Insurance can act as a key tool in addressing pervasive cybersecurity vulnerabilities, but, according to one report, “Cyber insurance is not yet mature enough to fulfill its potential, partly due to uncertainty about what kinds of cyber risks are, or can be, insured.”
In October, the Carnegie Endowment for International Peace released a report titled “War, Terrorism, and Catastrophe in Cyber Insurance: Understanding and Reforming Exclusions,” which discussed how war and terrorism exclusions create challenges for cyber claims, such as the NotPetya lawsuits involving Merck and Mondelez, and in turn stand in the way of the growth of the cyber insurance marketplace.
This issue, reads the report, came to a head in 2017, when the Russian government conducted the NotPetya cyberattack, which infected hundreds of organizations across dozens of countries. One of the insurance coverage disputes that arose after this event involved war exclusions. Merck and Mondelez in particular sought to get claims for their NotPetya-related losses under their property and casualty policies, which were silent cyber coverage policies, and their insurers pushed back and invoked war and terrorism exclusions. The challenges involved in relying on these exclusions are manifold, says one expert.
“First of all, applying war and terrorism exclusions to cyber claims is very impractical because litigating these types of disputes involves cyber attribution, or determining who was behind an incident and what level of state involvement there was, and that’s a very dicey issue because it’s not always clear cut,” said Jon Bateman, fellow of cyber policy initiative, technology and international affairs for the Carnegie Endowment for International Peace, and author of the new report.
The second problem is that war exclusions are often very ambiguous. The phrase ‘hostile or warlike’ has never been applied to a cyber incident before, so it’s unclear whether it would be given a very broad or a very narrow interpretation, Bateman pointed out. The third issue is that war exclusions are not well aligned with cyber risk, in that they’re both over-inclusive and under-inclusive.
“They could potentially bar coverage for a lot of pretty insurable incidents, like your typical state-sponsored cyber breach, which happens every day and is not necessarily very catastrophic,” said Bateman. “But on the flip side, they actually don’t protect insurers from exposure to some pretty catastrophic scenarios that don’t involve states, whether it’s independent hackers, insiders, accidents, criminals, or natural disasters that have some kind of cyber consequences.”
To address these problems, Bateman has compared and contrasted the various proposed solutions, though he’s careful to note that because of the disparate views in the insurance industry on this issue, it’s difficult to gain consensus on the best way forward. His overarching recommendation, however, is to stop using war as a proxy for catastrophic risk and, instead, simply create a new exclusion for catastrophic risk.
“That would apply in war or in peace, that would apply whether we’re talking about a malicious or non-malicious event, like an accident or a natural disaster, and it would really be focused on basic principles of insurability as something just going beyond the capacity of the market to bear,” he explained, adding that once that’s in place, “You don’t need to get into these gnashing disputes about what’s war, what’s not war. You still may want to have some kind of war exclusion, but it would be a much narrower one, focused on some sort of unique problem.”
In the paper, Bateman has crafted a focused new war exclusion for cyber claims, which is narrowly targeted on the cyber aspects of kinetic war. What’s unique about his proposal is that it doesn’t require any attribution of who was behind the incident, or any characterization of the role that the incident is playing in some kind of conflict.
Notably, this report was released at a critical time for the insurance industry, as it battles business interruption lawsuits around the world. Bateman sees parallels between war exclusions in cyber policies and coverage for pandemic risk.
“They’re basically new forms of aggregated or correlated risk that can spread very quickly and globally due to the types of interconnections that we have today,” he told Insurance Business. “In the pandemic, it’s travel and globalization; in the cyber category, it’s IT and the internet. We’re living in a world where the amount of aggregation risk that could happen very unexpectedly is quite high and difficult to manage.”
In both of these cases, there are also issues of underinsurance and ambiguities in coverage. A pandemic insurance category built around business interruption doesn’t exist, which has created uncertainty about some of the exclusions being fought over today, a situation similar to the cyber problem.
Another parallel is the role of governments in each risk. For natural disasters and acts of terrorism, there’s a playbook where victims first invoke their insurance policies and if that’s not enough, they turn to their governments for emergency appropriations, disaster relief, terrorism compensation, and the like.
“For pandemics, that two-step broke down – insurance really wasn’t there and governments had no idea what to do, and they had to scramble to figure out ‘how are we going to compensate people or get money flowing into the economy?’ There was no established framework,” said Bateman. “That lack of a framework is what I’m trying to point out [in the report] – if there were to be a major cyber disaster of epic proportions, which I think everyone agrees is quite possible, we would today be in a similar situation where insurance is very limited and ambiguous, and governments simply don’t have a framework in place.”