The Blame Game: Can Cyber Crimes Fall Under the War Exclusion?

We’ve all been cautioned not to click on unfamiliar links, to delete suspicious emails, and to otherwise safeguard against unknown hackers. Cyber attacks have risen in the past decade, developing into a trillion-dollar industry for cybercriminals that sat as the No. 1 global business risk for 2022.¹

As a result, cyber-specific insurance has become one of the fastest growing segments for U.S. property and casualty insurers. Traditional CGL and property policies have also seen a rise in cyber claims. But regardless of whether a policy affirmatively addresses cyber coverage, one issue to consider for any cyber claim is whether the attack arose out of a broader international dispute, and if so, whether the war exclusion may apply.

Historical War Exclusions

War exclusions in insurance policies are not novel. For example, ISO’s Commercial Property Causes of Loss forms have long included an exclusion for war, military action, and government action.² Such form language can exclude coverage for physical loss or damage directly resulting from “warlike action” by a government or sovereign nation “using military personnel or other agents.”³ Other similar exclusions may reference “hostile or warlike action” by a government, sovereign, or “agent” of the same.⁴

Often, war exclusions will turn on whether the act can be attributed to a government or sovereign state. If so, it is much easier to designate the act as one of war. But unlike traditional warfare, where the disputing parties are named in headlines worldwide, hackers and cybercriminals make their living by remaining undercover. Cyberattacks can be next to impossible to attribute to anyone with complete certainty—particularly so for the most sophisticated (and costly) schemes.
So, what happens if a cyberattack accompanies an act of physical war? Or if a government sanctions or authorizes attacks by hackers supporting or opposing an ongoing war? Does this constitute “warlike action”?  Most war exclusions haven’t been updated to specifically address cybercrimes, so the answer is every attorney’s favorite: it depends.

The Merck Dilemma

One court has actually addressed the issue of whether a war exclusion applies to a cyberattack. In Merck v. Ace American, the insured made a claim to its property insurer for an estimated $1.4 billion in losses after the costly NotPetya cyberattack invaded its computer systems.⁵ The NotPetya malware, unleashed on the eve of Ukraine’s “Constitution Day,” infected and locked systems worldwide because of malicious code that infiltrated through accounting software. It also knocked out Ukraine’s energy grid. Merck’s insurers argued the war exclusion applied because the U.S. and other western nations all attributed NotPetya to Russia’s campaign against Ukraine. But the New Jersey Superior Court declined to apply the war exclusion, finding it had been historically applied only to physical acts of war. In doing so, the court did not consider whether NotPetya was the result of Russian action or otherwise related to the war. On May 1, 2023, the New Jersey appellate court affirmed, finding the exclusion did not apply and the insurers had not shown NotPetya was a “hostile” or “warlike” action as contemplated by the war exclusion, “regardless of whether the attack was instigated by a private actor or a ‘government or sovereign power.’”⁶ It remains to be seen whether the Merck defendants will appeal to the New Jersey Supreme Court.

Notwithstanding the current posture of Merck, the applicability of the war exclusion is far from resolved. Ultimately, that issue could hinge on whether a government or sovereign nation bears responsibility for the attack—and whether the insurer can prove it.

Who’s to blame?

If applying the war exclusion to a cyberattack does come down to identifying the actor behind it, how can that be proven?

For widespread attacks, government agencies may investigate and, ultimately, point fingers. Following NotPetya, the U.S., U.K., Canada and Australia all officially blamed Russia.⁷ Six Russian intelligence officers were charged.⁸ But although Russia’s fault was widely accepted by western nations, the technical evidence supporting these conclusions will likely never be publicly available for use by private litigants. And it is highly unlikely the CIA, the NSA, or the like will testify about their findings. Similarly, a third-party subpoena to the suspected government isn’t a real possibility either. For its part, the Kremlin denied the NotPetya accusations, calling them “unsubstantiated and groundless” and part of a “Russophobic campaign.”⁹

But even governmental determinations of fault aren’t foolproof. Political pressures may dictate who is publicly blamed, particularly when one government may not be willing to publicly blame another. Or, a country may be incentivized to blame another to exaggerate its ability to identify attackers as a deterrent against future attacks. 

Even if the attackers can be narrowed down to one country, there is the added hurdle of establishing that the attack was executed by (or on behalf of) the government, as opposed to a private vigilante citizen. Cyberattacks executed on behalf of the state but without the state’s knowledge likely wouldn’t be characterized as state action or act of war. But it may prove difficult for certain nations to play dumb: since the dispute between Russia and Ukraine began, both sides reportedly have recruited cyber actors to hack their adversaries.¹⁰

Looking Forward

Although the future of court rulings on specific war exclusions is up in the air, changes to exclusionary language can be made now to attempt to address these uncertainties. For non-cyber policies not intended to provide cyber coverage, a broad cyber exclusion could resolve the issue. In policies providing cyber coverage, modernized war exclusions can specifically address cyberattacks. For instance, Lloyd’s Market Association did just that in November 2021, by publishing four new model war exclusion clauses for cyberinsurance policies.¹¹ All four model clauses state that the “primary but not exclusive factor” when determining attribution would be based on whether the government of the jurisdiction where the cyberattack occurred has attributed the event to another country.

At the end of the day, until cyber crimes are more commonly addressed in exclusionary language, courts across the county will inevitably continue to face an influx of lawsuits concerning the applicability of war exclusions to cyberattacks.