Skip to content
Y M L P-201

Y M L P-201

Business Will Do Anything

Primary Menu Y M L P-201

Y M L P-201

  • Business Insurance
  • Business News
  • Insurance News
  • Sky Business
  • Upi News
  • About Us
    • Advertise Here
    • Contact Us
    • Privacy Policy
    • Sitemap
  • Insurance News

Russian Invasion of Ukraine, Cyberattacks, and War Exclusions in P/C Policies

2 months ago magenet

The Russian invasion of Ukraine may result in cyberattacks causing widespread and severe losses, in those nations and beyond.

Even before the current invasion, some Russian cyberattacks aimed at Ukraine spread to other nations. The most prominent of these was the NotPetya attack in 2017. NotPetya was the name given to a strain of one of the most destructive types of malware, known as “Wiper” malware, which is designed to functionally destroy computers by wiping their contents completely. It was designed to spread to other computer networks, and did. It caused an estimated $10 billion in losses throughout the world. (NotPetya will be discussed in greater detail later in this paper.)

The current threat matrix is multidimensional. Russia may intentionally target companies in the United States, Europe, Australia, Japan and elsewhere, in response to support given to Ukraine, and in retaliation for the economic sanctions that have been imposed. If the war drags on or escalates, Russia may seek tactical or strategic benefit by increasing the overall level of distress in other nations. After the conflict ends, however it ends, Russia will be the object of extreme resentment and suspicion. It may launch cyberattacks to increase disorder, believing that an environment of disorder would best serve its position as a significant power.

In addition to the nations in conflict, cyberattacks could be launched by groups affiliated with them, as well as independent groups sympathetic to one of them. Cybersecurity analytics firms estimate that approximately 10 hacking groups are currently assisting Russia. And Ukraine has publicly called for an international “IT army” of volunteer hacker groups. It is estimated there are at least twenty-two such groups currently assisting Ukraine.

Related Posts:

  • Russian Invasion of Ukraine, Cyber Attacks and War Exclusions in P/C Policies

The threat is enhanced by the increased availability of “zero click vulnerabilities.” These are cyberattacks that can enter networks without the victims doing anything, such as clicking on a link, or without using compromised credentials. They include vulnerabilities such as Solarwinds, Log4j, and Pegasus.[1] Compounding this threat, in recent weeks researchers have discovered a Russian cyberweapon called HermeticWizard, which is a new strain of software deigned to autonomously spread another strain, HermeticWipe, to other computers in a network. That is, it has capacities similar to the NotPetya malware.[2]

Even without intentional design, malware can break “into the wild,” infecting other networks and causing the kind of “collateral damage” to innocent parties that is a feature of traditional warfare.

Property and casualty insurers face potential exposure to losses from cyberattacks that directly target or indirectly reach their insureds in the United States and elsewhere in the world. This paper addresses the extent to which War Exclusions may mitigate that exposure.

Modern “War Exclusions”

The term “War Exclusion” is a misnomer. Over the years, War Exclusions have come to apply to much more than traditional war between sovereign nations. There are countless variations in title, language, and the scope of coverage in provisions used by different insurers, and in different lines of business. Several Exclusions are used broadly. Others are bespoke. Yet with this understanding, for ease of reference, when referring to these provisions in general or collectively, this Paper will use the term “War Exclusions.”

Any analysis of the issues addressed in this Paper must focus on the specific War Exclusion at issue.

Some of the frequently used terms and phrases used in War Exclusions of potential relevance here include the following:

  • war
  • hostilities
  • warlike operations (whether declared or not)
  • military operations
  • military or usurped power
  • damage to property by or under the order of any government
  • acts of foreign enemies
  • any action taken to hinder or defend against these events, [or alternatively]
  • action in hindering or defending against an actual or expected attack by any government, sovereign or other authority using military personnel or other agents.

There is one commonly used form of special interest, because it appears in many all-risk property policies that might be implicated in cyber losses. It is at issue in the two prominent pending litigations described below. It provides in relevant part as follows:

Hostile/Warlike Action Exclusion

Loss or damage caused by hostile or warlike action in time of peace or war, including action in hindering, combatting, or defending against an actual, impending, or expected attack:

  1. by any government or sovereign power (de jure or de facto) or by any authority maintaining or using military, naval or air forces;
  2. or by military, naval, or air forces;
  3. or by an agent of such government, power, authority or forces.

This policy does not insure against loss or damage caused by or resulting from [the perils in the Exclusion above] regardless of any other cause or event contributing concurrently or in any other sequence to the loss.

Current Prominent Litigation

Both of the prominent cases currently in litigation address the application of the Hostile/Warlike Action Exclusion to cyberattacks. Both arose out of the NotPetya cyberattack in 2017.

In the NotPetya cyberattack, Russia sent malware to at least several dozen Ukrainian companies. It was disguised as ransomware, similar at first view to an earlier ransomware attack called Petya. But the new strain was really “wiperware”. That is, it automatically encrypted the victim’s data, permanently and inalterably. Essentially, it obliterated the data in the victim’s systems. It was designed to spread to other networks automatically, rapidly, and indiscriminately, and it spread throughout the world. It was so indiscriminate that it infected the network of the Russian state oil company, Rosneft. It is estimated that NotPetya caused approximately $10 billion in losses, including more than $1 billion in losses to three separate organizations in the United States.

The first prominent litigation is Mondelez Int’l, Inc. v. Zurich Am Ins, Co.,[3] in which an American confectionary, food, and beverage company asserts it suffered over $100 million in damages because of the loss of 1,700 servers and 24,000 laptops. Its insurer has denied coverage because the policy contained the Hostile/Warlike Action Exclusion. The case is pending in state court in Illinois and no decisions have yet been rendered.

The second prominent litigation is Merck & Co., Inc. v. ACE Am. Ins. Co., et al.,[4] The pharmaceutical giant Merck suffered a widespread systemic failure caused by NotPetya. Operations were halted for two weeks, and Merck asserts it suffered more than $1.4 billion in damages. It had nearly three dozen insurers on all-risk property policies providing coverage for loss or damage resulting from the destruction or corruption of computer data and software. The insurers rejected Merck’s claims based on the Hostile/Warlike Action Exclusion.

On January 13, 2022, the lowest-level state court in New Jersey rendered its decision. It said it was interpreting the words of the Hostile/Warlike Actions Exclusion by their “ordinary meaning.” It said that the term “warlike” could only be interpreted as “like war.” This is consistent with the definition in the Oxford English Dictionary, which also defines “hostile” as “of, pertaining to, or characteristic of an enemy, pertaining to or engaged in actual hostilities.” Merck argued this meant that the Exclusion only applied when armed forces engaged in traditional warfare. The Court agreed. It cited to a few old cases, and said that “no court has applied a war (or hostile acts) exclusion to anything remotely close to the facts herein.” Based on this logic, it held “Merck had every right to anticipate that the exclusion only applied to traditional forms of warfare.” Thus, it held the Exclusion did not apply.

This decision is subject to robust criticism. It is true that the Exclusion had never been applied to a cyberattack – but no court had ever been presented with the issue. Further, the Court did not analyze the term “hostilities,” which is inherent in the definition of “hostile.” There are numerous sources of authority in various contexts that broaden the term far beyond conventional war by armed forces. Moreover, contemporary military doctrine in the United States and several other advanced nations recognizes cyberspace as a domain of warfare and conflict. Finally, there is general consensus that cyber activities are subject to the international Law of Armed Conflict, which is the proper term for what is generally called “War Law.” For these reasons, this case should not be considered authoritative. It may not withstand appeal. And even if it does, courts in other states have no obligation to follow it.

In addition, the case could clearly be distinguished based on the facts of the current conflict. Russia and Ukraine are involved in an actual war, with bullets and bombs. If they were also to deploy destructive cyber weapons against each other, War Exclusions would clearly apply. And if outside groups were to deploy destructive cyber weapons in support of one of the nations, with extensive collateral damage outside the physical theatre of conflict, there is a substantial argument that they too should fall within War Exclusions.

Analytical Framework

As of the time this Paper is being written, Merck is the only known decision construing War Exclusions in the context of a cyberattack by any nation, under any type of policy. There are countless variations in the types of cyberattacks and the applicable language of War Exclusions. Thus, the question is wide open, requiring detailed analysis on a case-by-case basis.

There are four central areas of analytical inquiry. First, is a given cyberattack covered at all by the particular property and casualty policy at issue? Next, what is the nature of effect of the cyberattack? Third, what is the nature of the threat actor launching the cyberattack? And fourth, what is the nature of the victim?

Often, the answers to these questions will not be clear. But the best answers available must be examined under the case law of a given US state. The case law on War Exclusions is sparse and not especially illuminating, and general insurance coverage law varies across states. Thus, determining whether to enforce a War Exclusion is much more art than science, and judgments are required.

Is the Cyberattack Covered at All?

The essential first step is to determine whether the loss caused by the cyberattack falls within covered risks contemplated by the policy. This is a function of:

  • How cyber risks are treated in the policy. What grants, extensions and exclusions might apply?
  • In the absence of policy provisions, is there “silent cyber” or “non-affirmative cyber” coverage?

Property and casualty policies treat cyber risks in various ways. In current policies, it is very rare to have no language addressing cyber risks at all. Instead, most have express coverage grants, extensions or exclusions. Many of these are ISO forms or ISO-derived forms. Merely by way of example, these include, among other forms:

  • an Extension for Interruption of Computer Operations Due to Destruction or Corruption of Electronic Data;
  • an Extension for Replacement or Restoration of Electronic Data;
  • a definition of Business Income and Extra Expense coverage which includes Interruption of Computer Operations; and
  • Inland Marine policies with an Electronic Data Processing Coverage Form.

In addition, Exclusions for Access or Disclosure of Confidential or Personal Information and Data-Related Liability are fairly common.

Apart from forms such as these, in theory policies could be found to afford silent or non-affirmative coverage for a range of cyber risks. These include commonly understood risks such as First-Party Cyber Property Loss and Network Disruption (including Business Interruption and Contingent or Dependent Business Interruption) and Ransomware and Cyber Extortion.

In theory policies could also be found to cover less commonly understood or addressed cyber risks. These include the following:

Third-Party Cyber Physical Events, which are cyber-related events resulting in damage or injury to third parties. This could include damage to data, software, hardware, and computer systems, and also other types of property damage and bodily injury.

IoT Risks, which refers to devices connected to the Internet that fail or malfunction. They can cause first- or third-party property damage or bodily injury.

Industrial Cyber Risks, which are related to but different from IoT Risks. They arise from electronic interference, Internet-based or otherwise, with an Industrial Control System (“ICS”) or a Supervisory Control and Data Acquisition (“SCADA”) System. These are systems used to monitor and control plants or equipment. They present special challenges of interpretation and causation. If these systems are compromised, they can be used to destroy production equipment. For example, they might cause a generator or turbine to rotate too quickly and damage or destroy property. The equipment itself could be destroyed. The loss could cascade because equipment around it could be damaged as it breaks apart. So the damage is not merely to the equipment, but from the damaged equipment, causing further damage to other equipment or property. And the loss could be aggravated by third-party property damage and bodily injury.

Upon making the determination that there might be coverage under the policy, the analysis proceeds to the next questions.

What is the Nature and Effect of the Cyberattack?

The key questions are:

  • Is it “hostile” or “warlike” as commonly understood?
  • Is the effect “kinetic,” e., are there physical effects similar to those produced by bullets and bombs?
  • If the effects are not kinetic, do they cause widespread or severe economic damage, impair critical infrastructure, impair the government’s ability to provide essential services, or have similar gravity?

Modern policies do not focus on whether a war has been declared, or whether there has been an “act of war.” Instead, they focus on the nature and source of the attack, and its effect.

Since at least 2012, the position of the United States government has been that “cyber activities that proximately result in death, injury or significant destruction would likely be viewed as a use of force.” Use of force is understood to refer to the prohibition in Article 2(4) of the United Nations Charter, which prohibits the use of force against the territorial integrity or political independence of any state.[5]

Thus, it is highly likely that a cyberattack would be construed as “hostilities,” “war” or “warlike operations” when it has kinetic effects, i.e., it has the same effects as bullets and bombs, hurting people and breaking things.

Beyond that, without specific policy language, the courts will be faced with unresolved “questions of first impression.” Some of the other circumstances in which War Exclusions are most likely to apply are when the effects of the cyberattack are widespread and severe, and when it results in significant disruption of the availability or integrity of essential services, such as:

  • computer networks and information systems;
  • the Internet;
  • financial institutions and financial market infrastructure, especially if there are significant economic losses;
  • health services;
  • utilities; and
  • other components of critical infrastructure and essential services.

War Exclusions could also be applied to a cyberattack causing loss or damage resulting from an impairment of functioning of the government, including the nation’s security or defense.

It is reasonable to assume these effects could trigger War Exclusions even in the absence of specific language. But insurers would be well-advised to add express language addressing them.

What is the Nature of the Threat Actor?

Is the Threat Actor:

  • Russia or Ukraine?
  • A group officially or in reality connected to, controlled by, or acting at the request of Russia or Ukraine?
  • An independent group voluntarily aligning with Russia or Ukraine?

One of the challenging technical issues in cybersecurity has been accurately identifying the source of a cyberattack. This is called “Attribution.” While challenging, it is not impossible. For example, the NotPetya attack was attributed to the Sandworm group working within Russia’s military intelligence organization, the GRU, by each of the “Five-Eyes Intelligence Alliance”– the United States, the United Kingdom, Australia, Canada and New Zealand – as well as by Denmark, Finland, Latvia, and Sweden. In the context in the Russia-Ukraine conflict, there is a substantial possibility that governments would again make attributions.

Even without government attributions, many of the same resources used by governments to make attributions are equally available to private companies. An example is the cybersecurity forensic firm CrowdStrike, and others of similar caliber. In fact, they are at times relied on by governments themselves.

It is extremely likely that Russia would be the nation launching a direct cyberattack on the West, either targeting a specific entity, or using malware designed to spread. For cyberattacks from Ukraine, there would be some risk of inadvertently sending an exploit into the wild. But in either case, virtually every government, cybersecurity forensic firm, and hacker collective will be joining the effort to identify the source, so reliable attributions are likely to be possible.

Additional threats come from groups of “non-state actors” who are de jure or de facto agents of one of the nations in conflict. Much is known about the threat signatures and characteristics of many of these groups, so again reliable attributions may be possible. Indeed, some groups have declared their allegiance openly.[6]

Where the attacker is a nation or an affiliated non-state entity, most cyberattacks would likely fall within War Exclusions. For non-state entities, of course, it would help if the Exclusion expressly contained language such as “by a state … or those acting on its behalf”, or “those acting at its direction,” or “by an agent of,” or similar terms. But a substantial argument could be made that those words are not required. Once again, there is no case law directly on point in the cyber context, so this is a question of first impression.

An additional area of inquiry is whether the non-state actor is a Russian ransomware gang or other entity that was made subject to sanctions by the United States Treasury Department’s Office of Foreign Asset Control (“OFAC”), either before or as a consequence of the invasion. This would have two effects. First, even if an insurer wanted to pay a ransomware demand, it would be illegal to do so. Second, it would strengthen the position that the cyber attacker was sufficiently close to the Russian government that War Exclusions should be enforced.

There is another gray area. What if a non-affiliated hacker group such as Anonymous launches an attack against Russia that inadvertently spreads to other countries? Novel and complex questions would arise about whether it had the type of relationship with one of the combatants that is necessary under most current War Exclusions, or whether it could be characterized as a “unprivileged belligerent” in a war.

What is the Nature of the Victim?

Is the victim:

  • An insured that was directly targeted?
  • An insured hit by a cyberattack deliberately designed to spread to other networks?
  • An insured that was “collateral damage” in a cyberattack that went into the wild?

Finally, the nature of the victim will be a factor in whether War Exclusions apply to a given cyberattack. If the victim is directly targeted by the cyber attacker, there should be little doubt about the applicability of War Exclusions. It is possible that some would raise questions if the victims were not physically located in Russia or Ukraine. But as noted, advanced countries recognize cyberspace as a military domain. That domain has no physical boundaries, and a thoughtful court should recognize that.

The most likely entities to be directly targeted are banks, IT and Internet service companies, utilities, shipping companies and mobile phone network operators.

If the victim was struck by an attack deliberately intended to spread, a strong case for enforcing War Exclusions could also be made, because the loss would likely be considered to result from what is substance was a direct cyberattack. But one scenario may raise additional issues. What if the cyberattack goes into the wild and inadvertently spreads to an insured’s system, so that the loss is more remote than those from the original attack? There is no clear authority here, and most policies have not addressed this. One of the new LMA War, Cyber War and Cyber Operation Exclusions (which are discussed below) does address it, by providing an exception to the exclusion for the direct or indirect effect of a cyber operation on a “bystander cyber asset.” That term is defined as “á computer system used by an insured or its third party service providers that is not physically located in an impacted state but is affected by a cyber operation.”[7] An “impacted state” is defined as “any state where a cyber operation has had a major detrimental impact on the functioning of that state and/or security or defense of that state.” Under this language, at least some losses from collateral damage are not excluded – those suffered by an entity in a state that was not heavily affected by the cyberattack.

Updated War Exclusions

Given the many potential open issues described above, insurers may wish to review the treatment of cyberattacks under War Exclusions for all their lines of business.

Standalone cyber insurers have been working on this problem for years, trying to address it fairly, while avoiding the danger of catastrophic aggregation. They have started to put forth proposals. In a significant effort, in late 2021 the Lloyd’s Market Association released four “War, Cyber War and Cyber Operation Exclusions.” (“LMA Exclusions”) They were designed for use in standalone cyber policies, and attempt to address and thus provide clarity on several of the most vexing issues. The LMA Exclusions are described in detail in a Briefing Note prepared by this author.[8]

Although the LMA Exclusions were designed for standalone cyber insurance policies, several of their concepts and elements merit consideration when reviewing and updating War Exclusions in policies is other lines of business.

Conclusion

The application of War Exclusions is not an exercise involving certainty derived from immutable facts. Rather the determination is a judgment, based on an evaluation of often incomplete facts in an uncertain legal context, made by people – claims executives, their legal advisors, and ultimately judges. The coming weeks, months, and years may require many such judgments.

*This content was originally published on Gfeller Laurie’s webiste. It is used here with permission

[1] Stuart Madnick, What Russia’s Ongoing Cyberattacks in Ukraine Suggest About the Future of Cyber Warfare, Harvard Business Review, March 7, 2022.

[2] Christopher Mims, The Russia-Ukraine Cyberwar Could Outlast the Shooting War, The Wall Street Journal, March 5, 2022.

[3] No. 2018-L-011008 (Ill. Cir. Ct. Oct 10, 2018).

[4] No. UNN-L-002683-18, (N.J. Super. Ct. Law Div. Aug 2, 2018).

[5] More elaboration of the international law framework is contained in Vincent J. Vitkowsky, War, Terrorism, and Hactivism Under Cyber Insurance Policies, September 2014, available here and Vincent J. Vitkowsky, War Exclusions and Cyber Threats from States and State-Sponsored Hackers, May 2017, available here.

[6] An interesting incident involves the Conti ransomware gang. On February 25, 2022, in a tweet, Conti said it is “officially announcing a full support of Russian government.” It said if anyone organized a cyberattack or any war activities against Russia, it would “use our all possible resources to strike back at the critical infrastructure on an enemy.” One of its members, believed to be Ukrainian with a different point of view, leaked a massive amount of information from Conti’s internal chats and business records. Law enforcement and cyber researchers have found the leak to be extremely valuable. The gang’s leadership later tried to make a more neutral statement.

[7] Here, the LMA Exclusions use the international term “state” to refer to nations.

[8] Vincent J. Vitkowsky, Briefing Note on the New LMA War, Cyber War and Cyber Operation Exclusions for Cyber Insurance Policies, December 2021, available here.

Topics
Russia
Property Casualty
Ukraine

Tags: Amazon Business Credit Card, American Airlines Business Class, Att Business Login, Austin Business Journal, Best Bank For Small Business, Best Business Bank Accounts, Best Business Schools In Us, Best Business To Start, British Airways Business Class, Business Attire Men, Business Card Ideas, Business Casual Shoes For Women, Business Continuity Planning, Business Entity Search, Business Letter Template, Business Management Degree, Business Manager Facebook, Business Plan Outline, Business School Rankings, Colorado Business Search, Delaware Business Entity Search, Drop Shipping Business, Family Business Bet, Fox Business Live, Georgia Sos Business Search, Google Business Account, Harvest Small Business Finance, How To Build Business Credit, Is Saturday A Business Day, Is Sears Still In Business, Microsoft 365 Business, My Business Google, Name Generator Business, None Of Your Business, Ny Sos Business Search, Open A Business Bank Account, Pa Business Search, Plus Size Business Casual, Pnc Business Banking, Sos Business Search Ca, Sunbiz Business Search, Taking Care Of Business, The Business Of Being Born, Turbotax Home And Business 2020, Tx Sos Business Search, Venmo For Business, Verizon Business Plans, Virtual Address For Business, What Are Business Days, Women Business Casual

Continue Reading

Previous Centerbridge and Realogy Launch Title Insurance Underwriting Joint Venture: Title Resources Group
Next P-O parents threaten district, make demands regarding pandemic measures | News

More Stories

  • Insurance News

Alliant National names national production manager | News

4 hours ago magenet
  • Insurance News

West Bayers call for Caymanianization of tourism

5 days ago magenet
  • Insurance News

Building Links that Boost SERPs

6 days ago magenet

Recent Posts

  • Those Who Wish Me Dead (Original Motion Picture Soundtrack) Available on WaterTower Music May 7
  • Alliant National names national production manager | News
  • Wp.sql At Master. ParalelniPolis
  • Florida Men Sentenced for PPP Loan Fraud Scheme
  • Israeli milk alternatives startup Imagindairy raises $15m

Archives

  • May 2022
  • April 2022
  • March 2022
  • February 2022
  • January 2022
  • December 2021
  • November 2021
  • October 2021
  • September 2021
  • August 2021
  • July 2021
  • June 2021
  • May 2021
  • April 2021
  • March 2021
  • February 2021
  • January 2021
  • December 2020
  • November 2020
  • October 2020
  • September 2020
  • August 2020
  • July 2020
  • June 2020
  • May 2020
  • April 2020
  • March 2020
  • February 2020
  • January 2020
  • December 2019
  • November 2019
  • October 2019
  • September 2019
  • August 2019
  • July 2019
  • June 2019
  • May 2019
  • April 2019
  • March 2019
  • February 2019
  • January 2019
  • December 2018
  • November 2018
  • October 2018
  • December 2016

Categories

  • Business
  • Business Insurance
  • Business News
  • General
  • Insurance News
  • Sky Business
  • Upi News

Visit Now

All In One Desktop Computer

BL

LP

TL

Intellifluence Trusted Blogger

promo toyota malang

You may have missed

  • Sky Business

Those Who Wish Me Dead (Original Motion Picture Soundtrack) Available on WaterTower Music May 7

3 hours ago magenet
  • Insurance News

Alliant National names national production manager | News

4 hours ago magenet
  • Business News

Wp.sql At Master. ParalelniPolis

5 hours ago Marna
Florida Men Sentenced for PPP Loan Fraud Scheme
  • General

Florida Men Sentenced for PPP Loan Fraud Scheme

6 hours ago magenet
  • Business News

Israeli milk alternatives startup Imagindairy raises $15m

6 hours ago magenet
ymlp201.net All rights reserved. | CoverNews by AF themes.
We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept”, you consent to the use of ALL the cookies.
Cookie settingsACCEPT
Privacy & Cookies Policy

Privacy Overview

This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may have an effect on your browsing experience.
Necessary
Always Enabled
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Non-necessary
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.
SAVE & ACCEPT