Debate rages over whether a cyber attack is an act of war

Can a cyber attack be considered an act of war?

That issue came to light in October of 2018 when international food and beverage company Mondelez International sued its insurer Zurich American Insurance Company for declining coverage to Mondelez following the NotPetya cyber attack. Mondelez had an all-risk property insurance policy, but Zurich denied the claim, invoking the policy’s “hostile or warlike act” exclusion. The case remains before the courts.

More recently, London, UK-headquartered multinational law firm DLA Piper was in a dispute with its insurer, Hiscox. Initial media reports last month said that the claim also related to the NotPetya cyber attack and the insurer was reportedly citing a war exclusion as reason for non-payment, however the insurer later said it was a dispute over the “right cover” and not related to the war exclusion.

“Both of those policies that are in dispute I would say right now are actually property policies,” said Kelly Castriotta, deputy product development leader of Allianz Global Corporate & Specialty’s (AGCS) North American region. “But I think underlying that… is really a conversation about silent cyber.”

Castriotta defines silent cyber as when a loss event is caused by a cyber peril that was not contemplated by either the insurance carrier or policyholder, or both. She spoke to Canadian Underwriter last week about the topic, and was a speaker at NetDiligence’s Cyber Risk Summit in Toronto on Apr. 4, where she was on the panel Quantifying Silent Cyber Risk.

Castriotta was asked about whether she has seen any case law on silent cyber. “At this point, there’s nothing I know of where a court has sort of addressed this concept of silent cyber head-on and obviously we’ll see what comes out of the dispute with the war exclusion because maybe a court will take it that way.”

That said, regulatory agencies have started taking a look at the issue. For example, in 2017, the UK’s Prudential Regulation Authority released some statements regarding the expectation for silent cyber and that cyber risk needs to be quantified and identified in all lines of insurance, Castriotta said. “A lot of these traditional policies have been developed a long time ago before we were living in a fully digitized world and before the concept of cyber was so ingrained and embedded as a risk factor for our customers.”

Allianz is currently going through all of its products across all lines and updating policy wordings to address cyber risk expressly and explicitly, Castriotta reported. For example, for financial lines specifically, “we are adding a disclosure statement saying that cyber perils are covered. Then when we underwrite this specific risk, if we feel for any reason that we cannot pick up the associated cyber risk, we will explicitly say that. But the default position is just to clearly state that we are picking it up as a peril.”

The insurer’s products will also be customized and tailored to specific needs, which could include cyber endorsements. Globally, new policy wordings have been implemented as of this year. “In North America, it is happening this quarter, where all new accounts will have updated wording and renewal accounts to the extent that we are permitted to do so by law,” Castriotta said.

“One of the challenges internally is to make sure that when we’re including this language, the underwriting staff understands cyber risk,” she said. “That’s the end goal – to have everybody in the company be absolutely able to understand and address cyber risk. It’s an evolving process, it’s a training process and it’s a wording process.”