
Cyber risk poses ongoing challenge for first-party property damage lines of business

Silent cyber

By Andrew Hill | January 28, 2020

As computer systems and digital technology become more complex and vital to business operations, risks will grow in tandem.

“Silent cyber,” otherwise known as non-affirmative cyber, describes cyber risk that is neither expressly included nor excluded in insurance policies. Silent cyber has emerged as one of the hot topics for both insurers and policyholders across almost all lines of business, including the property market. This is primarily due to three related factors:

  1. Cyber exclusions used in first-party property damage policies are increasingly unfit for purpose as cyber exposures continue to evolve.
  2. A series of widely publicized cyber incidents has placed a spotlight on the scope of cyber cover in property policies.
  3. Insurers face toughened regulatory requirements to manage their silent cyber exposure in the insurance policies they issue.

The birth of the cyber exclusion

Y2K’s “millennium bug”

As the new Millennium approached, there were widespread reports of the potential inability of computer systems to distinguish between the 1900s and the 2000s. Media coverage of a hypothetical “millennium bug” depicted a world of bank and power plant failures, and even of airplanes falling out of the sky. Some insurers went as far as adding Y2K exclusions to their policies. Other entrepreneurial insurers offered Y2K cover, a type of contingency insurance policy, for any losses should the worst happen.

Ultimately, Y2K proved to be something of a non-event. What Y2K did achieve, however, was to bring into focus the world’s increased reliance on technology and the potential financial implications should such technology fail. Perhaps, even more importantly from an insurance perspective, it raised a question of where liability would fall in an organization’s insurance program for any losses arising out of computer system malfunctions.

The NMA 2914 and 2915

In 2001, Lloyd’s Underwriters’ Non-Marine Association, based in London, created two related exclusions that are known in insurance industry shorthand as ‘NMA 2914’ and ‘NMA 2915’, but whose full titles are the ‘Electronic Data Endorsement A’ and the ‘Electronic Data Endorsement B’. Both exclusions commonly exclude (1) “loss, damage, destruction, distortion, erasure, corruption or alteration of ELECTRONIC DATA” and (2) “any loss of use, reduction in functionality, cost, expense of whatsoever nature resulting therefrom ….”1 Both the NMA 2914 and the NMA 2915 do, however, carve back cover for physical damage to property where such loss, damage, etc. to electronic data result in fire or explosion.2

There are, perhaps, three notable features of the NMA 2914 and NMA 2915:

  • The exclusions are silent on the cause of the loss or damage to electronic data, the clear inference being that the exclusion applies to both malicious attacks (i.e. a cyber-attack) and non-malicious acts (e.g. negligence).
  • The carve backs for listed perils are for physical damage only; i.e., the carve backs are silent on the scope of cover for any ensuing business interruption loss.
  • For the exclusions to apply, there must be a change in the state of the electronic data; i.e., if the electronic data is merely accessed but not altered in any way, it is arguable that the exclusion does not apply.

The most crucial feature from a silent cyber perspective, therefore, is the silence of the NMA 2914 and NMA 2915 on whether the carve back for property damage extends to business interruption loss.

The NMA 2914 and NMA 2915 were quickly adopted by property insurers amid speculation that reinsurers of direct property insurers would use one of the exclusions in their reinsurance programs.3 In any case, nearly two decades later, these exclusions (and variations thereof) continue to be the accepted cyber exclusions for property insurers.

The CL380

In 2003, two years after the NMA 2914 and 2915 first appeared, the Institute Cyber Attack Exclusion Clause, more commonly known as the CL380, was released. The CL380 excludes any loss, damage, liability or expense “contributed to by [sic] or arising from the use or operation, as a means for inflicting harm, of any computer, computer system, computer code, computer virus or process or any other electronic system.” In other words, its overarching intent is to exclude losses arising from the peril of “malicious attacks” against computer systems. In contrast, the NMA 2914 and NMA 2915 exclusions are triggered by an outcome i.e. loss or damage to electronic data, regardless of the cause or ‘peril’.

The CL380 exclusion was quickly adopted by insurers of marine insurance contracts. An early misconception, which continues to this day, is that the CL380 is a blanket cyber exclusion that excludes all cyber-related losses. This, of course, is incorrect. The CL380 does not expressly exclude the peril of non-malicious acts, e.g. an operator who negligently causes a computer network outage while working on a server, or a more straightforward system malfunction. The CL380 is, however, framed in extremely broad terms insofar as it applies where the loss is “directly or indirectly caused by or contributed to by or arising from” the cyber-attack. Therefore, unlike the usual position that insurers must prove that the cyber-attack is the proximate cause of the loss, if it can be proven the cyber-attack was a remote cause of the loss, that, on the face of it, would be sufficient.

The key issue, therefore, with the CL380 from a silent cyber perspective is that the exclusion is silent on losses that arise from non-malicious acts on computer systems, including any malfunction.4

Non-affirmative cyber

Numerous other cyber exclusions can be found in insurance policies, although the NMA 2914 and NMA 2915 together with the CL380 are arguably the most commonly used exclusions for insurance policies underwritten in the London insurance market. The breadth of the NMA 2914 and NMA 2915 in particular has undoubtedly contributed to the emergence of standalone cyber insurance to fill the gap in cover.

The dominance of computer systems as a way of facilitating business has changed dramatically since these exclusions were drafted nearly 20 years ago. Also, the threats against these systems have evolved exponentially. As our understanding of cyber risk has improved due to the volume of publicized incidents and an increase in insurance claims activity, questions have emerged about whether the NMA 2914, NMA 2915 and the CL380 provide sufficient clarity for policyholders on precisely what cyber risk is being excluded from their property policies.

Surprisingly, perhaps, there has been limited judicial intervention concerning the interpretation of these cyber exclusions (although the popularity of private arbitration as a mechanism for resolving disputes might offer an explanation). Arguably, the two most notable lawsuits in recent years testing the scope of cyber cover under property policies do not require the Courts to opine on any of the aforementioned cyber exclusions, or on any cyber exclusion for that matter. Instead, the Courts are being asked to consider the application of the war exclusion, albeit through the lens of alleged cyberwarfare activity.

The Merck and Mondelez lawsuits

The NotPetya cyber-attack in 2017 proved to be something of a watershed moment for the insurance industry. The scale of the collateral damage that stemmed from the attack and the volume of claims that were made in the wake of the incident were unprecedented. It is perhaps the nearest the insurance market has come so far to witnessing a cyber catastrophe loss.

Merck & Co. and Mondelez International Inc. were two of the many organizations affected by NotPetya, a form of “wiper” malware designed to cripple computer networks. NotPetya was able to access networks through a legitimate but corrupted update for tax software developed by a small company in Ukraine.

Once the malware gained access to the network, it crashed computers by encrypting the hard drives. In the worst cases, business activities ground to a halt when, amongst other things, employees were unable to access email and electronic files.

In a subsequent Circuit Court of Illinois filing, Mondelez said that 1,700 of its servers and 24,000 laptops were left permanently dysfunctional as a result of the incident, putting its losses in excess of $100 million (U.S.). This figure includes, amongst other losses, property damage, commercial supply and distribution disruptions, unfilled customer orders and reduced margins.

Merck’s account is equally harrowing. The attack is reported to have demobilized 30,000 laptops and desktops while 7,500 servers were affected. According to its latest annual report from February 2019, Merck says it lost $260 million (U.S.) in 2017 due to unfulfilled orders following the cyber-attack. In addition, Merck says it incurred $285 million (U.S.) in expenses to remediate the impact of the incident and a further $150 million (U.S.) in 2018 as sales continued to be affected. This amounts to a combined loss of $685 million (U.S.).

Both Merck and Mondelez notified their property insurers of the NotPetya event. In the case of Mondelez, the company had a property insurance policy issued by Zurich Insurance Group. The property policy included cover for physical loss or damage to property, which in turn included electronic data, programs or software even where caused by the malicious introduction of a machine code or instruction. Notably, this is a property policy that, contrary to being silent on property damage caused by a malicious attack, provides affirmative cover where caused by such peril.5

Both Merck’s and Mondelez’s insurers ultimately denied cover under the respective property policies solely on the basis of the “war” exclusion. The exclusion in Mondelez’s property policy stated:

"B. This Policy excludes loss or damage directly or indirectly caused by or resulting from any of the following regardless of any other cause or event, whether or not insured under this Policy, contributing concurrently or in any other sequence to the loss: …

(2)(a) hostile or warlike action in time of peace or war, including action in hindering, combating or defending against an actual, impending or expected attack by any:

(i) government or sovereign power (de jure or de facto);
(ii) military, naval, or air force; or
(iii) agent or authority of any party specified in i or ii above.”

Both Merck and Mondelez have commenced proceedings against their respective property insurers. The Court decisions are pending. While the merits of the Merck and Mondelez lawsuits are outside the scope of this paper, their respective insurers’ interpretations of the war exclusion appear to be broadly similar, i.e. NotPetya was a “hostile or warlike action.” In the absence of any definitions for “hostile or warlike actions” in the policy, the respective Courts in Merck and Mondelez will be tasked with providing a judicial interpretation.

The grounds that have been advanced in support of the respective decisions to decline Merck’s and Mondelez’s claims are not an example of silent cyber at work in its truest sense. As noted above, Mondelez’s property policy, for example, included affirmative cover for property damage arising from a malicious attack.6 The reliance on the war exclusion does, however, illustrate how cyber risk can be interpreted through the lens of wider terms and conditions within an insurance policy in a way that may not have been foreseen by policyholders, giving rise to the very uncertainty that is associated with silent cyber.

A divergence may have emerged in recent years between how the property market and the cyber market cover cyber risk. This can be seen through the evolution of the war and terrorism exclusions, common to both property and cyber policies. It is a safe starting position to assert that both property and cyber insurers have very limited or no appetite for war losses and therefore ordinarily exclude such losses. In the absence of any definition of “war” or “hostile or warlike actions” within the policy, which is the usual position, the challenge is determining what is meant by these terms.7 On the basis of various definitions given for ‘war’ in the most authoritative dictionaries,8 any conflict between two nation states, including via the deployment of cyber-attacks, is likely to lead to insurers looking very carefully at the application of the war exclusion.

Similarly, both property and cyber policies ordinarily exclude losses arising from terrorism. So, what are the differences between the property and cyber market’s respective approaches to war and terrorism? There is evidence to suggest two significant trends have emerged in the cyber market that could have had material consequences on coverage.

First, it is now commonplace to find a carve back to the terrorism exclusion in cyber policies for losses arising out of cyber terrorism. In contrast, it would appear the property market does not generally provide affirmative cover for acts of cyber terrorism.9

Secondly, some cyber policies limit the application of the war exclusion to “kinetic” war (i.e. the more traditional understanding of physical warfare involving artillery, missiles and so on). It would be remiss, however, to suggest that the kinetic war concept has gained wide currency in the global cyber insurance market. Underwriters may be concerned that such language fails to address a key concern that underlies the absence of appetite for underwriting war losses, namely systemic losses, i.e. multiple losses arising out of one event. It does not appear that the tying back of the war exclusion to kinetic war has gained much currency in the property market. Certainly, no such reference has been cited as being included in Merck’s or Mondelez’s property policies.

Since the cyber-attack peril is a cornerstone of any cyber policy, it is arguable that cyber insurers have recognized the need to dilute the effects of the war and terrorism exclusions or otherwise risk damaging the reputation of the product. Some cyber insurers appear to have taken the scope of cover for malicious attacks just short of encroaching on the acts that the war exclusion is intended to exclude.10 While the cyber and property markets share the challenges of defining exactly what falls within the meaning of war, it would appear that the commonplace inclusion of cover for cyber terrorism in particular (not to mention the inherent challenges with attributing responsibility for a cyber-attack)11 has, for now, averted any high-profile litigation concerning the non-payment of claims under cyber policies arising out of NotPetya.

The Merck and Mondelez lawsuits highlight that the silent cyber issue in property policies is more nuanced than purely looking at whether a policy covers cyber perils on an affirmative basis or excludes them. The lawsuits illustrate how ‘traditional’ exclusions, developed long before computer systems became an integral part of business operations, may require a rethink.

New Lloyd's cyber exclusions 

In July 2017, when the NotPetya incident was firmly in the spotlight, the UK’s Prudential Regulation Authority (PRA) called upon regulated non-life insurers to properly manage their own silent cyber risk exposure for business underwritten in the UK. Specifically, the PRA raised concerns about the difference in perceptions of cyber risk among insurers and the adequacy of premium income being allocated to silent cyber exposure.

Fast forward to January 2019, the PRA requested that insurers increase their efforts to ensure they can properly identify, quantify and manage both affirmative and non-affirmative (silent) cyber risk by way of an action plan.

On July 4, 2019, Lloyd’s of London mandated that all its members (i.e. syndicates) clearly state whether coverage is provided for losses caused by cyber risk in two categories:

  1. Malicious acts (e.g., cyber-attacks); and
  2. Non-malicious acts (e.g., accidental acts or omissions).

Lloyd’s specified that policies should either provide affirmative cover for the aforementioned acts or exclude coverage, regardless of whether the policies are all risks or named perils.

In order to ensure an orderly transition, Lloyd’s proposed a phased approach:

  • For first-party property damage policies incepting after January 1, 2020, Lloyd’s underwriters are required to ensure that all policies affirm or exclude cyber events.
  • For liability and treaty reinsurance policies, the requirement will come into effect in two phases during 2020/2021.

On November 13, 2019, the Lloyd’s Market Association released several cyber clauses on behalf of Lloyd’s syndicates insuring property damage. The first of the clauses, known as ‘LMA5400 – Property D&F Cyber Endorsement’, excludes any loss arising out of malicious acts (referred to as a ‘Cyber Act’) “involving access to, processing of, use of or operation of any Computer System.” It also excludes any loss arising out of non-malicious acts (referred to as a ‘Cyber Incident’), which is divided into two limbs. The first limb excludes “any error or omission or series of related errors or omissions involving access to, processing of, use of or operation of any Computer System.” Therefore, a simple input error on a piece of operational technology that later leads to property damage would, prima facie, be excluded.

Even more disconcertingly, perhaps, the second limb arguably goes even further than anything seen in the NMA 2914 or NMA 2915 by excluding “any partial or total unavailability or failure or series of related partial or total unavailability or failures to access, process, use or operate any Computer System.” Put another way, losses arising from a malfunction on a computer system would, once again, be prima facie excluded.

The Endorsement does, however, carve back cover for physical loss or physical damage in respect of the two limbs of the ‘Cyber Incident’ definition (i.e. non-malicious acts) where such incidents/acts result in a fire or explosion. The inclusion of the reference to “physical loss” does appear to address the silent cyber issue in the NMA 2914 and 2915 as to whether ensuing business interruption loss is covered, but this may ultimately be of limited comfort for policyholders given the scope of the exclusion.

The LMA 5401 Property Cyber and Data Exclusion is more straightforward than its sibling, although possibly no less draconian in its impact. In simple terms, the Exclusion is a blanket exclusion that excludes from cover both malicious cyber acts and non-malicious cyber incidents with no carve back. As with the Endorsement, the definition of ‘Cyber Incident’ in the Exclusion (which is identical) is seemingly wide enough to exclude malfunctions on computer systems.

Like the CL380, both the LMA 5400 Endorsement and the LMA 5401 Exclusion are framed widely insofar as losses arising from the perils of ‘Cyber Act’ and ‘Cyber Incident’ will be excluded regardless of whether such losses are “directly or indirectly caused by, contributed to by, resulting from, arising out of or in connection with” any Cyber Act or Cyber Incident. Clearly, local laws will vary on proximate cause but, given the breadth of the language, it will be open to insurers to seek to rely on the exclusionary language even if the Cyber Act or Cyber Incident was a remote cause of the loss.

Conclusion

Clarity in contracts, especially complex insurance policies, is to be welcomed. The volume of losses arising from cyber risk continues to increase. The quantum of those losses, as witnessed at Merck, Mondelez and many other organizations warrants a close and considered inspection of insurance programs in order to minimize the scope of uncertainty.

Unlike natural perils and their outcomes, which do not alter (as when a fire burns down property, for example), cyber perils and, in particular, the outcomes arising from those perils rarely stand still for long. This inherent feature of cyber risk undoubtedly poses challenges for those seeking to transfer the risk and those prepared to accept it. What the lawsuits filed by Merck and Mondelez demonstrate is that silent cyber is more a universal issue than simply looking at the language in the insuring clauses or analyzing cyber exclusions. It is an ever-evolving issue that requires a holistic assessment of insurance contracts in order to understand their suitability to respond to cyber peril.

The efforts by Lloyd’s to address silent cyber are a positive step, although the lack of consistency between the clauses published by the LMA and similar clauses used in the wider national and international insurance market will undoubtedly bring challenges. The LMA 5400 Endorsement and the LMA 5401 have, in one respect, gone some way towards meeting the objectives set down by Lloyd’s. However, in seemingly excluding losses arising from computer system malfunctions, the clauses may have gone further than Lloyd’s intended.

Because the new cyber exclusions are in their infancy, it remains to be seen whether the cyber insurance market will continue to show the agility that has underpinned its growth as a sector. Will the cyber market be ready to fill the gaps that will undoubtedly emerge in the wake of the new cyber exclusions, or will it ultimately be the property insurance market that steps up to the plate?

Sources

1 A subtle difference between the NMA2914 and 2915 concerning data processing media valuation falls outside the scope of this paper.
2 Additional perils can be negotiated on a case-by-case basis, e.g., a machinery breakdown.
3 The End of Computer Virus Coverage as We Know it?, May 2002, by Michael Rossi, provides a fascinating contemporaneous account of the NMA 2914 and 2915 with the implication that the scope of cyber cover in traditional policies has been driven by the reinsurance market.
4 The CL380 is framed in extremely broad terms insofar as it applies where the cyber-attack is “directly or indirectly caused by or contributed to by or arising from” such event. Therefore, unlike the usual position in which insurers must prove that the cyber-attack is the proximate cause of the loss, if it can be proven the cyber-attack was a remote cause of the loss, that would be sufficient.
5 It is unclear what, if any, position is taken by the policy on losses arising from non-malicious acts, but for the purposes of this particular discussion, this is not relevant.
6 Although the position on non-malicious cyber acts in the Zurich Property Policy is unclear.
7 See the US Court of Appeals for the Ninth Circuit’s recent decision in Universal Cable Productions LLC v. Atlantic Specialty Insurance Company, No. 17-56672, 2019 WL 3049034 (9th Cir. July 12, 2019). Concerning the interpretation of the war exclusion, the decision provides some illuminating commentary on the meaning of “war”, albeit outside of a cyber context.
8 The Oxford English Dictionary, for example, defines “war” as “armed hostilities between (especially) nations; conflict; or the suspension of internal law etc. during such a conflict.” Notably, the United Nations has refrained from giving a definition of ‘war’, although article 2(4) of the United Nations Charter 1945 does prohibit “the threat or use of force against the territorial integrity or political independence of any State, or in any other manner inconsistent with the Purposes of the United Nations.” Were a Court to lean towards this statement in support of its judicial interpretation, it is certainly arguable that more acts would fall within the scope of “war”.
9 There is no single standard definition of “cyber terrorism” used across cyber policies, although most definitions commonly refer to disruptive activities against computer systems in support of a social, political or ideological agenda.
10 As noted above, the use of a cyber-attack in a conflict between two or more nation states is likely to lead to insurers looking carefully at the application of the war exclusion. There is, however, a trend towards cyber policies covering state-sponsored cyber-attacks against private entities and individuals (as opposed to nation states), i.e. ‘cyber terrorism’ that is not in support of ‘war’ (although the issue of what acts amount to ‘war’ etc. remains).
11 Under English contract law at least, the burden of proving that the war exclusion applies rests with the insurer. Given the inherent challenges associated with attributing responsibility for a cyber-attack in the absence of evidence and denials by the alleged perpetrators, this will inevitably lead to insurers thinking very carefully before seeking to invoke the war exclusion.
