Cyber and the War Exclusion

In 1915, Cuthbert Heath, pioneer of catastrophe insurance at Lloyd’s of London, decided to offer insurance policies to cover the impacts of war, far from the front line. Zeppelin airships were arriving over London during World War One, dropping bombs and incendiary devices. Later in the War, the bombs were being thrown out of Gotha biplanes.

Heath did some simple calculations: the number of Zeppelins, the frequency of attacks, the number of bombs each airship could carry, the damage area of an explosion, and how much of London was built up compared to open spaces. Having generated a risk cost estimate, he then multiplied it by six to arrive at his proposed rate for the insurance coverage. As the intensity of air attacks went up and down, so his insurance prices followed.

Zeppelin L13 (pictured above) was involved in bombing raids over London in 1915. Image: Wikimedia Commons

For Heath, the damage from Zeppelin bombs was no different to the damage from the latest West Indies hurricane. There was a market for the coverage, damage to be compensated and recent historical information by which to assess the risk. This was how insurance should function when faced with a new threat. Calculate the risk cost, add some loading and offer the coverage.

The potential to offer Heath’s urban-bombing insurance product came to an end twenty years after he first introduced it. Following the intense bombing of cities in Ethiopia in March 1936 and Spain in November 1936, on December 4, 1936, a committee of officials from Lloyd’s met with the British Insurance Association to agree that all treaties renewing from the start of 1937 would exclude war and civil war from the standard terms of fire insurance coverage.

Yet the definition of what constituted war has continued to be tested.

On September 6, 1970, Pan Am Flight 93 was hijacked and flown to Beirut and then on to Cairo where the passengers were allowed to leave. The hijackers then destroyed the plane with explosives brought from Beirut.

Pan Am claimed compensation for the lost plane under its “all risks” hull aviation insurance. Citing the war exclusion clause, the aviation insurers refused to pay, so the airline made an application for payment from a separate war risk policy. The political risks insurers then argued that coverage was unavailable because the war exclusions should not have applied to the all risks policy. What had transpired, they argued, was not war. The situation went to litigation and the U.S. Court of Appeals agreed that “… war is a course of hostility engaged by entities that have at least significant attributes of sovereignty.” Therefore, the war exclusions did not apply.

This ruling meant there was no attempt to trigger the war exclusion to refuse insurance payments for the multiple impacts of the 2001 World Trade Center attacks. However, following the 9/11 attacks, commercial insurers were quick to add new terrorism exclusions to fire policies.

Now the definition of “entities that have at least significant attributes of sovereignty” has been reopened in the world of cyber risk.

On June 27, 2017, the NotPetya worm was launched through an update to free Ukrainian accounting software that was used by almost everyone who filed taxes in the country. The attack was disguised as ransomware, but in fact its sole function was to sabotage any computer it infected. In January 2018, the CIA identified the Russian military as the source of the attack, which was confirmed by British security services the following month.

NotPetya infection screen. Image credit: Wikimedia Commons

The malware spread to a number of major international companies, often with some connection back to Ukraine. Several of these companies had been slow to patch their systems for the previously identified EternalBlue vulnerability in older Windows operating systems. Unlike with explosives, physical separation offers no protection against an attack carried by the global traffic of the Internet.

Among these companies was Mondelez International Inc., a global food manufacturer with a portfolio of famous brands. Mondelez lost 1,700 servers and 24,000 laptops to the attack and made an insurance claim under its all risks property policy, understood to be in the region of US$100 million. In early October 2018, this claim was rejected by Zurich American on the grounds of the policy’s war exclusion. On October 10, 2018, Mondelez filed a lawsuit demanding that the policy should pay.

The policy issued to Mondelez International had the following relevant exclusions:

1. B) This policy excludes loss or damage directly or indirectly caused by or resulting from any of the following, regardless of any other cause or event, whether or not insured under this Policy, contributing concurrently or in any other sequence to the loss:

….

2) a hostile or warlike action in time of peace or war, including action in hindering, combating or defending against an actual, impending or expected attack by any:

(i) government or sovereign power (de jure or de facto)

(ii) military, naval, or air force; or

(iii) agent or authority of any party specified in i) or ii) above.

The question of coverage is now the subject of litigation in Cook County, Illinois. Will the court agree that this was an attack from an agent of the Russian military, and hence was an act of war, or will they consider the attribution too ambiguous?

A great deal hangs on the outcome of this case (and the inevitable appeal of the outcome). Will new political cyber risk coverages be required? Will it discourage companies from believing they can sustain “silent” cyber coverage within the terms of a property policy?

Like NotPetya, the costliest future cyberattacks are likely to be state sponsored. These will only remain an insurable risk if the losses do not rise too high. In the aftermath of a cyber loss equivalent to 9/11, the insurance industry would cancel coverages and demand government-backed reinsurance, just as in 2001. Would the security forces have to publicly identify the originators of each significant attack to determine whether the instigator had the “attributes of sovereignty”? Is Russia chastened or inspired by what happened with NotPetya?

What would Cuthbert Heath have done if he were underwriting in 2019? Calculate the risk cost and judiciously write the business as if this was 1915? Or have we already reached the equivalent of the 1937 universal war exclusions?

Chief Research Officer, RMS

Robert Muir-Wood works to enhance approaches to natural catastrophe modeling, identify models for new areas of risk, and explore expanded applications for catastrophe modeling. Robert has more than 25 years of experience developing probabilistic catastrophe models. He was lead author for the 2007 IPCC Fourth Assessment Report and 2011 IPCC Special Report on Extremes, and is Chair of the OECD panel on the Financial Consequences of Large Scale Catastrophes.

He is the author of seven books, most recently: ‘The Cure for Catastrophe: How we can Stop Manufacturing Natural Disasters’. He has also written numerous research papers and articles in scientific and industry publications as well as frequent blogs. He holds a degree in natural sciences and a PhD, both from Cambridge University, and is a Visiting Professor at the Institute for Risk and Disaster Reduction at University College London.
