The cyber insurance world is going through a painful process of adaptation as it tries to strike a balance between policyholder expectations and the aggregation risk that a serious act of cyber warfare might pose. The debate has been acrimonious at times, with cyber war exclusions being redrafted and issued in different forms yet remaining vulnerable to criticism that they are unclear or uncertain in their scope. However, until recently, property insurers have generally remained notably quiet about the risks cyber war might pose to their portfolios. Perhaps this is a choice to remain on the side lines until consensus has been reached by cyber insurers, but if so, there is material risk attached to that choice.
Property insurers with war exclusions and comprehensive cyber exclusions may feel confident that either or both exclusions would be sufficient to oust a cyber war claim, should one ever be made. That is a reasonable position but could be a rare one judging by our experience in assessing the cyber exclusions proposed by property insurers for their reinsurance treaties. We do see some complete exclusions, but there are also many writebacks, ranging from sub-limited data reinstatement from backups to more comprehensive “all otherwise covered perils” writebacks. Property insurers thus still have some exposure to cyber risk, and this suggests to us that if no action is taken on cyber war exclusions, property insurers could find themselves covering exactly the cyber war risks that the majority of cyber insurers have excluded.
It is important to remember that the case which provoked much of this debate, Merck & Co Inc. and International Indemnity Ltd. v ACE American Insurance Company and others (NJ App. Div., Nos. A-1879-21 and A-1882-21), was about coverage under a property policy, not a cyber policy. In Merck, the court found that a standard war exclusion would not exclude acts of cyber war but only acts of conventional kinetic warfare.
In the UK, the Court of Appeal’s most recent statement on war exclusions, University of Exeter v Allianz Insurance PLC [2023] EWCA Civ 1484, that a war exclusion can still bite long after a war is concluded, thus excluding damage from a controlled explosion of a Second World War bomb, gives very little comfort on cyber war because that judgment was clearly concerned with conventional weapons and was ultimately decided on concurrent causation. There was no need to reconsider the fundamentals of what it means to exclude losses proximately caused by war and whether that necessarily encompasses the use of cyber weapons.
We recognise that this is a difficult problem and is capable of more than one solution, but it is one whose time has come. The war in Ukraine has shown both the importance of cyber operations to both sides in the conflict and how routine they have become. Just as no-one can guarantee that kinetic warfare will always hit its intended target, cyber warfare cannot be expected to remain always confined to its intended battlefield. Most cyber insurers have recognised the risk; it is time for property insurers to do the same.