Testing: The War Exclusion Rule in Cyberinsurance [Part 1]

Case:  Merck & Co. Inc. vs. Ace American Insurance Co. et al., N.J. Super. Ct., No. L-002682-18, summary judgment 1/13/22.

As Russia continues its invasion of Ukraine, cybersecurity experts are watching to see if the country will test a clause commonly found in cyber insurance policies that exclude damages caused by acts of war. If successful, this could set a dangerous precedent for future attacks. Cyber insurance is a growing industry, and many companies have started to include these clauses in their policies. However, there is still a lot of uncertainty about how they will be interpreted in the event of an attack. So far, the damage from the Russian cyberattacks has been relatively minor, but this could change if the attacks become more sophisticated. In any case, it will be essential to watch how these policies are tested in the coming months.

Cyber insurance policies have been around for a while, but they have been thrust into the spotlight in recent years as cyberattacks have become more common. One of the issues that have come up concerning these attacks is the so-called “war exclusion” and “hostile act exclusion” language that is often found in cyber insurance policies. This language has a long history in other types of insurance coverage, but cyber attacks present many grey areas. Lawyers have been debating the impact of this language on cyber insurance policies, and it is still not clear how these clauses will be interpreted in the event of a large-scale cyberattack.

NotPetya, a 2017 wiper attack that caused billions of dollars of damage and has been linked to Russian hackers, pushed many insurance providers to clarify their language around what is and isn’t covered. The attack has been linked to Russian hackers. Some cybersecurity experts believe it was a test for language commonly used in cyber insurance policies that exclude damages caused by acts of war. 

As a result of the attack, New Jersey Superior Court Judge Thomas J. Walsh ruled on Jan. 13 that Merck’s insurers can’t claim the war exclusion because its language is meant to apply to armed conflict. The ruling noted that insurers didn’t change the war language to put companies like Merck “on notice” that cyberattacks wouldn’t be covered, despite a trend of attacks by countries like Russia hitting private sector companies. This case is just one example of how cyberattacks are putting cyber insurance policies to the test. Many experts believe that we will see more of these issues in the future as cyberattacks become more common.

Cybersecurity is constantly evolving, and with that comes new challenges for companies regarding insurance. Russia’s invasion of Ukraine has been linked to numerous cyberattacks. If these attacks are excluded from coverage under existing policies, it could have a significant impact on businesses that have been affected. As the conflict between Russia and Ukraine continues, cybersecurity professionals are on high alert for potential cyberattacks, which may be a test case for insurers.

PART 2: Maybe I’ll write a bit more about cyberwarfare?