Given murky parameters and grave ramifications of charging a foreign nation with an act of cyber warfare, carriers may have a difficult time convincing a court of a nation state’s culpability without a prior finding by the U.S. government.
Cyber crime is not going to become any less complex in the near future, nor is its pace going to slow. The involvement of foreign nation states makes combatting cybercrime even more difficult, as it delves into uncharted territory and complicates the issues.
While that lack of clarity creates concerns over the War Exclusion, insureds should appreciate that an instance of cyber warfare would be an extreme event. Any triggering of the War Exclusion for a cyber event should rely on high-level government determinations and not individual opinions. Using these guidelines, insureds should continue to view cyber insurance as an important component for responding to most cyber threats, even those carried out by nation states. In turn, carriers should support their clientele by recognizing that application of the War Exclusion should be reserved for rare moments in history.
Matthew McCabe is Senior Vice President for Network Security and Data Privacy at Marsh FINPRO. Brian and Matt are also senior fellows at the George Washington University Center for Cyber and Homeland Security.