1. War, Terrorism, and Catastrophe in Cyber Insurance: Understanding and Reforming Exclusions
- Author:
- Jon Bateman
- Publication Date:
- 10-2020
- Content Type:
- Working Paper
- Institution:
- Carnegie Endowment for International Peace
- Abstract:
- Cyber insurance is a promising way to contain the havoc cyber attacks wreak, but endless lawsuits hamper its effectiveness. Reforms and new solutions are sorely needed. Insurance is one of the most promising tools for addressing pervasive cyber insecurity. A robust market for insuring cyber incidents could, among other things, financially incentivize organizations to adopt better cyber hygiene—thereby reducing cyber risk for society as a whole. But cyber insurance is not yet mature enough to fulfill its potential, partly due to uncertainty about what kinds of cyber risks are, or can be, insured. Uncertainties in cyber insurance came to a head in 2017, when the Russian government conducted a cyber attack of unprecedented scale. Data-destroying malware called NotPetya infected hundreds of organizations in dozens of countries, including major multinational companies, causing an estimated $10 billion in losses.1 NotPetya showed that cyber risk was greater than previously recognized, with higher potential for “aggregation”—the accumulation of losses across many insurance policies from a single incident or several correlated events. NotPetya also exposed a serious ambiguity in how insurance policies treat state-sponsored cyber incidents. Some property and casualty insurers declined to pay NotPetya-related claims, instead invoking their war exclusions—long-standing clauses that deny coverage for “hostile or warlike action in time of peace and war” perpetrated by states or their agents.2 War exclusions date back to the 1700s, but they had never before been applied to cyber incidents. This novel use of the war exclusion, still being litigated, has raised doubts about whether adequate or reliable coverage exists for state-sponsored cyber incidents. Some observers have asked whether such incidents are insurable at all, given the potential for aggregated cyber losses even more catastrophic than those of NotPetya.3 And while the war exclusion has attracted the most attention, another exclusion—for terrorism—presents similar challenges to cyber claims.
- Topic:
- Terrorism, War, Cybersecurity, and Non-Traditional Threats
- Political Geography:
- Global Focus