In the latest Weekly Wright Report:
Ukraine/Russia: Cyber Policy Exclusions
A recent court decision from New Jersey raised an interesting question – what’s in your policy? Specifically, your cyber policy. In the New Jersey case, a major multinational pharmaceutical company was affected by a cyber attack on the Ukrainian government. The cyber attack was attributed to Russia and its ongoing hostilities against Ukraine. The company sought coverage under an all risks insurance policy for the damage caused to its computer system by the attack. The insurance company denied coverage under its “acts of war” exclusion. The court rejected the insurance company’s argument, finding that the cyber attack did not fit within the acts of war exclusionary language.
This raises the question of whether state-sponsored cyber attacks can fall under an acts of war exclusion. Not too long ago, it was contended that North Korea launched a cyber attack against Sony, causing a massive data breach and massive damages. The United States government imposed sanctions against North Korea because of the attack, but refused to call the attack an act of war. North Korea hilariously responded to the sanctions by calling the United States an “inveterate repugnancy.”
Cyber policies are relatively new in the insurance world and, as a result, no strong consensus has developed regarding a standardized policy form. This means that insurance companies will each have their own manuscript policies with widely varying language and exclusions. This in turn raises the need to exercise great care in working with your insurance agent to ensure that you are purchasing the proper cyber liability policy. The differences in provisions from one cyber policy to another can be significant. It is particularly critical to be aware of the limitations and exclusions in such policies.
With the rise of state-sponsored attacks and terrorist cyber attacks, the act of war exclusion is one of those provisions that should be reviewed, because it comes in both broad and narrow forms. For example, a policy’s exclusion may only preclude coverage for “declared” acts of war. So, in Sony’s case, because of the narrow exclusionary language in its policy, coverage existed because the United States did not classify North Korea’s alleged actions as an act of war.
Some policies have broader exclusions which might exclude coverage for a much larger category of foreign aggressions than just officially declared wars. For example, some cyber policies exclude losses arising out of “acts of foreign enemies, [or] hostilities (whether war be declared or not).” This broader provision sweeps a larger group of actions into the exclusion and, as a result, leads to a larger chance of denial of coverage. Therefore, in these trying cyber times, it is crucial for companies to evaluate their potential exposure to cyber terrorism when obtaining cyber coverage.
If you have any questions regarding insurance coverage issues, please contact an attorney in our insurance practice group.