Search for insurance help

War & your Cyber Insurance: How your policy can change

The invasion of Ukraine by Russian forces has put most of the world’s nations on edge, fearing a host of potential impacts from rising prices to assured mutual destruction should nuclear weapons be deployed.
While the full impact of the conflict remains to be seen, world governments are presently warning of the increasing possibility of cyber-attacks from foreign assets. This is a non-military route of retaliation for sanctions placed on Russia by nations across the globe.
 
Are Policies Worded to Include Damages from Cyber-Attacks?
A significant concern among Australian businesses is not if the cyber-attacks will happen but if such attacks are excluded from cyber insurance policies. There is a legitimate concern regarding a lack of historical precedence and the consistently evolving technology producing new vulnerabilities. The fear is that significant gaps in the policy language may leave businesses to absorb at least some of the costs associated with cyber-attacks.
 
Coverage Determined by Policy Language and Circumstances Surrounding the Attack
Because of the unprecedented nature of these circumstances, predicting cyber insurance policy exclusions is challenging. While several factors are at work, one of the critical language concerns is whether or not a cyber-attack is an act of war or a criminal endeavour apart from international conflict.
The majority of insurance policies have clauses excluding payment for damages caused by acts of war.
To determine if a policy excludes the type of attacks that governments believe would come from Russia, exploring how ‘war exclusion’ is defined in insurance policies is necessary.
War Exclusions pertain to losses that come from:
  • War, including undeclared or civil war
  • Warlike action by a military force
  • Defence against an attack (or expected attack) by a government, sovereign or authority using military personnel or other agents
  • Rebellion, revolution, insurrection, or usurping of power
  • Actions that a government takes to defend against the attempted revolution, rebellion, or insurrection
According to this definition of acts of war, acts of cyber-terrorism would be covered by cyber insurance policies.
However, inclusions and exclusions to coverage depend on whether the actions taken against a business via computer are defined as cyberterrorism.
For insurance purposes, cyberterrorism includes disruptive activities used indirectly or directly against a computer system
  • By an individual or group of individuals with the intention to,
  • Cause harm
  • Intimidate persons
  • Further political, religious, ideological, or social causes
  • The explicit threat by an individual or group of individuals to carry out such activities with the intent to cause harm and disruption
  • By definition, acts of cyberterrorism are not aligned with any activities that support military operations, acts of war, or warlike operations

Management Liability insurance is designed to provide protection to both the business and its directors or officers for claims of wrongful acts in the management of the business.

A business insurance pack can provide cover for your business premises and contents, against loss, damage, theft or financial loss from an insured interruption to the business.

Purchase up to six products under one Business Insurance Package. 

  • By an individual or group of individuals with the intention to,
  • Cause harm
  • Intimidate persons
  • Further political, religious, ideological, or social causes
  • The explicit threat by an individual or group of individuals to carry out such activities with the intent to cause harm and disruption
  • By definition, acts of cyberterrorism are not aligned with any activities that support military operations, acts of war, or warlike operations
Interpreting the exclusions involves looking at the details surrounding the loss based on what the typical person would define as war. For example, a war would commonly be defined by the presence of uniformed military, heavy armaments, a battle plan or other attack strategy, and a concerted effort to organise activities against another group or nation.
The fact that this type of insurance issue has not played out in court increases the concern that attempts to sue insurance companies could fail. The facts surrounding a cyber-attack and how courts interpret them will be instrumental in determining whether the acts of war exclusion are valid and may become a situation judged on a case by case basis.
 
Case Study:
One of the cases with elements similar to the present situation played out in a United States court in late 2021. The case was filed by pharmaceutical company Merck in response to its property insurer invoking the acts of war exclusion on a claim stemming from a 2017 cyber-attack.
The attack was a part of hostilities by Russia against Ukraine and disrupted Merck significantly. The company’s losses were approximately 1.4 billion US dollars.
Merck won its suit against its insurer because the insurance company did not list cyber-attacks as part of the acts of war exclusions list. The court noted that Merck had the right to expect payment because the policy described exclusions based on traditional forms of war.
The case leaned on the idea that cyber-attacks made against third parties uninvolved in a military conflict should not trigger the acts of war exclusion because the victim did nothing to put itself in harm’s way.
It is worth noting that decisions handed down from United States courts may have little influence in Australian court cases.
During the present military conflict, fears are easily stoked. However, it is best to stay calm and focus on what can help your tech stay safe. Make sure your firewalls and security systems are running at peak efficiency. Train your employees regarding extra safety measures you may implement and avoid any unnecessary online risks.
If you have questions or concerns regarding your cyber insurance policy or other matters, please do not hesitate to contact Grace Insurance. Our team of professionals are here to answer your questions and make sure all facets of your business are well protected.
General Advice Warning: This advice is general and does not take into account your objectives, financial situation or needs. You should consider whether the advice is appropriate for you and your personal circumstances. Before you make any decision about whether to acquire a certain product, you should obtain and read the relevant product disclosure statement.

All information above has been provided by the author.


Frans du Plessis, Grace Insurance, ABN 63 133 156 742, AFSL 233750

This article originally appeared on Grace Insurance Blog and has been published here with permission.

Comments (0)

Related insurance brokers

Review rating
168 reviews

Featured Featured

Daniel Ufer

Priority Insurance Brokers

  • Typically replies within
    a few minutes
  • Review rating
    26 reviews

    Featured Featured

    Tony Venning

    Crucial Insurance and Risk Advisors

  • Typically replies within
    a few hours
  • Review rating
    27 reviews

    Featured Featured

    Abbie Wilson

    National Insurance Brokers

  • Typically replies within
    a few hours