The Russian invasion of Ukraine may result in cyberattacks causing widespread and severe losses in Ukraine and beyond.
Even before the current invasion, some Russian cyberattacks aimed at Ukraine spread to other nations. The most prominent of these was the NotPetya attack in 2017.
NotPetya was the name given to a strain of one of the most destructive types of malware, known as “Wiper” malware, which is designed to functionally destroy computers by wiping their contents completely. It was designed to spread to other computer networks, and did. It caused an estimated $10 billion in losses throughout the world. (NotPetya will be discussed in greater detail later in this article.)
The current threat matrix is multidimensional. Russia may intentionally target companies in the United States, Europe, Australia, Japan and elsewhere, in response to support given to Ukraine, and in retaliation for the economic sanctions that have been imposed.
If the war drags on or escalates, Russia may seek tactical or strategic benefit by increasing the overall level of distress in other nations.
After the conflict ends, however it ends, Russia will be the object of extreme resentment and suspicion. It may launch cyberattacks to increase disorder, believing that an environment of disorder would best serve its position as a significant power.
In addition to the nations in conflict, cyberattacks could be launched by groups affiliated with them, as well as independent groups sympathetic to one of them.
Cybersecurity analytics firms estimate that approximately 10 hacking groups are currently assisting Russia. And Ukraine has publicly called for an international “IT army” of volunteer hacker groups. It is estimated there are at least 22 such groups currently assisting Ukraine.
The threat is enhanced by the increased availability of “zero-click vulnerabilities.” These are cyberattacks that can enter networks without the victims doing anything, such as clicking on a link, and without using compromised credentials. They include vulnerabilities such as SolarWinds, Log4j and Pegasus. Compounding this threat, researchers have discovered a Russian cyberweapon called HermeticWizard, a new strain of software designed to autonomously spread another strain, HermeticWiper, to other computers in a network. That is, it has capacities similar to the NotPetya malware.
Even without intentional design, malware can break “into the wild,” infecting other networks and causing the kind of “collateral damage” to innocent parties that is a feature of traditional warfare.
Property/casualty insurers face potential exposure to losses from cyberattacks that directly target or indirectly reach their insureds in the United States and elsewhere in the world. This article addresses the extent to which War Exclusions may mitigate that exposure.
Modern “War Exclusions”
The term “War Exclusion” is a misnomer. Over the years, War Exclusions have come to apply to much more than traditional war between sovereign nations. There are countless variations in title, language and scope of coverage in the provisions used by different insurers and in different lines of business. Several exclusions are used broadly; others are bespoke. With this understanding, and for ease of reference, this article will use the term “War Exclusions” when referring to these provisions in general or collectively.
Any analysis of the issues addressed must focus on the specific War Exclusion at issue.
Some of the terms and phrases frequently used in War Exclusions that are of potential relevance here include the following:
- war;
- hostilities;
- warlike operations (whether declared or not);
- military operations;
- military or usurped power;
- damage to property by or under the order of any government;
- acts of foreign enemies;
- any action taken to hinder or defend against these events, or alternatively, action in hindering or defending against an actual or expected attack by any government, sovereign or other authority using military personnel or other agents.
One commonly used form is of special interest, because it appears in many all-risk property policies that might be implicated in cyber losses. It is at issue in the two prominent pending litigations described below. It provides in relevant part as follows.
Hostile/Warlike Action Exclusion
Loss or damage caused by hostile or warlike action in time of peace or war, including action in hindering, combatting, or defending against an actual, impending, or expected attack:
- by any government or sovereign power (de jure or de facto), or by any authority maintaining or using military, naval or air forces;
- or by military, naval, or air forces; or by an agent of such government, power, authority or forces.
This policy does not insure against loss or damage caused by or resulting from [the perils in the Exclusion above] regardless of any other cause or event contributing concurrently or in any other sequence to the loss.
Current Prominent Litigation
Both of the prominent cases currently in litigation address the application of the Hostile/Warlike Action Exclusion to cyberattacks. Both arose out of the NotPetya cyberattack in 2017.
In the NotPetya cyberattack, Russia sent malware to at least several dozen Ukrainian companies. It was disguised as ransomware, similar at first view to an earlier ransomware attack called Petya.
But the new strain was really “wiperware.” That is, it automatically encrypted the victim’s data permanently and irreversibly, essentially obliterating the data in the victim’s systems. It was designed to spread to other networks automatically, rapidly and indiscriminately, and it spread throughout the world. It was so indiscriminate that it infected the network of the Russian state oil company, Rosneft.
It is estimated that NotPetya caused approximately $10 billion in losses, including more than $1 billion in losses to three separate organizations in the United States.
The first prominent litigation is Mondelez Int’l, Inc. v. Zurich Am. Ins. Co., in which an American confectionery, food and beverage company asserts it suffered over $100 million in damages because of the loss of 1,700 servers and 24,000 laptops. Its insurer denied coverage because the policy contained the Hostile/Warlike Action Exclusion. The case is pending in state court in Illinois, and no decisions have yet been rendered.
The second prominent litigation is Merck & Co., Inc. v. ACE Am. Ins. Co., et al. The pharmaceutical giant Merck suffered a widespread systemic failure caused by NotPetya. Operations were halted for two weeks, and Merck asserts it suffered more than $1.4 billion in damages. It had nearly three dozen insurers on all-risk property policies providing coverage for loss or damage resulting from the destruction or corruption of computer data and software. The insurers rejected Merck’s claims based on the Hostile/Warlike Action Exclusion.
On Jan. 13, 2022, the lowest-level state court in New Jersey rendered its decision. It said it was interpreting the words of the Hostile/Warlike Action Exclusion by their “ordinary meaning.” It said that the term “warlike” could only be interpreted as “like war.” This is consistent with the definition in the Oxford English Dictionary, which also defines “hostile” as “of, pertaining to, or characteristic of an enemy, pertaining to or engaged in actual hostilities.” Merck argued this meant that the exclusion only applied when armed forces engaged in traditional warfare.
The court agreed. It cited a few old cases and said that “no court has applied a war (or hostile acts) exclusion to anything remotely close to the facts herein.” Based on this logic, it held “Merck had every right to anticipate that the exclusion only applied to traditional forms of warfare.” Thus, it held the exclusion did not apply.
This decision is subject to robust criticism. It is true that the exclusion had never been applied to a cyberattack — but no court had ever been presented with the issue. Further, the court did not analyze the term “hostilities,” which is inherent in the definition of “hostile.” There are numerous sources of authority in various contexts that broaden the term far beyond conventional war by armed forces.
Moreover, contemporary military doctrine in the U.S. and several other advanced nations recognizes cyberspace as a domain of warfare and conflict. Finally, there is general consensus that cyber activities are subject to the international Law of Armed Conflict, which is the proper term for what is generally called “War Law.” For these reasons, this case should not be considered authoritative. It may not withstand appeal. Even if it does, courts in other states have no obligation to follow it.
In addition, the case could clearly be distinguished based on the facts of the current conflict. Russia and Ukraine are involved in an actual war, with bullets and bombs. If they were also to deploy destructive cyber weapons against each other, War Exclusions would clearly apply. And if outside groups were to deploy destructive cyber weapons in support of one of the nations, with extensive collateral damage outside the physical theatre of conflict, there is a substantial argument that they too should fall within War Exclusions.
As of the time this is being written, Merck is the only known decision construing War Exclusions in the context of a cyberattack by any nation, under any type of policy. There are countless variations in the types of cyberattacks and the applicable language of War Exclusions. Thus, the question is wide open, requiring detailed analysis on a case-by-case basis.
There are four central areas of analytical inquiry. First, is a given cyberattack covered at all by the particular property/casualty policy at issue? Second, what is the nature and effect of the cyberattack? Third, what is the nature of the threat actor launching the cyberattack? And fourth, what is the nature of the victim?
Often, the answers to these questions will not be clear. But the best answers available must be examined under the case law of a given U.S. state. The case law on War Exclusions is sparse and not especially illuminating, and general insurance coverage law varies across states. Thus, determining whether to enforce a War Exclusion is much more art than science, and judgments are required.
Is the Cyberattack Covered at All?
The essential first step is to determine whether the loss caused by the cyberattack falls within covered risks contemplated by the policy. This is a function of:
- How cyber risks are treated in the policy. What grants, extensions and exclusions might apply?
- In the absence of policy provisions, is there “silent cyber” or “non-affirmative cyber” coverage?
Property/casualty policies treat cyber risks in various ways. In current policies, it is very rare to have no language addressing cyber risks at all. Instead, most have express coverage grants, extensions or exclusions. Many of these are ISO forms or ISO-derived forms. By way of example only, these include the following, among other forms:
- an Extension for Interruption of Computer Operations Due to Destruction or Corruption of Electronic Data;
- an Extension for Replacement or Restoration of Electronic Data;
- a definition of Business Income and Extra Expense coverage which includes Interruption of Computer Operations; and
- Inland Marine policies with an Electronic Data Processing Coverage Form.
In addition, Exclusions for Access or Disclosure of Confidential or Personal Information and Data-Related Liability are fairly common.
Apart from forms such as these, in theory, policies could be found to afford silent or non-affirmative coverage for a range of cyber risks. These include commonly understood risks such as First-Party Cyber Property Loss and Network Disruption (including Business Interruption and Contingent or Dependent Business Interruption) and Ransomware and Cyber Extortion.
In theory, policies could also be found to cover less commonly understood or addressed cyber risks. These include the following:
- Third-Party Cyber Physical Events, which are cyber-related events resulting in damage or injury to third parties. This could include damage to data, software, hardware, and computer systems, and also other types of property damage and bodily injury.
- IoT Risks, which refers to devices connected to the Internet that fail or malfunction. They can cause first- or third-party property damage or bodily injury.
- Industrial Cyber Risks, which are related to but different from IoT Risks. They arise from electronic interference, Internet-based or otherwise, with an Industrial Control System (“ICS”) or a Supervisory Control and Data Acquisition (“SCADA”) system. These are systems used to monitor and control plants or equipment, and they present special challenges of interpretation and causation. If these systems are compromised, they can be used to destroy production equipment; for example, they might cause a generator or turbine to rotate too quickly and damage or destroy itself. The loss could cascade, because surrounding equipment could be damaged as the first piece breaks apart. So the damage is not merely to the compromised equipment but from it, causing further damage to other equipment or property. And the loss could be aggravated by third-party property damage and bodily injury.
Upon making the determination that there might be coverage under the policy, the analysis proceeds to the next questions.
What is the Nature and Effect of the Cyberattack?
The key questions are:
- Is it “hostile” or “warlike” as commonly understood?
- Is the effect “kinetic,” i.e., are there physical effects similar to those produced by bullets and bombs?
- If the effects are not kinetic, do they cause widespread or severe economic damage, impair critical infrastructure, impair the government’s ability to provide essential services, or have similar gravity?
Modern policies do not focus on whether a war has been declared, or whether there has been an “act of war.” Instead, they focus on the nature and source of the attack, and its effect.
Since at least 2012, the position of the U.S. government has been that “cyber activities that proximately result in death, injury or significant destruction would likely be viewed as a use of force.” Use of force is understood to refer to the prohibition in Article 2(4) of the United Nations Charter, which prohibits the use of force against the territorial integrity or political independence of any state.
Thus, it is highly likely that a cyberattack would be construed as “hostilities,” “war” or “warlike operations” when it has kinetic effects, i.e., it has the same effects as bullets and bombs, hurting people and breaking things.
Beyond that, without specific policy language, the courts will be faced with unresolved “questions of first impression.”
Some of the other circumstances in which War Exclusions are most likely to apply are when the effects of the cyberattack are widespread and severe, and when it results in significant disruption of the availability or integrity of essential services, such as: computer networks and information systems; the internet; financial institutions and financial market infrastructure, especially if there are significant economic losses; health services; utilities; and other components of critical infrastructure and essential services.
War Exclusions could also be applied to a cyberattack causing loss or damage resulting from an impairment of functioning of the government, including the nation’s security or defense.
It is reasonable to assume these effects could trigger War Exclusions even in the absence of specific language. But insurers would be well-advised to add express language addressing them.
What is the Nature of the Threat Actor?
Is the threat actor:
- Russia or Ukraine?
- A group officially or in reality connected to, controlled by, or acting at the request of Russia or Ukraine?
- An independent group voluntarily aligning with Russia or Ukraine?
One of the challenging technical issues in cybersecurity has been accurately identifying the source of a cyberattack. This is called “attribution.” While challenging, it is not impossible. For example, the NotPetya attack was attributed to the Sandworm group working within Russia’s military intelligence organization, the GRU, by each member of the “Five Eyes” intelligence alliance (the United States, the United Kingdom, Australia, Canada and New Zealand), as well as by Denmark, Finland, Latvia and Sweden. In the context of the Russia-Ukraine conflict, there is a substantial possibility that governments would again make attributions.
Even without government attributions, many of the same resources used by governments to make attributions are equally available to private companies. An example is the cybersecurity forensic firm CrowdStrike, and others of similar caliber. In fact, governments themselves at times rely on such firms.
It is extremely likely that Russia would be the nation launching a direct cyberattack on the West, either targeting a specific entity, or using malware designed to spread. For cyberattacks from Ukraine, there would be some risk of inadvertently sending an exploit into the wild. But in either case, virtually every government, cybersecurity forensic firm, and hacker collective will be joining the effort to identify the source, so reliable attributions are likely to be possible.
Additional threats come from groups of “non-state actors” who are de jure or de facto agents of one of the nations in conflict. Much is known about the threat signatures and characteristics of many of these groups, so again reliable attributions may be possible. Indeed, some groups have declared their allegiance openly.
Where the attacker is a nation or an affiliated non-state entity, most cyberattacks would likely fall within War Exclusions. For non-state entities, of course, it would help if the exclusion expressly contained language such as “by a state … or those acting on its behalf,” or “those acting at its direction,” or “by an agent of,” or similar terms. But a substantial argument could be made that those words are not required.
Once again, there is no case law directly on point in the cyber context, so this is a question of first impression.
An additional area of inquiry is whether the non-state actor is a Russian ransomware gang or other entity that was made subject to sanctions by the U.S. Treasury Department’s Office of Foreign Asset Control (OFAC), either before or as a consequence of the invasion. This would have two effects.
First, even if an insurer wanted to pay a ransomware demand, it would be illegal to do so. Second, it would strengthen the position that the cyber attacker was sufficiently close to the Russian government that War Exclusions should be enforced.
There is another gray area. What if a non-affiliated hacker group such as Anonymous launches an attack against Russia that inadvertently spreads to other countries? Novel and complex questions would arise about whether it had the type of relationship with one of the combatants that is necessary under most current War Exclusions, or whether it could be characterized as an “unprivileged belligerent” in a war.
What Is the Nature of the Victim?
Is the victim:
- An insured that was directly targeted?
- An insured hit by a cyberattack deliberately designed to spread to other networks?
- An insured that was “collateral damage” in a cyberattack that went into the wild?
Finally, the nature of the victim will be a factor in whether War Exclusions apply to a given cyberattack. If the victim is directly targeted by the cyber attacker, there should be little doubt about the applicability of War Exclusions. It is possible that some would raise questions if the victims were not physically located in Russia or Ukraine. But as noted, advanced countries recognize cyberspace as a military domain. That domain has no physical boundaries, and a thoughtful court should recognize that.
The most likely entities to be directly targeted are banks, IT and internet service companies, utilities, shipping companies and mobile phone network operators.
If the victim was struck by an attack deliberately intended to spread, a strong case for enforcing War Exclusions could also be made, because the loss would likely be considered to result from a direct cyberattack.
But one scenario may raise additional issues. What if the cyberattack goes into the wild and inadvertently spreads to an insured’s system, so that the loss is more remote than those from the original attack? There is no clear authority here, and most policies have not addressed this.
One of the new LMA War, Cyber War and Cyber Operation Exclusions (which are discussed below) does address it, by providing an exception to the exclusion for the direct or indirect effect of a cyber operation on a “bystander cyber asset.” That term is defined as “a computer system used by an insured or its third party service providers that is not physically located in an impacted state but is affected by a cyber operation.” An “impacted state” is defined as “any state where a cyber operation has had a major detrimental impact on the functioning of that state and/or security or defense of that state.” Under this language, at least some losses from collateral damage are not excluded — those suffered by an entity in a state that was not heavily affected by the cyberattack.
Updated War Exclusions
Given the many potential open issues described above, insurers may wish to review the treatment of cyberattacks under War Exclusions for all their lines of business.
Standalone cyber insurers have been working on this problem for years, trying to address it fairly, while avoiding the danger of catastrophic aggregation.
They have started to put forth proposals. In a significant effort, in late 2021 the Lloyd’s Market Association released four “War, Cyber War and Cyber Operation Exclusions” (the “LMA Exclusions”). They were designed for use in standalone cyber policies, and attempt to address, and thus provide clarity on, several of the most vexing issues.
Although the LMA Exclusions were designed for standalone cyber insurance policies, several of their concepts and elements merit consideration when reviewing and updating War Exclusions in policies for other lines of business.
The application of War Exclusions is not an exercise involving certainty derived from immutable facts. Rather the determination is a judgment based on an evaluation of often incomplete facts in an uncertain legal context, made by people — claims executives, their legal advisors, and ultimately judges. The coming weeks, months, and years may require many such judgments.