A federal backstop for insuring against cyberattacks?

The effects of warfare can be felt well beyond the battlefield. Businesses are interrupted, property damaged, lives lost—and those at risk often seek to protect themselves through insurance. The premiums that insurers charge, however, rarely account for the immense destructive capacity of modern militaries, making wartime claims a potentially existential threat to their fiscal solvency. For this reason, insurance policies routinely exclude “acts of war” from their coverage, leaving it to governmental authorities to decide whether to compensate the victims of such acts while focusing the insurance sector on other, more conventional risks. But what happens when the battlefield moves into cyberspace?

In 2017, the NotPetya cyberattack alone caused an estimated $10 billion of damage worldwide, including $100 million of damage to Mondelez International, a global food conglomerate. But when Mondelez filed a claim for those damages, its insurer, Zurich International, denied them on the grounds that NotPetya was a “hostile or warlike action” by a “government or sovereign power” and thus excluded from the policy’s scope under its act of war exclusion. Mondelez responded by suing for breach of contract, putting it to the Illinois state courts to decide who committed this complex cyberattack and why. Hanging in the balance is not only Mondelez’s claim, but the extent to which the insurance industry can and will provide coverage for various major cybersecurity incidents—an issue of increasing significance to the entire U.S. economy.

The United States faced similar dynamics after the Sept. 11 attacks as the insurance industry wrestled with how to cover damages from catastrophic terrorism. A bipartisan Congress ultimately stepped in, creating a federal backstop for insurers facing such claims while foregoing the use of the act of war and other exclusions. That law, the Terrorism Risk Insurance Act (TRIA), has ensured the availability of terrorism-related insurance coverage while providing the private insurance industry with certainty regarding the outer limits of the financial risks it is undertaking. As Congress weighs renewing TRIA, which expires at the end of 2020, it should seriously consider whether the federal government should play a similar role in stabilizing the insurance industry’s approach to cyberattacks, thereby ensuring substantial coverage before a major cyberattack forces the question.

War risk exclusions

Exclusions for acts of war and related incidents have been a feature of insurance contracts for more than a century, and are designed to protect insurance providers from the crippling financial consequences of large-scale military action. The outbreak and scale of damage caused by armed conflicts can be both unpredictable and severe, making it difficult for providers to set premiums that cover their eventual losses. Many conventional insurance policies just exclude war-related claims. Some providers offer more limited supplemental “war risk” policies that cover these risks in contexts where they are of particular concern, such as in the aviation and maritime industries.

Early act of war provisions were written with conventional interstate warfare in mind. But as new forms of armed conflict emerged, so did novel questions about what activities fall within these exclusions. Do act of war exclusions cover damages arising from wars not formally declared? Or actions by or against rebel movements? As the federal government has generally left the insurance industry to the states to regulate, these questions have generally been put to various state and federal courts to answer, with input from government agencies, industry organizations, and other parties. This frequently resulted in diverse and unpredictable outcomes, particularly in the short term as courts engaged in dialogue with each other and worked toward consensus on an appropriate approach.

Insurance providers are often at a disadvantage in these debates, as they usually bear the burden of proof for showing that an exclusion applies as well as any risk arising from ambiguities in an insurance policy’s terms, so long as they played the lead role in drafting it. As a result, insurance providers concerned about war-related exposure responded to these debates over the act of war exclusion by adapting their own provisions to expressly exclude more contingencies. This led to inclusive provisions like the one at issue in the Mondelez case, which excludes “hostile or warlike action in time of peace or war … by any … government or sovereign power (de jure or de facto) … [or] agent or authority” thereof. Such breadth ensures that insurance providers do not unintentionally omit acts of war whose risk they do not wish to assume. But it also lends itself to novel interpretations that have, in turn, facilitated efforts to invoke these exceptions in an increasingly diverse array of circumstances over time.

Insurance and cyberwarfare

Cyberactivity is a predictable next step in this evolution. As its role in the global economy has grown, so has the demand for related insurance coverage: Direct written premiums for cyber-related coverage reached $2 billion in 2018, twice the amount written in 2015. Many general insurance policies now include coverage for some damages arising from certain cybersecurity incidents, such as data loss. At the same time, governments have increasingly used cybermeasures as tools of national policy, including as part of military operations. And the common use of terms like “cyberwar” and “cyberattack” raise questions of whether the rules of warfare, including the act of war exclusion, might apply, even if the cyberactivities at issue have little to do with any conventional armed conflict.

While state laws sometimes impose certain requirements, there is no standard format for act of war exclusions. Instead, courts interpret their terms in line with the understanding of the parties, as informed by conventional usage and industry standards. Like the exclusion in the Mondelez case, most focus on “hostile or warlike action[s]” by a “government or sovereign power[.]” This sets out two threshold inquiries in determining whether a given claim falls within the exclusion’s scope, both of which pose unique challenges in a cyber-related context.

The first is whether the damages can be attributed to a state actor. There are already several examples of foreign states targeting private companies with cyberattacks, including North Korea’s 2014 hack of Sony Pictues Entertainment in retribution for its production of a film that satirically portrayed an attempt to assassinate North Korean leader Kim Jong-Un. But attribution remains a signature challenge in addressing cyberactivity. The U.S. intelligence community has noted that the attribution of cyberactivity often “requires weeks or months of analyzing intelligence and forensics” and can result in analyses whose “accuracy and confidence . . vary depending on available data.” Insurance providers are likely to encounter even greater difficulties given their lack of access to classified information and other governmental resources. In many cases, this leaves room for disagreement and uncertainty regarding the responsible party.

One solution might be to defer to governmental authorities on questions of attribution, but this is easier said than done. No sovereign nations, including the United States, are obligated to publicly attribute all cyberattacks. When a nation does so, it often reflects not only that nation’s evaluation of the available facts, but also other relevant foreign relations concerns. For this reason, relying on governmental attribution would make insurance outcomes contingent on the vagaries of international politics, an unpredictable factor unrelated to the policies or damages at issue.

The second inquiry that act of war exclusions raise—whether a given cyber-related incident constitutes a “hostile action” or “act of war”—can be equally problematic. Where not defined expressly in an insurance contract or relevant state laws and regulations, courts generally interpret such contract terms in line with the intent and understanding of the parties, as informed by conventional usage and specialized industry standards. One recent court decision determined that the terms “warlike action” and “warlike operation” have a specific meaning in the insurance context, namely “operations of such a general kind or character as belligerents have recourse to in war.” But does this include cyberactivities, particularly those that nations may also pursue in peacetime for political, economic, or other purposes?

No U.S. court has directly weighed in on this question. When evaluating whether other sorts of activities constitute hostile acts, courts have generally focused on whether the act in question was “due directly to some hostile action, military maneuver, or operational war danger” distinct from the sort of risks that the affected parties might encounter in peacetime. Proximity to a theater of combat and occurrence during wartime have been relevant, as has the motivation of the governmental actor engaging in the cyberactivity and its relationship to the strategic interests nations pursue through warfare. All told, the answer requires careful fact-specific analysis that may vary significantly depending on context.

Where does this leave cyberwarfare and the act of war exclusion? For the exclusion to apply, courts are likely to require both attribution to a foreign government and a nexus to an ongoing international armed conflict, or at least the sorts of strategic interests that nations usually pursue through military means. Cybercrime and many other activities in cyberspace fall short of these thresholds, even where state-sponsored. So, for example, North Korea’s suspected 2017 cybertheft of $81 million from Bangladesh’s central bank would likely not be subject to an act of war clause, as it has no nexus to an armed conflict.

But other cyber-related incidents might—including NotPetya. The United States and other countries have taken the unprecedented step of publicly accusing Russia of deploying NotPetya, providing strong support for attribution. Most believe that it was originally deployed as part of Russia’s conflict with Ukraine before spreading unpredictably to other victims, providing a nexus to an armed conflict. Mondelez and other non-Ukrainian NotPetya victims are arguably the cyber equivalents of collateral damage in an attack on a third party—a type of claim generally included within the scope of act of war exclusions.

This possibility combined with the factual ambiguity surrounding many cyberattacks leaves ample uncertainty regarding the applicability of the act of war exclusion, undermining both the price and availability of insurance coverage. Clearer legal standards could mitigate this, but they are unlikely to be forthcoming from the courts anytime soon due to the fact-dependent nature of the issue, the diverse jursidictions in which litigation will take place, and the high rate of settlement. Some insurance providers are likely to respond to this uncertainty and the risk of large-scale attacks like NotPetya by amending their policies to expressly exclude more sources of large-scale cyber-risk, further limiting the availability of coverage. The resulting shortage in effective cyberinsurance coverage—both real and perceived—may inhibit economic activities where such risk is unavoidable. And in the event of a major NotPetya-like cyberattack, the result could be that policyholders left unexpectedly without protection in the face of catastrophic financial losses.

A backstop for catastrophic cyberattacks

The United States wrestled with a similar scenario following the Sept. 11 attacks. While there were initially widespread concerns that insurance companies would attempt to use the act of war exclusion to avoid covering individuals claims’ for damages arising from the attacks, the insurance industry quickly disavowed any such intent. As insurance policies came up for renewal, however, providers began to introduce new terrorism-specific exclusions out of fear that more catastrophic terroism was on the horizon and had the potential to bankrupt the industry. Simultaneously, the demand for terrorism insurance increased sharply as businesses sought to mitigate terrorism risks. The result was a market failure that, in the words of then-Treasury Secretary Paul O’Neil, “threaten[ed] [U.S.] economic stability” if left unresolved—and thus required a federal response.

That response was TRIA, which Congress enacted into law with overwhelming bipartisan support in 2002. Through TRIA, the federal government committed to afford insurance providers with a backstop against large-scale, catastrophic losses from eligible acts of terrorism, curbing the outer limits of these providers’ liability while requiring that they take a smaller, first-loss position. This backstop only applied to claims that met certain loss thresholds and were consistent with a statutory definition for terrorist attack that excluded “acts of legitimate warfare,” and made the secretary of the Treasury Department the arbiter of whether terrorism would be excluded from TRIA-backed insurance coverage as acts of war. In exchange, Congress obligated providers of TRIA-eligible insurance to expressly include terrorism in the scope of their policies, thereby preventing market disruptions and ensuring broad availability.

Originally seen as a temporary solution, TRIA has been extended several times due to ongoing concerns that insurance markets have not yet found ways to adequately price coverage for catastrophic terrorism. This reflects a seemingly enduring political consensus that the federal government has a role to play in providing a backstop against losses from terrorism. Yet it has also never been used, as not even high-profile incidents—such as the Boston Marathon bombing—have been certified as acts of terrorism by the secretary of the Treasury Department. Nonetheless, by leaving the basic structure of the law intact, Congress continues to mitigate the outer realm of possible risks associated with terrorism—even as it has repeatedly raised the thresholds for federal involvement, thereby shifting more risk back to the private sector.

TRIA could serve as a valuable model for bringing stability to cyberinsurance markets. From an insurance perspective, cyberattacks share many similarities with terrorism, including their unpredictability, correlatedness, and potentially large-scale damages. A TRIA-like hedge against catastrophic cyber-related losses could help ensure that insurance providers remain willing to cover losses from cyberactivities even in the face of major cyberattacks—something that is likely essential to the stability and growth of our increasingly digital economy. The certification process would place the federal government in the role of determining whether cyberattacks qualify as acts of war outside the scope of the program and related insurance policies. This would reduce the uncertainty surrounding when the exclusion might apply and place the burden of investigating and attributing cyberattacks on the federal law enforcement and intelligence agencies best equipped for that mission.

Congress will start the debate over whether to extend TRIA again later this year. Most expect it to do so. Congress should use this opportunity to openly consider similarly modernizing the approach to insuring against cyberwarfare. While there are trade-offs—including increased federal involvement in an area generally left to the states, more financial risk to taxpayers, and possible tensions between the federal government’s certification role and other policy responses it may consider—providing a federal backstop for insurers with clear guildelines as to when coverage should be provided could offer the cyberinsurance market with structure and certainty that insurers and policyholders can depend on—even in the face of large-scale, state-sponsored cyberattacks like NotPetya. Having this debate and establishing a framework before the United States faces a catastrophic cyberattack puts us ahead of the curve. We may not be able to predict when or where the next cyberattack will come, but we can establish a system to ensure Americans have adequate protection when it arrives.