Cyber insurers don’t want to pay because war is – economy

As a result of the Ukraine war, a massive row is brewing between insurance companies and an important group of customers. Most companies want to refuse payment in the event of cyber attacks by Russian or Ukrainian hackers on industrial and service companies – because these are acts of war that are excluded from protection according to insurance conditions.

This is met with incomprehension by industry and its big brokers. “If hackers from these two countries want to blackmail companies and only release data again after the ransom has been paid, that is not an act of war per se; the exclusion of war does not apply,” says Essen-based insurance broker Sven Erichsen, who specializes in cyber insurance. “It could at best be that an affected company that wants to pay the ransom would have problems transmitting the money because of the sanctions.”

Erichsen expects major disputes. “With every exclusion, the insurer bears the burden of proof, which means he has to prove that it was part of a military conflict.” But this would not be easy.

Lloyd’s of London is a pioneer among insurers. Even before the war, the insurance market had decided to exclude all state-controlled cyber attacks from cover, not just in the event of war. German companies and those in other EU countries usually follow the British on such issues. Acts of war have not been covered in their policies to date.

This creates a difficult situation for the industry. Industrial insurers such as Allianz Global Corporate & Specialty (AGCS), AIG, HDI and Zurich have recently excluded all cyber damage from their usual fire and liability covers. Customers are told to take out separate cyber cover instead. But this cover is now hard to come by and has become very expensive. Now there is also the possibility of the war exclusion.

The consequences are serious. A cyber attack can start a fire because alarm programs don’t work, can cause a business interruption or even lead to product contamination – for which the manufacturer has to pay compensation. Billions are at stake. If the insurers succeeded in arguing that the attack was an act of war, the injured company would not receive a penny in damages.

So far, the expected large wave of cyber attacks as a result of the war has not materialized. The authorities speak of an “abstract increased threat” for Germany. “Currently, however, there is no acute immediate threat to information security for companies in Germany in connection with the situation in Ukraine,” reports the Federal Office for Information Security (BSI) in Bonn. “Since the start of the Russian attack on Ukraine, there have been few unrelated IT security incidents in Germany, but these have only had isolated effects.”

The attempt by insurers to bring up the risk of war in the event of cyber attacks is nothing new. The US pharmaceutical manufacturer Merck recently had to sue a consortium led by the US company Chubb. Citing the war exclusion, the companies did not want to pay for the more than $1.4 billion in damage that Merck suffered from an attack with the NotPetya malware in the summer of 2017.

Here, too, it was about Ukraine and Russia. After an investigation into the NotPetya attack, US authorities concluded that it was an attack ordered by the Russian military against Ukraine that had gotten out of control.

But in this case, the insurance customer Merck prevailed. In a preliminary partial ruling, the US judges found that the war exclusion applies only to physical acts of war and not to malware attacks.

Even now, after the outbreak of the current war, invoking war exclusions will not be a sure-fire success for insurers. “A Western insurance customer could potentially argue that there has been a war, but not in the jurisdiction in which they reside,” said Paul Malek, cyber expert at law firm Clyde & Co.

The primary purpose of the war exclusion is to protect insurers from massive cyber damage in the countries involved in the war. A Western company that was accidentally affected would therefore not be part of this risk of major damage; it would be collateral damage.

“Another challenge when invoking the war exclusion is that the insurer has to prove that the malware used was a state-controlled attack,” said Malek. However, it will be difficult for insurers to prove this – especially since many semi-public and private actors such as Anonymous are involved in the cyber war.

Broker Erichsen sees it the same way. He can only imagine one case in which the war exclusion applies: “If Putin or a member of the Russian government were to publicly declare, ‘We initiated this attack on the public utility company or Telekom to show you what is possible,’ then that would probably be a case for the war exclusion.”

However, the fact that it is becoming complicated to enforce the exclusion will not prevent insurers from trying. This will keep the courts busy for a long time, very likely well after the end of the war.
