The recent high-profile indictments of Chinese military personnel accused of hacking and economic espionage directed at US companies in the nuclear power, metals and solar products industry sectors have placed a spotlight on the risks presented by state-sponsored cyber attacks.
Facing such potential attacks, organizations are advised to consider whether, and to what extent, their cybersecurity insurance policies would cover such attacks.
Unfortunately, state-sponsored cyber espionage resulting in the theft of a company’s intellectual property “crown jewels” via advanced persistent threat (APT), or otherwise, realistically is not a loss that is covered by current cybersecurity insurance policies. On the other hand, an organization that has purchased cybersecurity insurance may have extremely valuable coverage for state-sponsored cyberterrorism that results in, for example, liability arising out of the theft or compromise of personally identifiable information (PII) or protected health information, distributed denial-of-service (DDoS) attacks or the transmission of malicious code, as well as for cyberterrorism that results in loss of business income and/or loss or corruption of the organization’s own digital assets.
But, as with so many things, the devil is in the details.
Rather than assuming that cyberterrorism is covered, cybersecurity insurance policies should be carefully reviewed to determine the scope of available coverage. One important provision to consider during review is the policy “war” and/or “terrorism” exclusion, which exists in some form in virtually all cybersecurity policies. Although the policy wordings can vary quite dramatically, even among policies underwritten by the same insurer, by way of illustration, one cyber insurance policy contains the following version of a “war” exclusion:
This policy shall not cover Loss in connection with a Claim made against an Insured:
*****
alleging, arising out of, based upon or attributable to any:
***
strikes or similar labor action, war, invasion, act of foreign enemy, hostilities or warlike operations (whether declared or not), civil war, mutiny, civil commotion assuming the proportions of or amounting to a popular rising, military rising, insurrection, rebellion, revolution, military or usurped power, or any action taken to hinder or defend against these actions[.] (emphasis added)
Insurers may contend that this or similar language excludes cyber attacks that originate from foreign nations or that are under the auspices of foreign governments. The trouble is, as amply illustrated by the recent indictments, many cyber attacks originate from, or are at the direction of, foreign governments.
Therefore, policyholders are advised to seek to identify and avoid such exclusionary language–perhaps even more so if the organization is a potential critical infrastructure target, including organizations in the chemical, communications, manufacturing, defense, financial services, energy, healthcare, and information technology sectors, among others.
Some policy language, moreover, arguably goes even further than the above-quoted language and excludes, for example, acts committed for “ideological or similar purposes.” By way of illustration, one policy form contains an “act of terrorism” exclusion and defines “act of terrorism” relatively broadly to include:
an act, including but not limited to the use of force or violence or the threat thereof, of any person or group of persons, whether acting alone or on behalf of or in connection with any organization or government, committed for political, religious, ideological or similar purposes including the intention to influence any government or to put the public, or any section of the public, in fear.
An insurer may contend that this language extends to a data breach, DDoS attack or other cyber attack by a group such as Lulszec, Anonymous or a similar “hacktivist” group. To put a finer point on this, Verizon’s 2014 Data Breach Investigations Report found that “under two out of every three web app attacks were attributable to activist groups driven by ideology and lulz.”
Again, policyholders should avoid broadly-worded “terrorism” exclusions. Fundamentally, it should not matter who precipitated a cyber attack. The coverage should apply irrespective of whether the actor was a state-sponsored group, a U.S, or foreign organisation, the tech-savvy teenager across the street, a disgruntled (or careless) present or former employee, or another actor.
Importantly, many insurers are willing to add carve-back language to “war” or “terrorism” exclusions to make clear that exclusions do not extend to cyberterrorism. For example, an endorsement offered by one insurer expressly states that the “war” exclusion “shall not apply to actual, alleged or threatened Cyberterrorism.” The endorsement defines Cyberterrorism to include:
the premeditated use of disruptive activities against any computer system or network, or the explicit threat to use such activities, with the intention to cause harm, further social, ideological, religious, political or similar objectives, or to intimidate any person(s) in furtherance of such objectives.
In addition, a number of insurers now offer affirmative coverage for certain losses caused cyberterrorism. One London market form, for example, expressly offers network interruption “Cyber Terrorism Coverage,” which covers, among other things “income loss” resulting from the failure of a computer system that “is directly caused by an act of terrorism,” which is defined to include “an act, including but not limited to the use of force or violence and/or the threat thereof, of any person or group(s) of persons, whether acting alone or on behalf of, or in connection with any organization(s) or government(s), committed for political, religious, ideological, or similar purposes including the intention to influence any government and/or put the public, or any section of the public, in fear.”
By appreciating the potential issue and negotiating coverage accordingly, policyholders can avoid insurer attempts to rely upon war or terrorism exclusions to avoid their coverage obligations.
Roberta Anderson is a partner in the Pittsburgh office of K&L Gates LLP. She has represented insureds in connection with a broad spectrum of insurance issues and disputes arising under many kinds of insurance coverages, including general liability, commercial property, business interruption, data privacy and “cyber”-liability, directors and officers (D&O), errors and omissions (E&O), and employment practices liability. In addition to assisting clients in maximizing their current insurance assets, Anderson provides strategic advice on complex underwriting and risk management issues, including the drafting and negotiation of data privacy, cyber liability, technology E&O, and D&O insurance coverage. Anderson can be reached at [email protected] or 412.355.6222.
