Insurers and insureds alike agree that clear policy wording will be the path forward in dealing with concerns about cyber war in the wake of the Russia-Ukraine conflict. This isn’t the first time in recent history that reworking policy language has been top-of-mind for the insurance industry, either.
“The pandemic has shown some ambiguities can exist in traditional policy wordings,” said Jürgen Reinhart, chief underwriter for Cyber at Munich Re. “All of this underlines the importance for insurers to have clear wordings that are fit for purpose.”
The structure of that policy language, however, is something on which insurers and insureds have struggled to find common ground.
These challenges recently came to light during the COVID-19 pandemic, which served as a wake-up call for the insurance industry in terms of how it approaches cover for non-damage business interruption (NDBI), wrote Alastair Speare-Cole, president and general manager of insurance for QOMPLX, in an article for Carrier Management at the beginning of last year.
This is because federal and state measures were enacted starting in March 2020 to reduce the spread of COVID-19, and with stay-at-home orders in place, many businesses sought compensation from their insurers under their business interruption policies. RiskGenius CEO Chris Cheatham and MIT Researcher Bryan Wilson wrote about this in a series of articles for Carrier Management, investigating the link between stay-at-home orders and numbers of business interruption insurance coverage lawsuits by state.
The insurance industry has largely denied most of these claims, citing virus-related exclusions, but this has led to an ongoing conversation about unclear policy language and even lawsuits being filed against insurers. Now, the industry is facing a similar challenge regarding the Russia-Ukraine conflict as the threat of cyber war looms.
“War is a prime example of a systemic risk that cannot be controlled and, therefore, needs to be excluded due to its ruinous potential,” Reinhart said. “Typically, war is excluded in all major lines of business. This is true also for cyber insurance.”
Munich Re is one of several insurers that have been rethinking cyber war exclusionary language on the back of what’s happening in Ukraine. Reuters reported in April that the insurer is planning new wordings in cyber insurance policies to exclude war and avoid disputes over what is covered.
“Munich Re has been very active in forcing clear and effective, more standardized cyber war exclusions,” Reinhart said. “This would be beneficial to all stakeholders.”
AXIS Insurance is another insurer that has been paying close attention to the recent rhetoric around cyber war exclusions. Pete Vogt, the company’s chief financial officer, said in its first-quarter 2022 earnings call that the company feels good about the war exclusion in its cyber policies given the current landscape.
“We think it’s one of the best out there,” he said.
Dan Trueman, the company’s head of global cyber and technology, told Carrier Management that while war exclusions vary, AXIS is confident that its own is “clear and effective.”
“Internally and externally, we continue to prioritize ensuring clear understanding around the terms of our exclusions, be that relating to war or infrastructure exclusions, and the importance of putting in place minimum standards across our book,” he said.
The Lloyd’s Market Association has also been working to clarify its policy language around cyber war exclusions, recently releasing four model clauses to exclude coverage for acts of war from cyber insurance policies.
“I mean, assessing risk situations is our core business,” Lloyd’s Chief Financial Officer Burkhard Keese told Carrier Management in an April interview. “You need to do this in a really structured way. You need to ask what lines of business could be impacted by war.”
Similar to what has played out during the pandemic, however, insurers are once again facing pushback from policyholders regarding exclusionary language.
“When something catastrophic is happening, that’s when you’re supposed to be covered by your insurance, and then they come out and say, ‘Oh, well, we can’t pay for all this. It’s too expensive,’” said Peter Halprin, partner at law firm Pasich LLP. “So, what’s the point, right? It’s the same thing that policyholders are saying with the pandemic. [They’re saying], ‘I thought I bought business interruption coverage. My business was interrupted, and [the insurers are telling me] it’s not covered.’”
Some have said this could further a lack of trust between insurers and policyholders at a time when the industry is already struggling with reputational risk.
“What we haven’t done well in COVID is that we haven’t shown enough leadership as Lloyd’s and as an industry,” Keese said. “There are systemic losses, but the BI [business interruption] cases in the UK and in Australia were not entirely helpful for our brand.”
Has the insurance industry learned from the pandemic in time to apply these lessons to recent concerns about cyber war? Halprin isn’t sure.
“I think that insurers have a difficult task ahead of them because if they want to take a hard line on cyber crime and cyber incidents where things are murky, I think they risk shooting themselves in the foot on growing this market,” he said. “You want to encourage people into this market. You want to show that the product actually covers what it’s supposed to cover, and you want to give people confidence. To tighten exclusions and to raise costs and to increase deductibles and do all the things that we’re starting to see in the marketplace—those are mixed signals for consumers.”
Alexandra Roje, partner at law firm Lathrop GPM, echoed these thoughts, challenging the industry to think differently about coverage exclusions in the face of disaster or risk repeating the same cycle with policyholders again and again.
“The cyber terror risk is real, but this really is part and parcel of the insurance business in that when they see a risk that they maybe didn’t anticipate, and they recognize that there’s coverage there, this is what happens,” she said. “It happens every time.”
The insurance industry, though, has remained firm that unprecedented disasters such as the COVID-19 pandemic and any potential act of cyber war are simply too big to insure.
“As was mentioned in our most recent earnings call, war exclusions have been in place across our cyber book for a long time and are one of the key tools we use to manage individual risk exposure and exposure to systemic risk,” Trueman said.
Jon Bateman, a senior fellow in the cyber policy initiative of the Technology and International Affairs Program at the Carnegie Endowment for International Peace, said on a recent episode of Insurance Journal’s Insuring Cyber Podcast that exclusions could be especially helpful to the industry now as insurers are facing an unprecedented level of disruption.
“This outbreak of cyber war, if it does occur, is happening at the worst possible moment in financial terms for an industry that’s been pummeled by ransomware and more broadly by COVID and inflation and natural disasters around the world,” he said. “At a time of hardening cyber insurance markets, an outbreak of cyber war is in some ways the worst nightmare for insurers and reinsurers and could be a historic challenge to the marketplace.”
Reinhart agreed, adding that risks related to war should instead be taken on by the public sector.
“Given that war is generally considered uninsurable, the risk needs to be retained by the economy,” he said.
Bateman said that a government backstop is one solution that could have positive implications for the insurance industry. For policyholders, government backstops can step in when insurance coverage runs out during a catastrophic incident, he said. Insurers struggling to find the line between insurable and uninsurable incidents can benefit, too, he added, knowing coverage up to a certain limit could be supported by additional capital in the marketplace.
“I see it as a potential win-win,” he said, noting that the government likely would step in to assist in the face of a truly catastrophic incident of cyber war anyway.
“If we see a true cyber catastrophe on the order of a hundred billion or more losses or insured losses in one country, the government is going to step in, regardless of whether there’s any scheme in place in advance,” he said. “We’ve seen this with Hurricane Katrina, with wildfires. If there’s a huge catastrophe that devastates a locality or a broad sector of society, the Congress or another legislature will just need to come in and have some kind of emergency assistance. COVID is another example of that.”
Lack of Uniformity
Although the insurance industry can draw similarities between the threat of cyber war and pandemic-related challenges, there are some key differences. Insurance Services Office forms providing a template for virus exclusions added some clarity for COVID-related business interruption claims, but one big problem in the case of cyber war is a lack of uniformity.
“There is no ISO form,” Halprin said. “You’re seeing tremendous variations in language. I think it makes it hard for the industry as a whole to kind of wrap its arms around this issue and say, ‘Here is our definitive war exclusion that we’re all going to use.’”
What’s more, Bateman said affirmative or standalone cyber insurers have different incentives for enforcing their exclusions than property/casualty insurers or those facing silent cyber coverage.
“Ambiguous policy language can also result in legal actions,” said Gerry Glombicki, senior director in Fitch’s U.S. insurance group.
Bateman added this creates a whole new set of challenges as different jurisdictions will have different precedents for settling these actions. That said, Glombicki maintained most policy wordings will be clear enough to exclude a formal declaration of war.
“Policy wording can differ across policies and insureds, but generally speaking, a formal declaration of war is likely to trigger the war exclusion that is present in most insurance policies,” he said.
Perhaps just as big of a challenge as unclear policy language is a lack of clarity around how cyber attacks are attributed, experts said.
“It’s a fine line between state-sponsored and just rogue attacks,” Roje said. “It’s just hard to tell, and I think that’s really the key issue.”
Regarding the situation in Ukraine, this means it can be difficult to determine where cyber losses are stemming from, Keese said. “Were they coming from war or political violence?” he said. “War is excluded. Political violence is not excluded. Therefore, you need to go through the thousands of [policies] you have and really assess where is the exposure and are losses reported.”
Even the term “cyber war” itself brings ambiguity, according to Bateman.
“‘Cyber war’ is one of those commonplace terms that is bandied around a lot by casual news coverage or even professionals, but it really lacks a clear definition,” he said. The term “cyber war” can mean one of two things, Bateman explained. It could serve to define a nation-state attack in which one government hacks into another country in a way that is so damaging it is considered an act of war, or it could mean two countries are at war in a physical sense and cyber operations become a part of that war, similar to what’s happening now with Russia and Ukraine.
“It’s very hard in this environment to attribute events or vet the claims that are being made publicly, and it’s easy to jump to conclusions if there is some kind of cyber disruption that it must have something to do with the conflict in Ukraine,” he said. “So, the term ‘cyber war’ is very vague and unclear, and the reality of cyber war is very vague and unclear as well.”
Once again, this challenge could likely fall on the courts, Glombicki said, which presents its own set of difficulties. “One of the main challenges in a cyber attack is attribution of the attack,” he said. “Absent a credible admission by a sovereign nation, attribution would be left to the courts to decide, which is historically difficult.”
Likelihood of Cyber War
Despite talk about the heightened risk of cyber war given the conflict in Ukraine, what is the likelihood that it could actually happen?
The answer is, again, unclear.
“As is always the case in insurance, it would definitely depend on a number of specific factors,” Bateman said. “So, we have to admit that no one really knows the exact likelihood.”
That said, Bateman said he believes the risk is greatly heightened right now.
“U.S. government has said in most of these warnings that there is no specific credible threat at this time against the United States, but that just means that we don’t have specific intelligence warning,” he said. “I personally believe that the threat of cyber attacks against U.S. infrastructure and other large-scale cyber disruptions in the United States is greatly, greatly elevated right now—maybe the highest that it’s been in history, actually.”
Jake Olcott, vice president of government affairs at cybersecurity ratings company BitSight, said this means companies, including insurers, need to recognize that cyber risk is real even for companies that aren’t intended targets.
“In the past, a company or an organization would say, ‘Well, it wasn’t an attack targeting me and, therefore, I was able to avoid damage or harm,’” he said. “In the last five years, we’ve really realized just how integral the supply chain actually is to our own ability to do business. At this point, every attack—even an unintended attack on an organization—should be considered a direct impact if it affects our supply chain.”
Glombicki said that for insurers seeking to mitigate cyber risk, standalone cyber is more transparent than packaged cyber policies and that disciplined underwriting is imperative.
“Disciplined underwriters have a long-term advantage over carriers that have naïve capacity or a short-term focus,” he added.
One positive development Olcott has observed as the cyber insurance industry has matured is that carriers are starting to learn how to model cyber risks and gather data to understand how these could affect their portfolio.
“I think that data and analytics are increasingly playing a very important role in bringing awareness,” he said. “I think that there’s a lot more to do in this space, but I think data and analytics are increasingly driving that conversation forward.”
However, as is always the case in cyber, the risks remain ever-changing no matter how much preparation is done. “I’ve been working in cybersecurity for more than 15 years,” he said, “and the thing that you always thought was going to happen,…it doesn’t quite happen like that.”
With this in mind, he said the most important thing for insurers to do is to be ready to respond quickly when an incident happens by understanding the risk areas within their own software and third-party vendors, as well as collaborating with insureds to identify problem areas.
“One of the problems that insurers have is that you can kind of stimulate the risk, but nobody’s 100 percent certain about where the next risk is coming from,” he said. “That is increasingly becoming the name of the game in cybersecurity. There’s always going to be another SolarWinds, another Microsoft Exchange, another Log4J. These incidents will persist, likely for eternity, but the ability to build a security program that can rapidly identify and respond to these things is going to be the difference between experiencing a significant material incident and not.”
(This article is one of several from Carrier Management’s second-quarter 2022 print magazine that are focused on emerging risks for P/C insurance carriers.)