‘Act of War’ exclusion could deny claims for cyber-security attacks: McCarthy Tétrault lawyer

Claim payouts are 1.5 times more than premiums; Russian invasion of Ukraine exacerbates problem

Insurers are losing money on cybersecurity-related insurance products and have used the “act of war” exclusion in many policies to deny their customers payment on claims. This development is significant given Russia’s invasion of Ukraine and use of cyberwarfare, panelists told attendees at a recent McCarthy Tétrault webinar.

“I think insurers have and will continue to make use of the act of war exclusion to deny coverage related to cyber security policies,” said Emmanuelle Poupart, a litigation partner with the firm’s Montreal office.

Poupart noted that cyber coverage is a “relatively new product,” and underwriters have “underestimated the cyber risks out there.” As a result, Poupart said, she has heard that “for every dollar paid in premiums on this insurance, $1.50 is being paid out in claims.”

If one looks at the number of cyber-attacks and expenses related to these attacks, “there has been a rise in claims, and therefore premiums are rising,” Poupart added. She pointed to cyber insurance rates rising by 130 percent in the U.S. and 92 percent in the United Kingdom.

In addition, insurers have been tightening the underwriting criteria and putting additional controls in place before awarding cyber insurance policies.

As for the act of war exclusion, Poupart said that these sorts of caveats on policies have been in place for decades. “It was to safeguard insurers from events so catastrophic that they could go bankrupt trying to pay all the claims.” However, she said, while it is easy to spot physical damage caused by war, cyber-attacks are more difficult to associate with warfare.

One example Poupart pointed to is the malware that prevented Windows from booting up, with the attacker demanding payment in Bitcoin from the victim to regain access. In 2017, a variant of this malware was used in a global cyber-attack, primarily targeting Ukraine, though it spread worldwide, causing an estimated US $10 billion in damage.

Many governments and researchers alleged that the Russian government was behind the attack, so when some U.S. companies presented claims to their insurers, the insurers denied them based on the act of war exclusion, arguing the cyber-attack was a “hostile” or “warlike” act.

The insurers “argued that the malware used in the attack was an instrument of the Russian government as part of its ongoing hostilities with Ukraine.” Poupart added that some insurers had been sued, with some decisions pending and others now under appeal.

U.S. courts have said that in some cases, the act of war exclusion clause did not include cyber-attacks, telling insurers that if they genuinely wanted these attacks to be part of the exclusions, the wording in the contracts should be more specific.

“The application of this act of war exclusion in cyber security cases will depend on the wording, and it will also depend on the facts of the case and the insurers’ ability to prove that the government or their agents did it,” Poupart said.

In some markets, there are now cyber war exclusion clauses to ensure there won’t be any coverage. “We are also seeing insurers change the wording of their exclusions to target cyber-attacks.” There are also more questions about two-factor authentication, phishing training for staff, response plans, email filtering and intrusion detection systems to better understand the company’s cybersecurity capabilities.

In painting a picture of how Russia’s invasion of Ukraine has impacted cybersecurity, Daniel Tobok, chief executive officer of Cytelligence Inc., told webinar attendees that the war had created more “constant change and conflict” amongst perpetrators of cyber-attacks in both countries.

“We’re now seeing operators basically turning on each other, leaving groups and joining other groups because of infighting,” he said. “The only good news in this unfortunate situation is that it actually has resulted in a decrease of attacks against Western countries.”

However, this is only temporary, Tobok said. “I think it’s just a matter for them to mobilize and find new ways to perpetrate their crimes.”

Guillaume Clément, a cyber security partner at KPMG Canada and President of Egyde Inc., agreed that the problem of cyber-attacks for financial gain or geopolitical reasons might only increase as perpetrators get more sophisticated. “These groups will step up their game, and we’re going to see new types of attacks and approaches.”

John Boscariol, head of McCarthy Tétrault’s international trade and investment law group and a partner in the litigation group, noted that the extensive sanctions imposed on Russia by many companies have also complicated how to deal with cyber-attacks.

“A number of bad actors who may be involved in ransomware attacks are on sanctions lists,” and “once you are on a sanctions list, Canadian entities may not do business with them,” he said.

“So certainly, payment of a ransom to someone who may be on a sanctions list would be a problem under sanctions laws. The question could also come up if making a ransomware payment involving a sanctioned financial institution.”