What War Exclusions Mean in a Cyber Policy
Following Russia’s invasion of Ukraine on February 24, 2022, warnings of anticipated cyberattacks sounded – and for good reason. In 2017, the destructive NotPetya malware emerged, targeting Ukraine, and eventually spread beyond its borders, causing significant damage and disruption worldwide. Among the malware’s victims were a global law firm and a mega pharmaceutical enterprise.
NotPetya malware was designed by a government to harm another government as an act of war. Prior to NotPetya, the war exclusion could be found in most stand-alone cyber insurance policies; however, NotPetya was the impetus for further discussion regarding the application of the war exclusion as it relates to cyber events. As a result, the exclusion provides insurers with an avenue to exclude coverage for loss arising from cyberattacks, cyber espionage and cyber sabotage brought about by war or hostile acts.
While the language varies by insurer, most cyber insurance policies include war exclusion language that generally states that coverage will not apply for loss arising out of acts of war.
Prior to Russia’s invasion, Russian-based cyberattacks and server infections were already documented worldwide. Targets included government agencies, banking and financial industries, energy sectors and healthcare systems.
In light of recent events, the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) continue to warn U.S. businesses and those of allied nations to be extremely diligent with cybersecurity. In addition to being tagged for collateral damage, NATO countries in particular are anticipated targets for cyber espionage, Distributed Denial of Service (DDoS), ransomware and wiperware (also known as pseudo-ransomware, in which the victim’s systems data is decimated, not just encrypted).
Since those warnings, the cyber conflict has escalated among Russian-linked criminal gangs, as well as with hacker collectives such as Anonymous and armies of volunteer technophiles such as Ukraine’s 400,000 counter-attackers, many of whom have banded together against a common target, the Russian government, with the common goal of disrupting its operations and the ongoing war against Ukraine. As we learned from NotPetya, anyone can fall victim to an attack, even if they are not the intended target.
The reality is the global community, regardless of industry or size, is at risk because of this conflict. Get more information in our FAQ on cyber war exclusions and carve-backs.
