Over the past century, warfare on the battlefield has morphed into warfare over the internet. A war fought in trenches and foxholes is now also fought across the internet and in system networks. The Russian-Ukraine war brings into stark relief the implications of traditional warfare and cyber warfare being fought at the same time, but on vastly different battlefields. While the traditional, kinetic war before Russia and Ukraine continues on the ground and air, threat actors and cyber criminals have accelerated their online hostilities.

In the run-up to Russia's invasion, Ukraine experienced a significant increase in cyberattacks. On a broader scale, the first quarter of 2022 saw a record-breaking increase in cyber threat activities around the world, with one managed service provider noting an 800% increase in cyberattacks since the start of the Russian-Ukraine war.1 Some of the attacks against Ukraine were official military actions by the Russian government and others were unofficial threat actors – cyber-hacking in the apparent name of patriotism or support for Vladimir Putin's government. By way of example, Conti and REvil, two notorious ransomware groups, are known to be associated with Russian intelligence agencies. There is little doubt that this hybrid global war is the new geopolitical landscape.

The conflation of traditional war and cyber war raises a host of new issues and puts a spotlight on a common insurance policy exclusion that previously had received little attention. The "war exclusion," typically found in property and casualty policies but also found in cyberliability policies and other forms of coverage, was originally intended to exclude damage arising out of warlike acts between sovereign and quasi-sovereign entities.2 In determining the applicability of the war exclusion, American courts historically have looked at the issue in one of two ways: (1) had there been a formal declaration of war, or (2) did the circumstances meet the commonly used definition, or interpretation, of "war." As to the latter approach, American courts applied the exclusion in situations where traditional war-like acts between sovereign, or quasi-sovereign, states had taken place. In Pan American World Airways, Inc., v. Aetna Casualty & Surety Company, 505 F. 2d 989 (2nd Cir. 1974), the Second Circuit considered a case involving a Pan Am flight hijacked by persons working with and for the Popular Front for the LIberation of Palestine, in which the passengers lived, but the plane was destroyed. The Second Circuit found that Pan Am's claim under its war risk policies survived the war exclusion. The Court first considered the autonomy of the actors and determined that "war" is a course of hostility engaged in by entities that, at a minimum, have significant attributes of sovereignty. See id. at 1012 ("[W]ar is waged by states or state-like entities and includes only hostilities carried on by entities that constitute governments, at least de facto in character"). Using that assessment, the Court reasoned that the hijackers were the agents of "radical political groups" and not sovereign governments or state-like actors, so the war exclusion did not apply.

That same rationale was applied later in Holiday Inns, Inc. v. Aetna Insurance Company, 571 F. Supp. 1460 (S.D.N.Y. 1983). There, the Southern District of New York refused to apply an exclusion for "war, invasion, act of foreign enemy, hostilities or warlike operations (whether war be declared or not)" to Palestinian and Lebanese sub-national factions' shelling of a Holiday Inn in Beirut. Though the Court recognized that "[t]he Holiday Inn was damaged by a series of factional 'civil commotions,' of increasing violence," "[t]he Lebanese government could not deal effectively with these commotions," and "the country came close to anarchy," such facts were not sufficient to trigger the war exclusion. Id. at 1503. More important to the Court was whether the "constitutional government existed throughout" and whether there was any "intent to overthrow it." Id.  Because there was not, the Court concluded that "there was no 'war' in Lebanon between sovereign or quasi-sovereign states," so the war exclusion could not be invoked.

Cyber Warfare Has Entered the Chat

Fast-forward 50 years, traditional wars are still being waged (see, Ukraine), but cyber warfare has entered the chat. On the cyber front, some threat actors are known to be associated with, or part of, certain nation-states and governments, while others act independently, but often in the name of patriotism and potentially in coordination with a government or sovereign state. Policyholders, insurers and the court continue – and will continue – to grapple with the applicability of the war exclusion in this evolving political landscape. A New Jersey state court recently addressed these issues in a case involving a ransomware attack against pharmaceutical company Merck & Co., Inc. In that case, the court looked at the applicability of a war exclusion in the context of an "all risk" property insurance program that also covered cyber risks (e.g., data damage, business interruption, etc.) In Merck & Co., Inc. v. ACE American Ins. Co.Case NO. UNN-L-2682-18 (N.J. Sup. Ct.), the pharmaceutical company sued its property insurer for losses resulting from a 2017 NotPetya malware cyberattack that crippled Merck's computer systems and caused approximately $1.4 billion in losses. Merck sued for coverage.

The parties agreed that the policies provided coverage for "loss or damage resulting from the destruction or corruption of computer data and software," but the insurers argued that coverage was precluded by the "Hostile/Warlike Action" exclusion, which barred coverage for "[l]oss or damage caused by a hostile or warlike action in time of peace or war . . . by any government or sovereign power . . . or by any agent of such government, power, authority or forces." The insurers contended that the NotPetya malware had been a recognized instrument of the Russian government, used by Russian threat actors in ongoing hostilities against Ukraine, and therefore, the exclusion barred coverage.

Merck argued that the exclusion did not apply because the cyberattack was "not an official state action." Secondarily, Merck argued that a cyberattack is not a "hostile" or "warlike action" under the traditional interpretation of those words.

The New Jersey court "unhesitatingly " sided with Merck. First, the court looked to the traditional interpretation and " ordinary meaning" of "hostile or warlike actions" and determined that the facts did not lend themselves to the interpretation urged by the insurers. The court acknowledged the changing landscape in which wars are being fought but also recognized that hostilities wrought by malware were not unheard of, or unpredicted. The court recognized that "cyber attacks of various forms, sometimes from private sources and sometimes from nation-states, have become more common." As drafters of the policy language, the burden was on the insurers to use the language it wanted to exclude the risks it did not want to bear. The court held that the insurers "did nothing to change the language of the exemption to reasonably put this insured on notice that it intended to exclude cyber attacks" when they "certainly had the ability to do so."

Given the breadth and reach of the NotPetya attacks, the ripple effect has the potential to reshape the interpretation of these types of coverage issues. In Mondelez International, Inc. v. Zurich American Insurance Co., No. 2018 L 011008 (Cir. Ct. of Cook County, Ill.), another NotPetya malware case in which the insurers denied coverage under a similarly worded exclusion, similar issues are being tested in the Illinois courts.

How is the Insurance Industry Responding?

Prior to Merck and Mondelez grabbing the headlines, the insurance industry was already crafting policy language to address this changing landscape. The Russia-Ukraine conflict will accelerate the insurers attempts to tighten – and clarify – language in their exclusions in order to minimize their risks associated with cyber warfare. For example, in November 2021, the Lloyds Market Association proposed four new cyber warfare exclusions, intended to limit coverage for "cyber operations." In these proposed exclusions, the cyber attack would no longer need to be attributed to an actual sovereign state or nation state. Instead, the association between the threat actor and the nation state could be determined by "inference." It remains to be seen whether these proposals will be adopted by insurers and accepted in the market, but if they are, it certainly raises the question as to what risks, if any, are actually being covered by the policies.

In short, the traditional notions of war are quickly shifting and more often being fought in an active cyber environment. One of the angles in the long game of this analysis will be determining on whose behalf threat actors are working. In some instances, certain groups are known associates of nation states and governments (e.g., Conti and REvil and their apparent relationship with the Russian government) and in other instances, cyber activities and criminals take unsanctioned actions on behalf of nation states and governments. When these cyber attacks spillover from a traditional, ground war and move into the cyber realm, the interpretation of the war exclusion will become murky. Corporate policyholders need to be sure that their cyber risks are fully understood and that their expectation regarding coverage are conveyed to the underwriter during their renewal process.

 

These views are the author's own.