Cyberattacks on corporate networks are on the rise, and the ramifications from such an attack can be financially devastating. Recent benchmarking data shows that the number of material cyber breaches at large businesses increased by 20.5% from 2020 to 2021, with cybersecurity budgets across various industries aimed at preventing breaches jumping 51%.[1] Although companies are continuously trying to adjust to rapidly evolving security risks by developing protocols to prevent and respond to these attacks, 29% of the CEOS and CISOs and 40% of chief security officers admit their organizations are unprepared, citing “weak spots primarily caused by software misconfigurations (49%), human error (40%), poor maintenance (40%), and unknown assets (30%).”[2] 

While companies can try to stay one step ahead of the bad guys, cyberattacks are increasingly being launched by sophisticated state-sponsored actors. One of the most notorious state-sponsored cyberattacks in recent years involved the launch of malware known as “NotPetya” in 2017 – one of the most destructive malware ever deployed – which caused over $10 billion in losses to businesses around the world. NotPetya was derived from “Petya,” a highly destructive ransomware deployed in 2016. The U.S. government has blamed Russian security services for the attack (though Russia denies these accusations).[3] In subsequent years, FIN7 and other nation-state actors have continued to test cyber defenses, causing billions of dollars in damage.

Businesses suffering cyberattacks emanating from state-sponsored entities may have insurance coverage for their losses, but the scope of coverage available can vary dramatically depending on the amount of coverage purchased and the terms and conditions of their policies.  In response to the growing incidence of state-sponsored cyber attacks, many insurers reflexively return to boilerplate “war exclusions,” arguing that cyberattacks perpetrated by state-sponsored entities in support of nefarious activities trigger exclusions for war or armed conflict.  The obvious problem with this argument is that war exclusions were originally drafted to protect the insurance industry against systemic risks associated with armed conflict involving widespread property damage and were not designed to address exposures relating to cyberspace.  Nevertheless, some insurers have attempted to avoid coverage for cyberattacks involving state-sponsored entities.  Those efforts have been met with mixed success.  

For example, in Merck & Co. v. ACE American Insurance Co., Merck & Co. sued its insurers who denied coverage under an all-risk property insurance policy for the billions of dollar in losses the company incurred in a 2017 NotPetya malware attack, after the attack rendered tens of thousands of devices and other hardware worthless. Merck’s insurers claimed that because the malware attack was allegedly attributable to Russia’s military intelligence agency (deployed as part of its conflicts with Ukraine), coverage was excluded pursuant to the policy’s “acts of war” exclusion. However, in 2022, the New Jersey Superior Court sided with Merck, ruling that Merck’s insurers could not rely on the war exclusion because that exclusion was intended to apply to losses resulting from an armed conflict. As the court reasoned, because the insurers did not modify the standard war exclusion to put companies like Merck “on notice” that cyberattacks would not be covered, the insurer it could not now disclaim coverage.[4] As a result, the court found that Merck was entitled to receive $1.4 billion in coverage. The Merck & Co. decision is currently on appeal.

Litigation before the Cook County Illinois Chancery Court recently involved similar arguments in Mondelez International v. Zurich American Insurance Co. In that case, Mondelez International sought coverage under its property policy for over $100 million in damages incurred following a NotPetya malware attack.[5] The insurer argued that a war exclusion applied, given its language that there would be not coverage “for hostile or warlike action in time of peace or war, including action in hindering, combating or defending against an actual, impending or expected attack by any: (i) government or sovereign power[.]” Before this case was tried, but after the decision in Merck, the parties settled for an unspecified amount.  

In response to the Merck & Co. decision and the unsurprising reluctance of courts to apply war exclusions to cyberattacks, the insurance industry is responding – not only by increasing premiums and limiting capacity, but also by adding new exclusions. Just a few months after the Merck & Co. decision, Lloyd’s of London issued a market bulletin in August of 2022 addressing cyberattack losses arising from attacks “sponsored by sovereign states” that may occur outside the traditional wartime context, mandating that new exclusions be added to all standalone cyberattack policies issued by Lloyd’s of London insurers.^[6]  These additional exclusions:

1. Exclude losses arising from war (whether declared or not);
2. Exclude losses arising from state-backed cyberattacks that:
   • significantly impair the ability of a state to function; or
   • that significantly impair the security capabilities of a state;
3. Must be clear as to whether cover excludes computer systems located outside any stated affected by the state-back cyberattack; and
4. Must set out a “robust basis” by which the parties can agree on how state-backed cyberattacks will be attributed to one or more states.

Lloyd’s has mandated that these exclusions be implemented for all policies otherwise covering cyberattacks, including at renewals, beginning March 31, 2023. Market observers anticipate that some Lloyd’s syndicates may go further and add broad form state-sponsored exclusions to their policies. While the Lloyd’s market guidance does not apply to insurers domiciled in the United States or Bermuda, given the importance of the Lloyd’s market to the global insurance market, Lloyd’s actions may prompt similar actions from other insurers this year.

In light of the market’s response to cyberattacks emanating from state-sponsored entities and the likelihood that new exclusions will be added to all Lloyd’s policies beginning next month, all policyholders should review their cyber, property, and other policies to determine which of those may afford them cyberattack coverage. Policyholders should carefully review wartime and act-of-war exclusions in their policies carefully with their brokers and coverage counsel to determine if the language of these policies might limit coverage for state-sponsored attacks. In addition, Lloyd’s impending application of state-backed exclusions on March 31, 2023 should serve as a warning to policyholders of potential forthcoming changes, not only to new policies but also to existing policies upon renewal. Policyholders should work carefully with their brokers and coverage counsel to review cyber and property policies to determine whether new exclusions that could negate coverage for state-sponsored cyberattacks have been added to their policies and negotiate exceptions and carve backs where possible. 

[1] See findings from ThoughtLab’s 2022 cybersecurity benchmarking study, Cybersecurity Solutions for a Riskier World. This study analyzed the cybersecurity strategies and results of 1,200 large organizations across 14 different sectors and 16 countries, representing $125.2 billion of annual cybersecurity spending. https://thoughtlabgroup.com/cyber-solutions-riskier-world/

[2] Id.

[3] See Dustin Volz, U.S. blames Russia for crippling 2017 ‘NotPetya’ cyber attack, Thomson Reuters, Feb. 15, 2018, https://www.reuters.com/article/uk-britain-russia-cyber-usa-idUKKCN1FZ2W4.

[4] N.J. Super. Ct. No. L-002682-18 (Jan. 13, 2022).

[5] 2018 L 011008, Cook County Chancery, Ill.

[6] https://assets.lloyds.com/media/35926dc8-c885-497b-aed8-6d2f87c1415d/Y5381%20Market%20Bulletin%20-%20Cyber-attack%20exclusions.pdf