Navigating Cyber War Exclusion Clauses: Challenges Amidst Evolving Global Threats

By: Jason Koehn and Becca Brett

Today’s cyber landscape is marked by sophisticated threat actors launching more frequent and costlier attacks. In 2024, the global average cost to an organization impacted by a cyber breach was $4.8 million. Unsurprisingly, organizations are prioritizing cyber insurance to mitigate financial exposure to cyberattacks by offsetting incident response and recovery costs. A critical caveat, however, is the cyber war exclusion clause, which allows insurers to sidestep liability for losses resulting from cyberattacks deemed to be acts of war. If triggered, cyber war exclusion clauses could leave policyholders without critical incident response support, while requiring affected entities to bear substantial out-of-pocket expenses for business disruptions, property damage, and ransomware payments. Thresholds for invoking cyber war exclusion clauses remain inconsistent, creating ambiguity for policyholders and insurers. Such ambiguity is particularly worrisome given recent state-sponsored cyberattacks against US critical infrastructure, rising geopolitical tensions, and blurred lines between war and conflict.

Insurance brokers and policyholders struggle to define and standardize criteria for incidents that might trigger cyber war exclusions. Historically, insurance brokers attempted to include cyberattacks under traditional war exclusion clauses to avoid liability. In 2023, the case Merck & Co. v. ACE Am. Ins. Co. examined this inclusion after a cyberattack infected thousands of Merck computers with malware known as NotPetya (Merck & Co. v. ACE 2023, 535, 540). Merck’s insurers denied coverage for losses based on war exclusion clauses in their agreements (Merck & Co. v. ACE 2023, 540). Merck responded by filing in court, alleging that the NotPetya cyberattacks were not covered under traditional war exclusion clauses. The court agreed with Merck, finding that “similar exclusions have never been applied outside the context of a clear war or concerted military action” (Merck & Co. v. ACE 2023, 547). 

After the Merck case, the insurance industry, led by market leader Lloyd’s, sought to clarify the applicability of cyber war exclusion clauses. In 2023, Lloyd’s published a bulletin requiring that all future insurance agreements:

  • exclude losses arising from state-backed cyberattacks that significantly impair the ability of a state to function or significantly impair state-security capabilities.
  • “set out a robust basis by which the parties agree on how any state backed cyberattack will be attributed to one or more states.”

While Lloyd’s guidelines provide general guidance, ambiguity in the clauses and lack of standardization across the industry remain. Definitive state attribution of a cyberattack is particularly divisive. In response to the challenge of determining which entity is authoritative for attribution, many insurers have turned to the government of the jurisdiction where the affected system is located. Yet even for governments, credible public attribution of a cyberattack is often difficult due to the clandestine nature of cyberattacks and diplomatic motivations for concealing a state’s involvement. Increasingly blurred lines between cyber criminals and state-sponsored actors further obscure attribution efforts. For example, Russian state-sponsored hackers have outsourced cyber espionage operations targeting Ukraine to criminal groups. Additionally, state-sponsored actors often leverage many of the same information stealers, command-and-control frameworks, and tools as cybercriminals. The convergence of cybercrime and state-sponsored activity necessitates defined protocols that ensure clear evaluation methods for assessing nation-state involvement in cyberattacks.

It is also imperative to level-set the definition of war across the cyber insurance industry. War in this context is often understood as either a cyberattack carried out as part of a physical war or a state-sponsored cyberattack that causes “a major detrimental impact to the essential services required for the functioning of a sovereign state.” While progress has been made regarding the definition of war, “thresholds for reaching this state are less clear.” Modern wars are often fought in the “gray zone,” involving economic coercion, influence operations, cyberattacks, mercenary operations, and disinformation. While physical force between states might occur in such conflicts, it is often sporadic and lacks a clearly defined beginning or end. Consider the potential for great-power conflict between the United States and an adversary, where cyberattacks would play a central role, often commencing well before any formal declaration of war. Determining whether a cyberattack occurred during or in the lead-up to war is likely to prove difficult.

State-sponsored cyberattacks on US critical infrastructure suggest that adversaries have the capability to cause “major detrimental impacts to essential services,” potentially reaching the threshold required to trigger cyber war exclusions. Recent cyberattacks by Chinese government-linked actors compromising US telecommunication companies and the US Department of the Treasury highlight the urgency of addressing these ambiguities. Ambiguity in cyber war exclusion clauses poses legal risks as well. From an enforcement perspective, the lack of standardization in cyber war exclusion clauses will likely lead to fragmented judicial results when denials of coverage are challenged in court. Organizations that fail to proactively evaluate their cyber-insurance coverage and understand the nuances of cyber war exclusion clauses expose themselves to significant risk. Given the substantial consequences of widespread cyberattacks for all stakeholders, it is essential that policymakers, companies, and insurers collaborate to define the parameters of these critical clauses—before a crisis occurs, rather than in its aftermath.

Jason Koehn is an MAIR SAIS graduate from the Class of 2022 and works as a Senior Consultant at Booz Allen Hamilton.
Becca Brett graduated from the Georgetown University Law Center’s J.D. program in 2024 and works as an Associate at Clifford Chance.
Edited by: Eric Omorogieva
