Today’s political climate is rife with reminders about the importance of data privacy and cybersecurity. According to the World Economic Forum’s 2017 Global Risks Report, the greatest technological risks facing the world include large-scale cyberattacks and massive incidents of data fraud and data theft. And it’s no secret that companies can lose millions of dollars, and the loyalty of their customers, when their data is stolen. It is thus increasingly important for companies, large and small, to obtain adequate insurance coverage to protect against these risks. But are all cyberattacks covered under your policy, and what happens if a cyberattack is considered an act of war? The answers depend, and they could make the difference in your company’s survival.
Most companies today maintain Commercial General Liability (“CGL”) coverage, which protects your business from financial loss, broadly providing defense and indemnity coverage for claims of bodily injury and property damage. But whether your CGL policy will protect your business from cyberattacks and data theft is not always clear. In addition to it depending largely upon the facts of the case, state courts addressing the issue have been inconsistent. While some courts have found that coverage exists (see e.g., Travelers Indem. Co. of Am. v. Portal Healthcare Solutions, LLC, 644 Fed. Appx. 245 (4th Cir. 2016) (discussed further here); Eyeblaster, Inc. v. Federal Ins. Co., 613 F.3d 797 (8th Cir. 2010)), others have denied claims for data breach under CGL policies (see e.g., Zurich American Insurance Co. v. Sony Corp. of America, No. 651982/2011 (N.Y. Sup. Ct. Feb. 24, 2014); Recall Total Info. Mgmt. v. Fed. Ins. Co., 147 Conn. App. 450 (Conn. App. Ct. 2014)). Given this jurisdictional uncertainty—and the fact that the standard CGL ISO policy form and many CGL polices in general have been amended in recent years to contain exclusions for data breaches and cyberattacks—many companies have fittingly turned to specific cyber liability coverage to fill the gaps. Cyber liability policies, also referred to as “cyber risk,” “information security,” and “privacy” policies, typically cover a variety of liability and property losses that may result when a business engages in electronic activities, such as selling on the Internet or collecting data within its internal electronic network. Most cyber liability policies offer some combination of traditional liability coverage protecting against claims by third parties, and first-party coverage protecting against losses suffered by the insured. Such policies are commonly used to cover a business’s liability for a data breach in which customers’ personal information is exposed or stolen.
Unfortunately, cyber policies often feature various broadly worded exclusions that can limit or preclude coverage. Some commentators have suggested that the so-called war risk exclusion might be a viable means for insurers to exclude coverage for cyber risks. Both CGL policies and cyber liability policies generally exclude coverage for “acts of war” or “warlike activity.” Whether or not a particular cyberattack or data breach is considered an act of war is critical to whether the exclusion applies. The problem is that there is no universal definition of war, let alone agreement on what constitutes an act of war in the cyber context. Different government entities and different insurance carriers define war in different ways. And while the language in CGL policies is more uniform, there is no standard form on which the insurance industry as a whole underwrites cyber coverage. Cyber insurance is still in its relative infancy, and the language contained in cyber policies thus tends to vary significantly.
Moreover, insurers always have the burden to prove the application of an exclusion. The war risk exclusion presents insurers with a particularly formidable evidentiary challenge in the cyber context. Courts have traditionally interpreted the war exclusion narrowly, defining “war” as a physical event involving two sovereigns or quasi-sovereign governmental entities. Thus, without direct involvement by a sovereign state, the war exclusion would generally not bar coverage. See Pan Am. World Airways, Inc. v. Aetna Cas. & Surety Co., 505 F.2d 989 (2d Cir. 1974). But whether or not a particular cyberattack is state-sponsored is not always easy to determine. While the media is often filled with headlines of China, North Korea, and Russia emerging as threats to our nation’s cybersecurity, the origin of a data breach or cyberattack may not be readily apparent (and could take years to realize and uncover), making it equally difficult to determine whether an attack was state-sponsored, and therefore excluded. The shadowy nature of cyber incidents is problematic for insurers even though some courts have suggested that wars are not always fought between structured “armies in contrasting uniforms confronting each other on battlefields,” rather, they can “persist for years, fought by irregular, insurgent forces capable of causing extraordinary damage.” In re Sept. 11 Litig., 931 F. Supp. 2d 496, 511 (S.D.N.Y. 2013) (loosening the act of war exclusion to extend to claims arising out of 9/11, and distinguishing the Pan Am precedent requiring a state actor to conduct war).
Although any insurer seeking to rely on the war exclusion to preclude coverage for cyber risks faces an uphill climb, it is nevertheless important for policyholders to be mindful of applicable policy terms, conditions, and exclusions. All exclusions are not created equally, and because there is no definitive answer regarding when a cyberattack may be considered an act of war thereby excluding coverage, companies should in an abundance of caution resist the inclusion of such boilerplate exclusions, and instead negotiate the specific inclusion of cyberwar and terrorism coverage to ensure that a broad range of events will be covered regardless of motive or origin.
Unfortunately almost every organization that uses technology to do business today faces some level of cyber risk. Cyberattacks and data breaches are a fact of life, increasing in both frequency and severity, and companies would be wise to ensure that their policies provide adequate protection against the risks they face. Of course, carefully reviewing your policies’ terms, conditions, and exclusions will also ensure that when facing a potential coverage dispute, “[i]f you know the enemy and know yourself, you need not fear the result of a hundred battles.” Sun Tzu, The Art of War.