ARGUMENT: Cyber insurance

War, Terrorism, and Catastrophe in Cyber Insurance: Understanding and Reforming Exclusions

Published 6 October 2020

Insurance is one of the most promising tools for addressing pervasive cyber insecurity. A robust market for insuring cyber incidents could, among other things, financially incentivize organizations to adopt better cyber hygiene—thereby reducing cyber risk for society as a whole. But cyber insurance is not yet mature enough to fulfill its potential, Jon Bateman writes, and endless lawsuits hamper its effectiveness. Reforms and new solutions are sorely needed.

Jon Bateman writes for the Carnegie Endowment that cyber insurance is not yet mature enough to fulfill its potential, partly due to uncertainty about what kinds of cyber risks are, or can be, insured.

He adds:

Uncertainties in cyber insurance came to a head in 2017, when the Russian government conducted a cyber attack of unprecedented scale. Data-destroying malware called NotPetya infected hundreds of organizations in dozens of countries, including major multinational companies, causing an estimated $10 billion in losses.[1] NotPetya showed that cyber risk was greater than previously recognized, with higher potential for “aggregation”—the accumulation of losses across many insurance policies from a single incident or several correlated events.

NotPetya also exposed a serious ambiguity in how insurance policies treat state-sponsored cyber incidents. Some property and casualty insurers declined to pay NotPetya-related claims, instead invoking their war exclusions—long-standing clauses that deny coverage for “hostile or warlike action in time of peace and war” perpetrated by states or their agents.[2] War exclusions date back to the 1700s, but they had never before been applied to cyber incidents.

This novel use of the war exclusion, still being litigated, has raised doubts about whether adequate or reliable coverage exists for state-sponsored cyber incidents. Some observers have asked whether such incidents are insurable at all, given the potential for aggregated cyber losses even more catastrophic than those of NotPetya.[3] And while the war exclusion has attracted the most attention, another exclusion—for terrorism—presents similar challenges to cyber claims.

He concludes:

Three years after NotPetya, it is still unclear how insurance can or should cover state-sponsored cyber incidents and other large-scale cyber risk. This fundamental uncertainty continues to inhibit the development of robust, socially beneficial cyber insurance markets. New frameworks are needed. Developing and implementing these frameworks requires laying a strong intellectual foundation, bringing more stakeholders into the conversation, and publicly airing fresh ideas to stimulate critique and debate.