Two recent lawsuits have thrust the once sleepy topic of war risk exclusions into the forefront of insurance coverage issues. The policyholders in those cases had suffered ransomware attacks involving a high-profile piece of malware. The insurance companies in each case invoked exclusionary language that is decades old and has remained largely unchanged despite the evolving risks. Like the property policies at issue in those cases, cyber insurance policies also contain war risk exclusions. And the war risk exclusions in cyber policies tend to contain the same basic exclusions as those in property insurance policies.
Common Components of War Risk Exclusions
The war risk exclusion in typical property and cyber insurance policies is, or is derived from, the wording used in historic real property insurance policies. The language was drafted with traditional property risks in mind and with conventional warfare being the primary focus of the exclusion. For example, the Insurance Coverage Litigation Committee (ICLC) has stated that the typical war exclusion in use most commonly today derives from a fire insurance policy dating back to the 1940s:
This company shall not be liable for loss by fire or other perils insured against in this policy caused, directly or indirectly, by: (a) enemy attack by armed forces, including action taken by military, naval, or air forces in resisting an actual or an immediately impending enemy attack; (b) invasion; (c) insurrection; (d) rebellion; (e) revolution; (f) civil war; (g) usurped power.
According to the article, that clause was expanded to include the longer list of items typically listed in property and crime policies today. One example states that insurance coverage is excluded for loss from:
- War, including undeclared or civil war;
- Warlike action by a military force, including action in hindering or defending against an actual or expected attack, by any government, sovereign or other authority using military personnel or other agents; or
- Insurrection, rebellion, revolution, usurped power or action taken by governmental authority in hindering or defending against any of these.
The wording of the exclusions expressly contemplates government action using conventional methods of warfare, including with armed forces. Cyber policies, of course, are intended to provide insurance coverage for a different set of risks and for property that is sometimes excluded under property policies and crime policies. It is not surprising that the war risk exclusion has not effectively worked for insurance companies that cited it in cyber loss cases.
Mondelez and Merck Lawsuits
Two recent cyber loss scenarios ended up being litigated after the insurance company in each case denied coverage based on a war exclusion. In one case, Mondelez Int’l, Inc. v. Zurich Am. Ins. Co., 2018 WL 4941760 (Ill. Cir. Ct. filed in 2018), Zurich denied coverage when Merck sought coverage for its losses from the NotPetya ransomware attack. Food and beverage giant Mondelez suffered an array of losses, including to computer hardware. Merck sought coverage under its property policy for such losses and Zurich denied, claiming the NotPetya attack was a state-sponsored attack linked to Russia. Zurich cited the war risk exclusion in support of its denial.
The key wording relied upon by Zurich in denying coverage was:
2) a) hostile or warlike action in time of peace or war, including action in hindering, combating or defending against an actual, impending or expected attack by any:
(i) government or sovereign power (de jure or de facto);
(ii) military, naval, or air force; or
(iii) agent or authority of any party specified in i or ii above.
The wording again is focused on government and military action.
Mondelez settled in 2022. Remarkably, the settlement came after trial and closing arguments. The parties did almost everything other than let the jury render a verdict. Experts and numerous other witnesses testified about the details of the NotPetya attack. Opinions have been offered as to the motivations of the parties to settle at that point in the case. One takeaway is that the exclusionary language at issue did not clearly apply to the facts, leaving the parties uneasy about a verdict.
The other high-profile case that involved an insurance company’s reliance on the war risk exclusion to deny coverage for a NotPetya ransomware attack was Merck & Co. v. Ace Am. Ins. Co., Case No. UNN-L-2682-18 (N.J. Sup. Ct. Union Cty. filed in 2018). Merck involved similar wording and the same, or effectively the same, ransomware as Mondelez. Merck had suffered losses that included needing to replace approximately 40,000 computers in 64 different countries. It involved a common property insurance policy for commercial property that included a war risk exclusion. The exclusion used generally the same wording, stating that coverage for loss from the following was excluded:
A. 1) Loss or damage caused by hostile or warlike action in time of peace or war, including action in hindering, combating, or defending against an actual, impending, or expected attack:
a) by any government or sovereign power (de jure or de facto) or by any authority maintaining or using military, naval or air forces;
b) or by military, naval, or air forces;
c) or by an agent of such government, power, authority or forces;
Based on the language and the facts of the NotPetya attack, the trial court held that “Merck had every right to anticipate that the exclusion applied only to traditional forms of warfare.” Several commentators have focused on the various facts surrounding whether the NotPetya attack was established to be malware released by the Russian government. The malware allegedly was released on the eve of Ukraine’s Constitution Day in 2017. While these observations highlight that Russia was the source of the malware, they do not show that it was part of a war. They also do not address the question of how the actions of Russia were an attack on U.S. corporations or their property. If anything, the observations suggest that malware possibly intended for Ukraine was released and irresponsibly permitted to reach U.S. corporations.
Merck appealed the decision. In May 2023, the New Jersey appellate court ruled that:
The exclusion of damages caused by hostile or warlike action by a government or sovereign power in times of war or peace requires the involvement of military action. The exclusion does not state the policy precluded coverage for damages arising out of a government action motivated by ill will.
Merck & Co. v. Ace Am. Ins. Co., No. A-1879-21, 2023 WL 3160845, at *7 (N.J. Super. Ct. App. Div. May 1, 2023).
Thus, the case law to date holds that the war risk exclusion commonly found in property policies, which is extremely similar to the exclusion commonly found in many cyber policies, excludes warlike action by a government or sovereign power. It does not exclude malware or ransomware attacks.
The rulings are good news for policyholders. Insurance companies can be expected to react, however. The reaction may include adding exclusions at renewal.
Lloyd’s Market Reaction
After the decisions, Lloyd’s Market Association (LMA), the organization that administers the Lloyd’s insurance marketplace in London, issued guidance in a Bulletin on Nov. 25, 2021. The Bulletin (Bulletin LMA21-042-PD) requires that Lloyd’s cyber policies contain cyber war risk exclusions for all policies issued after March 1, 2023. Lloyd’s essentially is requiring new exclusionary language in London market policies going forward in order to limit coverage beyond the war exclusions already in cyber policies.
LMA provided four model exclusions called “War, Cyber War and Cyber Operation Exclusion No. 1,” etc. LMA does not require that they be used. Comparable exclusions may be used. There are a few common points about each of the proposed exclusions.
Each of the exclusions turns on “attribution.” Attribution appears to mean that a particular ransomware attack can be attributed to a particular government. The exclusions contain differing levels of attribution and the response of a government in the nation that appears to be the target of a given cyber attack can play a leading, if not determinative, role under the exclusionary wording.
For example, under one version of the exclusions, the cyber event causing the policyholder’s loss must be attributed to a state-sponsored actor in order for the exclusion to apply. The primary factor suggested in determining whether the cyber attack was undertaken and executed by a state-sponsored actor is whether the state in which the attack was suffered attributes the attack to another state, government or state-sponsored actor. It is not clear what level of government must issue what type of statement of position that blames another government or specific state-sponsored actor. Because the requirement is in an exclusion, it will be the insurance company’s burden to prove the facts establishing “attribution,” as well as the various other components in the exclusions.
Some of the language in the proposed exclusions would permit other factors to be considered. The extent to which other factors will be important remains unclear. Certain requirements in the exclusions focus on whether a state or government was at war and whether it suffered detrimental impact from the cyber attack.
As Lloyd’s has only required these exclusions since March, it is a relatively new problem. Most policyholders will have only had to deal with the issues at renewal. Losses will inevitably come from future cyber attacks and coverage will be sought under policies containing these or similar exclusions. While there may be some scenarios in which they apply, it may turn out to be a relatively limited set of situations that are truly excluded from coverage.
Domestic Insurance Companies May React
No market-wide edict has been issued requiring the addition of exclusionary language in policies sold to policyholders in the U.S. However, there could be reaction from U.S. insurance companies that also want to add exclusionary language into cyber policies, and possibly property and crime policies.
For cyber policies in particular, the addition of language, or revision of the existing war exclusions, could present the insurance companies with significant challenges. While war risk exclusions have been in policies for years, cyber policies are relatively new in comparison to the history of property and crime policies. Perhaps more importantly, cyber policies are not form-based. There is no industry standard form from which most policies are derived (as there is here with general liability and many other forms of coverage). Even if forms have been offered, they are not widely adopted by insurance companies.
Instead, most insurance companies offering cyber policies have developed their own wording. The cyber policies across the market contain many of the same parts or types of coverage (e.g., incident response, business interruption or security breach liability), but the precise wording of those types of coverage within a given policy can vary significantly.
Adding or revising exclusionary language will not be one-size-fits-all. Each insurance company may need to develop different exclusionary language that functions differently within different policy wording. Additionally, whether the policy is a dedicated cyber policy as opposed to an E&O Tech (errors and omissions technology risk) policy will lead to distinctions in wording. The many variables can add up and mean that having industry-wide exclusionary language is not workable. But that may leave all parties, and courts, with uncertainty in applying any given insurance company’s newly drafted exclusionary language to the next generation of cyber attacks. Almost all cyber attacks cross borders, often by design, but are not acts of war or state sponsored.
Policyholders should be prepared to push back at renewal. They also should be prepared to press for the coverage they purchase in the event of a cyber attack. Insurance companies may want to exclude losses or portions of claims for coverage, and ultimately may not be justified in doing so.