Insurers will help define the threshold for cyberwar
In March 2024, British Prime Minister Rishi Sunak rejected a recommendation by the Joint Committee on the National Security Strategy to establish a backstop for cyber insurance. The proposal urged the government to “work with the insurance sector to establish a re-insurance scheme for major cyber-attacks, akin to Flood Re, to ensure the sustainability and accessibility of the market.”
Sunak asserted that having the government play this role would “damage competition” within the insurance sector. Yet by opting out of the discussion about what constitutes a “major” cyberattack and when the government should help cover some of the costs of such attacks, Sunak and other policymakers have largely left these decisions up to private insurance companies. This could lead to less overall cyber coverage, especially in response to state-backed cyberattacks, than policyholders might want or expect. It also allows the private sector to dictate which cyberattacks are state-backed – or on par with war – and should be covered under insurance contracts.
Reinsurance programmes?
Flood Re is a government-private sector reinsurance programme designed to help make flood insurance more affordable. It is based on the idea that certain types of risk are so widespread, unpredictable, expensive, and unavoidable that private sector insurers cannot manage and pay for them alone but instead need assistance from the government.
The notion that this principle might also apply to cyber risk – that governments might help pay for major cyberattacks by providing some sort of backstop or reinsurance support for insurance carriers – is not new. These types of proposals date back more than a decade, to early conversations about the challenges of insuring cyber risk. However, this topic has taken on greater urgency in recent years as the scale of cyberattacks continues to grow and, more importantly, as insurers have become more cautious about the language in their policies that defines which incidents they will or will not cover.
Insurance policies typically exclude coverage for certain unpredictable or expensive risks, such as war, because insurers don’t know how to model or anticipate these events. It is often unclear how standard war exclusions apply to cyberattacks.
Cyberattack coverage
Insurance carriers have been experimenting with new language governing exclusions to their cyber policies since the disputes following the NotPetya cyberattack of 2017 that caused upwards of US$10 billion in damage, according to some estimates. In February 2018, seven months after the NotPetya attacks, several governments publicly attributed the attacks to the Russian military. This, in turn, prompted a few high-profile denials of insurance claims related to the attacks.
Both the multinational food company Mondelez and the pharmaceutical company Merck had large claims denied on the grounds that NotPetya was a warlike or hostile action by a nation-state. These ‘war exclusions’ were part of the standard, boilerplate language in both companies’ property and casualty policies, which explicitly included coverage for business interruptions caused by malware like NotPetya. However, the insurers excluded coverage for the NotPetya malware because it had been developed and distributed by a government instead of individuals.
Both Mondelez and Merck sued their insurers for denying these claims. Although both suits were ultimately settled, the early rulings in the Merck case offered insurance carriers a strong motivation to change the exclusion language around cyberattacks to make clearer what they do and do not apply to. For instance, in a 2021 ruling in the Merck case, a New Jersey court stated:
…both parties to this contract are aware that cyber attacks of various forms, sometimes from private sources and sometimes from nation-states have become more common. Despite this, Insurers did nothing to change the language of the exemption to reasonably put this insured on notice that it intended to exclude cyber attacks. Certainly they had the ability to do so. Having failed to change the policy language, Merck had every right to anticipate that the exclusion applied only to traditional forms of warfare.
This ruling, later upheld on appeal, was a clear call to insurers to change the language in their war exclusions to specify which cyberattacks they cover.
Many insurers moved quickly to do so. For instance, in August 2022, Lloyd’s issued guidance to all its underwriters that “when writing cyber-attack risks, underwriters need to take account of the possibility that state backed attacks may occur outside of a war involving physical force”, as was the case with NotPetya. The guidance further requires underwriters to exclude losses that result not just from cyberwar but also from “state backed cyber-attacks that (a) significantly impair the ability of a state to function or (b) that significantly impair the security capabilities of a state.”
Insurance firms set the threshold for cyberwar
These new exclusions, and other variations developed by different insurers, have only recently gone into effect. It remains to be seen how contentious they will be, or which types of cybersecurity incidents insurers will try to apply them to. However, it’s evident that insurance companies are selectively excluding certain categories of cyberattacks from their coverage, leaving behind government stakeholders and policymakers who may have wanted to participate in those deliberations. As such, insurance carriers are establishing the de facto standards about what constitutes cyberwar and defining what is considered a major or state-backed cyberattacks.
Sunak’s decision to leave those issues to the insurers could promote more competition among the carriers operating in the cyber insurance market, as he proposes. However, it may also lead to tremendous confusion and disagreement about which types of cyberattacks insurers are willing to cover and who has the final authority to determine whether a nation-state or someone else is responsible for any given cybersecurity incident.
The more that policymakers like Sunak opt out of participating in a reinsurance programme or backstop for cyber risk, the less likely they are to be involved in those decisions. Perhaps that’s a deliberate choice on their part – to step back and let insurers take charge of determining who pays for cyberattacks, who gets to attribute them to nation-states, and which ones are so major and so out of the ordinary that they require different insurance structures. But it’s also, potentially, a missed opportunity for governments to play a more active role in making some of those determinations by expressing early on what exactly they are willing to help pay for, and what they believe the role of the private insurance sector ought to be.