Is malware war? Are losses arising from malware excluded from your property insurance policy?
These are questions businesses should consider. There are, of course, policies specifically written to cover cyber breaches and other data security incidents. But, these types of policies are, indeed, different from property policies. Even if both types of policies contain similarly named/titled terms, conditions, and exclusions, they intend to cover different risks and their language can be different.
Some recent cyber incidents have given rise to an examination of cyber losses under property coverage and provide a reminder that a good risk management program keeps the differences between property and cyber coverage in mind. Business leaders must consider the specific language of their insurance policies before assuming what is covered and what is excluded because, in the end, the specific language of each insurance contract will control any dispute over a claim.
The Evolution of Property Policies
Today’s common property insurance policies developed from insurance originally designed to protect property owners from the risk of fire. That is, they were designed to cover damages to an insured’s physical property against a specific type of loss. Imagine a fire sweeping through a 19th-century warehouse. While the scope of risks covered by most property insurance policies has expanded and the language of the policies' terms has evolved, the fact remains that the purpose of property insurance is to pay for first party losses due to the physical damage or loss of tangible property - for example, a company that experiences a loss of a building and other property, such as machinery, due to a fire, tornado, or a truck crashing through the front door should look to its property insurance for coverage. Another evolution of property policies is that they typically now cover the cost of business interruption due to the necessary suspension of business activities tied to direct physical loss of or damage to covered physical property.
Insureds should not, however, expect coverage under a property policy to cover the loss of electronic data, even if that property policy will cover most cyber risks including the cost to replace computer hardware damaged due to an accident. Although some property policies may not contain a specific cyber exclusion, insureds should not rely on a property policy to cover data loss because that loss likely will not satisfy the threshold policy requirement – physical damage to tangible property. The significant difference between the coverage for computer hardware versus the loss of data on a computer system is that the computer hardware is tangible property whereas the electronic data is not.
Cyber Policies
Nineteenth century risks continue to exist today, and insureds continue to need first party property insurance to protect their property wherever it may be found. But risks related to cyber are a very recent development, and present both first party loss issues as well as liability risks. Insurers have responded with products that focus on the cyber risk as a whole. Scores of insurance companies now issue cyber insurance policies to cover the risks that property policies do not intend to cover.
Cyber policies can insure against a variety of risks, including the disclosure of confidential information held by the insured, the costs of responding to regulatory proceedings and lawsuits related to a data breach, fees/penalties that credit card issuers impose on businesses as a result of the loss of credit card information, breach response costs, business income loss due to a data security incident, ransomware demands, and the cost of replacing electronic data, software and files, etc. Conversely, cyber policies generally do not cover the type of damage to property described above, i.e. physical damage to tangible property. Separate problem, separate product.
In this respect, property insurance and cyber insurance do not compete with each other. They are intended to co-exist and work in tandem to cover different losses even if the different losses occur as a result of the same triggering event. Brokers and policyholders may want to consider purchasing property and cyber policies from the same carrier as a single insurer may be more likely to design separate policies to work together and avoid gaps.
Hostile Acts Exclusions
Just as the language of insurance policies has evolved to cover and adapt to today’s risks, the language of policy terms, conditions and exclusions has evolved. Likewise, because property policies and cyber policies are intended to cover different types of losses, the language of their exclusions can be different even where both types of policies have similarly titled exclusions. Beware of exclusion titles (official or otherwise) as they may be misleading.
For example, the Hostile Acts exclusion, which was originally (and sometimes still is) called a War Risks exclusion, has evolved since the early property policies. Many cyber policies also have a similarly named exclusion, but its terms are often different than those in the property policies.
The evolution of the Hostile Acts exclusion has received attention recently in the wake of the NotPetya cyberattacks in mid-2017 and the resulting insurance coverage disputes. NotPetya struck in June 2017, just before Constitution Day, when Ukraine celebrates its independence. Originally, NotPetya was an attack on the Ukrainian government and has been attributed to the Russian military. Indeed, the U.S. and U.K. governments were sufficiently convinced of its Russian military origin and intent that, in response to NotPetya, they have instituted sanctions against the Russian government and certain entities and individuals related to the Russian government. At first, experts thought NotPetya was a ransomware attack, but later the experts realized that, instead, the files infected with the NotPetya malware were not recoverable. NotPetya is a type of malware sometimes referred to as a “wiper” because it destroys data. The experts concluded, therefore, that the developers of NotPetya were not financially motivated. Unfortunately, NotPetya spread from its original target to other computer systems across the world due to its indiscriminate design.
Among the high profile companies impacted by NotPetya were shipping giant Maersk, pharmaceutical maker Merck, and food conglomerate Mondelez International. In the case of Merck, it filed a lawsuit in New Jersey against dozens of its property insurers seeking coverage in connection with the attack. Merck had separate cyber coverage and the insurers that issued those cyber policies have been paying claims, but Merck is also seeking additional coverage under property policies. It is unclear whether Mondelez had cyber insurance to cover its losses, but it too sued its property insurer, Zurich American Insurance Company. Among other things, these policyholders are claiming business interruption damages as a result of NotPetya.
The defendant property policy insurers in both cases have taken a consistent position – the losses sustained by the insureds are excluded under the property policies due to the Hostile Acts exclusion. (This is a position taken by insurers across the industry to these losses.) Much of the reporting on these coverage disputes has been sloppy and often outright inaccurate. For example, some outlets characterize the insurance coverage disputes as losses under cyber insurance even though the policies at issue are property policies.
As mentioned above, there is a common exclusion in most property policies, originally called the War Risks Exclusion. One fairly standard property policy excludes losses due to “war, including undeclared civil war.” See ISO CP 10 30 06 95 (1994). Other property policies have different language in their Hostile Acts exclusions. For example, another common policy provision reads:
“This policy excludes loss or damage directly or indirectly caused by or resulting from any of the following regardless of any other cause or event, whether or not insured under this policy, contributing concurrently or in any other sequence to the loss:
hostile or warlike action in time of peace or war... by any:
(i) government or sovereign power (de jure or de facto);
(ii) military, naval, or air force; or
(iii) agent or authority of any party specified in i or ii above.”
This exclusion is broader than what one might imagine, if only the title “War Risks exclusion” or “Hostile Acts exclusion” were considered.
Some have commented that the original War Risks exclusions were intended to apply only to armed physical conflicts. That is an accurate representation of the original intent, but the original exclusion’s intent is not the test when considering the meaning of the modern exclusion language. Just like the original property policies evolved to cover more risks than fire, exclusionary language has also evolved. The above-quoted exclusion is not limited to armed conflicts in a declared war zone. It does not depend on whether a single bullet was fired or that the loss occurred to an insured who was the target of the hostile action. Just like collateral damage in a conventional war would be excluded, damage caused to a business from indiscriminate malware targeting the Ukraine could very well be excluded. While the doctrine of “reasonable expectations” will likely be raised by policyholders, courts have consistently held that the doctrine of reasonable expectations does not give judges a license to rewrite the actual express terms of a policy.
These Hostile Acts/War Risks exclusions are common in property insurance and, indeed, they are necessary. The exclusions have been approved by regulators and upheld as valid by courts. Among other things, the Hostile Acts exclusion protects the financial health of insurers by preventing them from becoming responsible for the coverage of large, correlated risks that inflict abnormal, widespread losses. Correlated risks are those emanating from one source. And those kinds of risks require careful consideration because they destroy risk spreading and the law of averages used by insurers to properly predict and price risk. A well-planned cyberattack can strike the entire connected world and fits into the underlying concerns of correlated risks.
Cyber policies often have similarly titled Hostile Acts exclusions, but the specific terms can be quite different from those in a property policy. Unlike property policies, there is no standardized cyber policy wording and, therefore, there is no standardized Hostile Acts exclusion. However, one major difference between the Hostile Acts or War Risks exclusions found in property and cyber policies is that the exclusions in cyber policies typically do not extend to cyberterrorism and state-sponsored cyberattacks. That is, cyber policies will often have a War Risks exclusion, but there is an exception to the exclusion for cyberterrorism, i.e. losses from those causes may be covered. Moreover, some cyber policies’ “War Risks” exclusion will be limited to “kinetic” war. Again, this is distinguishable from the Hostile Acts exclusions discussed above.
Companies looking to protect against risks associated with our modern-day technology, including malware originating from a nation-state actor towards another nation-state, should work with their risk managers and a trusted broker to understand their particular risks and which types of policies fit their needs, and they should not forgo purchasing cyber insurance based on a misplaced assumption that property insurance will cover their IT/cyber-related losses.