Perspective: A Federal Backstop for Insuring Against Cyberattacks?

Published 1 October 2019

The effects of warfare can be felt well beyond the battlefield. Businesses are interrupted, property damaged, lives lost—and those at risk often seek to protect themselves through insurance. The premiums that insurers charge, however, rarely account for the immense destructive capacity of modern militaries, making wartime claims a potentially existential threat to their fiscal solvency. Scott R. Anderson and Aaron Klein write in Lawfare that for this reason, insurance policies routinely exclude “acts of war” from their coverage, leaving it to governmental authorities to decide whether to compensate the victims of such acts while focusing the insurance sector on other, more conventional risks. But what happens when the battlefield moves into cyberspace?

In 2017, the NotPetya cyberattack alone caused an estimated $10 billion of damage worldwide, including $100 million of damage to Mondelez International, a global food conglomerate. “But when Mondelez filed a claim for those damages, its insurer, Zurich International, denied them on the grounds that NotPetya was a ‘hostile or warlike action’ by a ‘government or sovereign power’ and thus excluded from the policy’s scope under its act of war exclusion,” Anderson and Klein write. “Mondelez responded by suing for breach of contract, putting it to the Illinois state courts to decide who committed this complex cyberattack and why. Hanging in the balance is not only Mondelez’s claim, but the extent to which the insurance industry can and will provide coverage for various major cybersecurity incidents—an issue of increasing significance to the entire U.S. economy.”

Anderson and Klein add:

The United States faced similar dynamics after the Sept. 11 attacks as the insurance industry wrestled with how to cover damages from catastrophic terrorism. A bipartisan Congress ultimately stepped in, creating a federal backstop for insurers facing such claims while foregoing the use of the act of war and other exclusions. That law, the Terrorism Risk Insurance Act (TRIA), has ensured the availability of terrorism-related insurance coverage while providing the private insurance industry with certainty regarding the outer limits of the financial risks it is undertaking. As Congress weighs renewing TRIA, which expires at the end of 2020, it should seriously consider whether the federal government should play a similar role in stabilizing the insurance industry’s approach to cyberattacks, thereby ensuring substantial coverage before a major cyberattack forces the question.