London market insurers are working to clarify the war exclusions in cyber insurance policies amid concerns about an increase in state-sponsored cyberattacks.
While progress is being made, there is little consensus on what constitutes modern-day war, and insurers are trying to strike the difficult balance between providing sufficient cover and avoiding financial ruin.
Clause of confusion
The push to clarify cyber war exclusions came largely from the court battles between companies and their insurers over denied claims from the 2017 NotPetya ransomware attack, which several governments have alleged was carried out by Russia. In one well-publicized case, Zurich Insurance Group AG is relying on a war exclusion to avoid paying for damage that U.S. food conglomerate Mondelez suffered because of NotPetya.
These disputes center on claims brought under property policies, and many cyber insurance practitioners argue that specific cyber policies should pay out, and have paid out, NotPetya claims. However, some believe there should be no confusion.
Tom Reagan, U.S. cyber practice leader at Marsh & McLennan Cos. Inc.-owned insurance broker Marsh, said via email that there had already been "considerable misinformed debate" about whether certain cyberattacks would have triggered cyber policies' war exclusions. He added: "Marsh is not aware of any cyber event yet that should qualify as an 'act of war' for purposes of a war exclusion."
Even so, insurance buyers have become wary. Camilla Walker, cyber underwriter at Lloyd's of London insurer Canopius, said in an interview that NotPetya "has caused insureds to really ask the question as to what sort of attack would be covered under a cyber insurance policy."
The issue has become more urgent because of concerns about increasing state-sponsored cyberattacks amid rising tensions between Iran and the U.S.
War exclusions' general purpose is to protect the insurance industry's solvency. A big threat is aggregation — that an event triggers many claims across a wide range of policy types at the same time. Given their highly destructive and destabilizing nature, acts of war are therefore excluded from most standard policies, including cyber covers.
Non-marine war exclusions at Lloyd's are largely derived from NMA 464, a pre-World War II exclusion written in response to the Spanish Civil War, according to the U.K.'s Chartered Insurance Institute. Not only does this old wording fail to account for modern methods of warfare, but it is also "incredibly broad," according to Walker. The NMA 464 wording excludes, for example, loss or damage from "acts of foreign enemies" and "hostilities (whether war be declared or not)."
For the past three to five years, Walker said in an interview, the cyber insurance market's solution has been to use a so-called carve-back — language that reintroduces elements of cover struck out by an exclusion — for cyber terrorism. She added that NotPetya "has led to brokers pushing for insurers to include state-sponsored attacks" within the cyber terrorism carve-back.
William Wright, partner at Paragon International Insurance Brokers, said his company tries to ensure that, in addition to a clear war exclusion, a cyber terrorism carve-back is in place so that there is cover for events where war has not been declared or an attack cannot be attributed.
But although helpful, the carve-back still leaves room for interpretation, Walker said. "The best we can say as at today to a client is: 'The intent is to cover state-sponsored attacks, until they become war.'"
Something for everyone
The problem is defining the line where covered state-sponsored cyberattacks end and uninsurable cyber war begins. Walker said she did not think there was a market consensus, and recalled that when she asked some non-cyber terrorism underwriters, "they struggled to answer when terrorism would become war in the modern world."
The Cyber Business Panel of the Lloyd's Market Association, or LMA, a body representing Lloyd's underwriters, is working on clarifying the cyber war exclusion used in the Lloyd's market. Matthew Webb, the panel's chair and a cyber line underwriter at Lloyd's insurer Hiscox Ltd., said the cut-off point for coverage is when a claim could threaten the industry's solvency, but although insurers can quantify that, the challenge is capturing it in policy wording.
He said in an interview that one approach the panel is considering is introducing thresholds beyond which a particular scenario would be uninsurable. He added that the thresholds were scenario-based rather than financial, but that it was too soon to give precise details.
Work on the exclusion was in its "latter stages" but a broad consensus is being sought, he said. "We have got an opportunity here to make a fairly big change to what we're doing, and we need to get it right."
Canopius' Walker said that while she did not think anyone would view the LMA's proposed approach as a perfect solution, "it is a lot better than where we are at currently."
In addition, despite the natural tension between brokers, who are paid to push for as much coverage as possible, and underwriters, who need to protect their companies' capital, the market is of broadly the same mind.
"It feels like everybody is pulling in the right direction," said Paragon's Wright, while adding that it was a complicated area and "I don't envy the insurers sitting on the LMA panel having to try and come up with something that works for everybody."