23 December 2018

Cyber insurance - not worth the paper it's printed on?


Cyber-crime and cyber-attacks are amongst the biggest threats facing UK, and worldwide, businesses, and reports would suggest they are on the rise. In August 2018 over 215,000,000 records were leaked, including data from a Chinese hotel chain affecting up to 130,000,000 customers. In the UK the NHS was effectively crippled by the “WannaCry” ransomware attack in May 2017 which locked computers, encrypted files and demanded a payment in BitCoin. WannaCry attacks were directed at Russia’s Interior Ministry and the international shipper FedEX and Spanish telcom company Telfonica were among other high-profile targets.

In December 2017, the US and UK laid the blame for the attacks on North Korea. Governments used to be cautious about attribution in cyber-attacks but it is becoming increasingly common.

Increased Need For Coverage


An apparent increase in the proliferation of cyber-attacks which are alleged to be state sponsored raises some serious questions with regards to war and terrorism exclusion clauses in cyber insurance policies.

War exclusion clauses in insurance policies typically exclude coverage for acts of war; including but not limited to invasion, revolution and acts of terrorism. As most insurance companies would struggle to remain solvent if an act of war presented them with a deluge of claims, these exclusions are used in a multitude of insurance policies. Entities in areas faced with a significant risk of an act of war can purchase a separate war risk insurance policy, however this is rare in the generally peaceful UK and Europe, at least in the sense of ‘traditional’ acts of war.

Is Insurance Effective?

However, in the situation where state-sponsored cyber-attacks are a much greater risk, including in peaceful areas, to what extent is insurance against cyber-attacks effective? Could it be that these issues are declared as acts of terrorism?

An act of terrorism is defined under the Terrorism Act 2000 Section 1, under S1(2)(e) an action “designed to influence the government or an international governmental organisation…and the use or threat is made for the purpose of advancing a political, religious, racial or ideological cause…and it is designed seriously to interfere with or seriously disrupt an electronic system”. This definition would potentially cover many attacks, especially taking into account the S1(4)(a) which states that “action includes action outside the United Kingdom”

However, an insurer seeking to rely on an exclusion in a policy subject to English law would need to prove on the balance of probabilities that the loss fell within the ambit of the exclusion. This could present difficulties given that frequently a party will not claim responsibility for an attack, particularly state-sponsored attacks, and the state where the attack took place will not publish all the evidence relating to the event, merely its conclusions that an attack has taken place.

A case in point involves Russia’s alleged hacking of Democrat emails during the 2016 US election, which the FBI has reported did occur, but which the US President has continued to deny. An arbitral panel sifting through competing claims and limited evidence, may find it difficult to decide whether an exclusion applies.

Similarly, whilst it may be possible to infer what the motives of a hacker are from the known facts, for example in relation to the attacks on the Organisation for the Prohibition of Chemical Weapons, it is highly unlikely that there will be any direct evidence from the alleged hackers. This could be especially problematic if it’s necessary to decide whether a particular act was an act of terrorism or merely a hack for commercial purposes, which is perhaps less likely to be excluded.

Nevertheless, from a policyholder’s point of view, a policy which excludes state sponsored attacks is of questionable worth, given that this is perhaps the area of greatest risk. Ideally an insured would be able to agree with insurers that any such exclusions are removed or, at the very least, negotiate so that the wording of an exclusion is as limited as possible.

No comments: