Technology, Insurance
Jun. 16, 2025
Will insurance coverage be kicked to the curb for state-sponsored cyberattacks?
As state-sponsored cyberattacks grow more disruptive, insurers are expanding the War Exclusion to deny coverage even in peacetime - threatening to leave U.S. businesses exposed to financial losses that were previously handled through cyber insurance.

Richard DeNatale
Richard DeNatale is recognized as one of the nation's leading authorities in cyber insurance. He has represented over 125 companies in obtaining coverage for data breaches and cyberattacks, including some of the largest in history. DeNatale is semi-retired after a career of almost 40 years in Big Law, most recently as a partner at Jones Day.

It has been estimated that agents of foreign governments are
responsible for approximately one-third of all cyberattacks. Due to the
significant resources at their disposal, state-sponsored actors pose a
particularly significant threat. They can penetrate the most sophisticated
defenses and cause substantial damage to targeted companies.
For the past 25 years, cyber insurance policies have covered
state-sponsored cyberattacks to the same extent as attacks by private threat
actors. But this protection is being eroded as insurers attempt to rewrite the War
Exclusion to apply to peacetime cyberattacks that have a major
detrimental impact. If the revised War Exclusion is accepted by the market, it will
create a significant gap in cyber insurance coverage.
The revised War Exclusion
The War Exclusion has been a standard feature of insurance
policies for more than 100 years. In its traditional form, the exclusion bars
coverage for losses arising from "war, invasion, acts of foreign enemies,
hostilities or warlike operations (whether war is declared or not), military
power, civil war, rebellion, revolution or insurrection."
While the provision contains some vague terms with potentially
broad meanings - such as "hostilities" and "acts of foreign enemies" - under
established principles of policy interpretation, exclusions must be construed
narrowly, with any ambiguity resolved in favor of coverage. Consistent with
these principles, courts have held that the War Exclusion applies to acts akin
to war - i.e., use of military force by nation states or quasi-state entities.
No court has ever applied the War Exclusion to a cyberattack.
The terms of coverage would be altered by the revised War Exclusion.
Its origin can be traced to a 2022 bulletin issued by Lloyd's underwriters recommending
that the scope of the War Exclusion be expanded in two ways. The first
expansion would bar coverage for cyberattacks conducted as part of an actual
war. This change aligns with the purpose of the War Exclusion and should not be
objectionable to policyholders.
The second expansion would bar coverage for state-backed attacks
that significantly impair the national security of another nation or the
ability of that nation to function. This change would apply to a truly
devastating attack that is the functional equivalent of war. Notably, the 2022
Lloyd's guidance left coverage in place for all but the most extreme state-backed
cyberattacks.
Who should bear the cost?
But as insurers have rewritten their policies to conform with the
guidance from Lloyd's, they have expanded the War Exclusion even farther. Many
policies now exclude coverage for peacetime cyberattacks backed by a
foreign government that have a "major detrimental impact" on "essential
services" in another country. The definition of "essential services" varies
from policy to policy, but typically includes financial markets and institutions,
healthcare services, and utility, food, energy and transportation services. These
are broad terms without fixed meanings, and it is easy to imagine an insurer
denying coverage for an incident that causes regional disruption to an energy
grid or transportation hub or other public infrastructure.
What is most problematic about the revised War Exclusions is that
they would eliminate coverage for peacetime incidents unrelated to any war. The
purpose of these exclusions is to protect insurers from the financial burden of
an incident with widespread impact that leads to claims from multiple
policyholders. Maintaining the solvency of insurance companies is an important goal,
but insurers can accomplish it in other ways - for example, by charging
premiums commensurate with risk and avoiding an over-concentration of
policyholders in the same location or market niche.
From a public policy perspective, it does not make sense to have
US businesses, as opposed to their insurers, bear the cost of state-sponsored
cyberattacks that cause widespread harm. The resulting losses could cripple
individual businesses, whereas insurers are able to spread the loss among all
their policyholders - which is the very purpose of insurance.
Options for policyholders
How should policyholders respond to insurer attempts to modify
the terms of the War Exclusion? We offer three suggestions.
First, companies can shop for coverage from a different insurer.
There are still some insurers whose cyber policies maintain the traditional
version of the War Exclusion, which does not apply to cyberattacks.
Second, companies can negotiate with their insurers over the
terms of the modified War Exclusion. In particular, insurers
should be willing to conform the exclusion to the original Lloyd's guidance,
which would exclude only the most extreme cyberattacks that have truly
devastating effects.
Third, this is an issue on which policyholders and insurers can
work together to seek support from the US government. If a foreign country sent
covert agents to raid US corporate headquarters - disabling computer networks,
making ransom demands, and stealing sensitive data - it would be viewed as a national
crisis that our government would be forced to address. Yet foreign countries are
constantly conducting equivalent raids via cyberspace. Our government is unable
to prevent these attacks but could provide financial support to preserve the
availability of insurance for the victims.
Some commentators have proposed that the US government establish
a reinsurance program to reimburse insurers for claim payments (above a certain
dollar threshold) for state-backed cyberattacks causing widespread harm. Congress
enacted a similar program for losses caused by acts of terrorism following the
attacks of Sept. 11, 2001. It is certainly in the national interest to ensure
that US companies have the financial resources to recover from cyberattacks by
foreign governments.