Cyberattack is an act of war or Why your cyber insurance will not pay!

Published by: Dr. Ross Federgreen, CIPM, CIPP/US, CIPP/G, CIPP/E, CIPP/C, Fellow, European Privacy Association, Fellow of Information Privacy

In an article published in the New York Times on Sunday, April 21 titled, “Cyberattacks Reveal an Insurance Gray Area” by Adam Satariano and Nicole Perlroth, the authors   explain an important legal battle that is currently raging between major companies and various cyber insurance providers. Namely, that insurance companies are refusing to pay cyber attack claims based upon the act of war exclusion.

Currently there are multiple cases of this being pursued in the courts. These cases have expanded globally and include cases in the United Kingdom, Canada as well as the United States. Insurance companies involved include Zurich, Hiscox and others. John Farley of HUB International Limited and Greg Podolak of Saxe Doernberger & Vita, recently published a white paper titledThe Cyber War & Your Cyber Insurance Policy: Are you Covered? With cyber attacks now at the top of liability concerns for companies of all sizes, cyber insurance is a necessity. However, it is crucial to know what your cyber insurance policy does and does not cover.

Farly and Podolak explain that “many of these cyber policies contain specific terrorism and war exclusions. As a result, gaps in cyber insurance coverage can exist.” Government departments such as the DOD, DOJ, DHS and the terrorism risk insurance act have created separate definitions of “war” and “terrorism.” This makes determining coverage disputes increasingly difficult when a policy excludes acts of “war” and “terrorism.” To put it simply, a cyber attack could be considered an act of “war” or “terrorism” under one definition, voiding the cyber insurance policy. However, when using a different definition of “terrorism” or “war,” a cyber attack could be defined as what President Obama once referred to as “cyber vandalism,” in which the losses from the attack would be covered.

Lastly, “The Terrorism Risk Insurance Act (TRIA) is a government program designed to provide a backstop for reinsurance in the event of large terrorism-related losses (more than $100 million)” which further complicates the ‘act of war exclusion.’

Although, it is impossible to prevent all cyber attacks it is an absolute that failure to maintain the highest standards and practices will only increase the likelihood that various cyber insurance policies may be void based upon multiple levels of exclusion including those related to failure to act to prevent an event in the first instance.

No company can risk the loss of cyber insurance coverage and therefore the severe financial consequence of an insurance claim being voided. Or in the alternative failure to obtain or maintain appropriate cyber insurance coverage because of lack of documented preparedness.

Utilizing the complete suite of CSR products including Readiness, Breach Reporting Service and the new V3 offerings will help fulfill your cyber insurance underwriting criteria and legal requirements. Therefore, to increase your likelihood of a successful cyber insurance claim be sure that you understand and fulfill the requirements of your policy.