The war exclusion has received a lot of attention over the past year, particularly since Russia invaded Ukraine in February. Policyholders’ concern that insurers will assert the exclusion as a basis to deny coverage is increasing in light of recent coverage litigation and the potential that cyberattacks emanating from Russia would have serious financial consequences. The war exclusion is in a moment of possible flux, as insurers consider changes that could increase its scope.

The exclusion has been common in property/casualty policies for decades and is also in almost every cyber insurance policy. It typically eliminates coverage for losses caused by “hostile or warlike action” from a nation state or its agencies, or by military forces. The war exclusion in cyber insurance policies often includes an exception that restores coverage for “cyberterrorism.”

Insurers have recently invoked the exclusion to attempt to avoid providing coverage for losses under property insurance policies arising from Russia’s 2017 NotPetya cyberattack against Ukraine. That attack spread beyond Ukraine’s borders and caused widespread damage to computer systems.

A New Jersey state court recently rejected an insurer’s reliance on a war exclusion in a property insurance policy, under which the insured had sought coverage for losses caused by the NotPetya cyberattack in Merck Co. Inc. et al. v. ACE American Insurance Co. et al.

Pharmaceutical giant Merck alleged that it suffered over $1.4 billion in losses because of the NotPetya attack, which it contends affected over 40,000 of its computers worldwide and hit its production. Insurers and reinsurers on its $1.75 billion property policies denied coverage for the losses based on the war exclusion, alleging that the attack was carried out by Russian agents intending to cripple Ukraine’s financial sector and then spread worldwide. They argued the attack was carried out while Russia and Ukraine were engaged in war, and as such, it was an act of war. Merck countered that the attack was a form of ransomware, which was not excluded by the policy. Although the United States and the United Kingdom accused Russia of being involved in the attack, the Russian government has called the accusation groundless.

The court agreed with Merck that the term “hostile or warlike action” means a traditional war between two or more nations involving “hostilities between armed forces.” The court also noted that “[n]o court has applied a war (or hostile acts) exclusion to anything close to” a malware attack. Ruling for Merck on a motion for partial summary judgment, the court concluded that the insurers did nothing to change the language of the exemption to reasonably put the insured on notice that they intended to exclude cyberattacks.

While Merck might be appealed, it raises the question of how courts will interpret war exclusions found in cyber insurance policies, which are expressly intended to cover losses resulting from cyberattacks. There is almost no case law on this topic. To date, cyber insurers have assured policyholders that they intend to narrowly construe the war exclusion, as they are required to do. However, Russia’s war against Ukraine may bring the issue to the fore if it leads to another event like NotPetya.

A few months before Russia invaded Ukraine, the Lloyd’s Market Association introduced four model clauses designed to exclude, to a greater or lesser extent, coverage for war risks from cyber policies.

Clause 1 is the most restrictive and would exclude losses directly or indirectly occasioned by, happening through, or in consequence of war or a cyber operation. “War” is defined as the use of physical force by a sovereign state against another sovereign state, and “cyber operation” is defined as the use of a computer system, by or on behalf of a sovereign state, to disrupt, deny, degrade, manipulate or destroy information in a computer system of or in another sovereign state. In other words, it purports to exclude coverage for losses “indirectly” caused by either a physical war or cyberattack “by or on behalf of” a sovereign state.

Clause 2 is the next most restrictive and would allow coverage, subject to sublimits, for losses due to cyber operations that: (1) are not retaliatory operations between China, France, Germany, Japan, Russia, the U.K., or the U.S.; and (2) do not have a “major detrimental impact” (not a defined term) on a sovereign state’s security, defense or essential services.

Clause 3 provides the same coverage as Clause 2, but without the sublimits.

Clause 4, which provides the most coverage, offers the same coverage as Clause 3 and also covers the effects on “bystanding cyber assets” — defined as a computer system used by the policyholder or its third-party service providers, that is not physically located in an impacted sovereign state but is affected by a cyber operation.

One aspect of all these exclusions that is particularly worrisome is that they would give the insurer the right to determine whether a cyber operation was “indirectly” carried out “by or on behalf of” a sovereign state. The language potentially could result in exclusion of coverage for attacks in which the victim was not the intended target and the actor merely claims to be acting for the benefit, or in support of, a state rather than being directed by the state.

The exclusions state that the primary factor the insurer will use in making this determination is whether the government of the sovereign state in which the affected computers are physically located attributes the cyber operation to another sovereign state or those working on its behalf, which is obviously subject to political pressures or whims. Prior to a state making such an attribution, the insurer may draw an “objectively reasonable” inference as to whether the cyber operation was carried out by or on behalf of a sovereign state.

As a result, whereas the law generally provides that exclusions are to be construed narrowly and the insurer has the burden to prove they apply, these changes would effectively reduce the insurer’s burden to drawing a mere “objectively reasonable inference” that the exclusion applies.

When the war exclusion was first developed, it was obvious which country fired the bullet or dropped the bomb that caused physical damage. These days, as revealed by LMA’s struggle to reduce the insurers’ burden of proof, it is often unknown who conducted the attack and/or what their motive was.

Questions of identity and motive are irrelevant to the cyber policy’s insuring agreement. The policies are supposed to pay for losses policyholders suffer as a result of a cyberattack, regardless of who did it and why. From a policyholder’s perspective, a ransomware attack launched by a group that claims to support Russia’s war in Ukraine is no different than an attack by a group that claims no affiliation or motive. In both cases, the policyholder must figure out how to unlock its machines and keep its business operating.

This was the animating rationale of Queen Insurance Company v. Globe & Rutgers Insurance Company, dating back to World War I. The case arose out of the collision of two merchant ships traveling at night without lights because of submarine attacks. The U.S. Supreme Court reasoned that the collision could have happened at any time, not just as a result of war, even though the ships were blind to each other because of prior submarine attacks. Subsequent cases have picked up on this rationale in rejecting insurers’ reliance on the war exclusion.

Such reasoning should have even more force today, when often the only known fact is that there was an attack, but the identity of the attackers and their motives remain shrouded in mystery or are at best uncertain. The policyholder’s experience of the attack and losses stemming from it will remain the same, whether the attack was done to support a war, merely conducted during a war, or was simply the work of thieves.

Tyler C. Gerking is a partner and member of the insurance recovery group at Farella Braun + Martel LLP in San Francisco. He can be reached at [email protected].