Catastrophic Risk Exclusions in Cyber Insurance Policies

Cyber threats pose considerable risks to businesses of all sizes, from data leaks and network breaches to ransomware attacks. Robust cybersecurity measures can help, but ultimately, no organisation is immune to cyber incidents even with strong defences in place.

This is where cyber insurance plays a critical role, offering financial protection against potential losses resulting from cyberattacks. Insurance can provide a safety net against cyber risks and it is crucial to understand exclusions in the policy that may limit coverage.

A type of exclusion that is becoming standard with cyber insurance is catastrophic risk exclusions due to notable widespread cyber incidents against governments and businesses in recent years, including the 2017 NotPetya attack.

This unprecedented cyber attack affected numerous organisations worldwide, resulting in substantial financial losses. We’ll explain the concept of catastrophic risk exclusions in detail below.

What is a catastrophic risk exclusion in an insurance policy?

Catastrophic risk exclusions are included in insurance policies generally to limit the insurer’s exposure to a single event that can result in extremely high and widespread losses across a large group or area. Losses arising from failure of, or outage to, critical national infrastructure such as electricity, gas, water, satellite or telecommunications are often excluded from insurance policies.

These events are typically considered to be of such a large scale or magnitude that they could significantly impact a wide geographic area or cause extensive financial losses. Often this is outside what a private insurer is able to insure alone, and requires government involvement to manage these risks. Examples of catastrophic risks that are often excluded from insurance coverage include the following:

War and terrorism

Damages or losses resulting from acts of war, terrorism, or civil unrest may be excluded from coverage, especially in areas prone to such events.

Nuclear incidents

Insurance policies often exclude coverage for damages caused by nuclear accidents, radiation or related events.

Natural disasters

Certain natural disasters like earthquakes, tsunamis, hurricanes and floods may be excluded from coverage, especially in high-risk areas.

Pandemics

Events such as pandemics or widespread health crises may be excluded from coverage, especially in certain types of insurance policies like business interruption insurance.

How do catastrophic risk exclusions apply in cyber insurance?

Traditional catastrophic exclusions for war and terrorism were primarily designed to address physical acts such as bombings or armed conflicts.

However, cyber threats operate in a vastly different domain, where attacks can be carried out remotely and anonymously. This evolution in the threat landscape raises questions about the applicability of traditional exclusion clauses to cyber incidents.

Further, unlike traditional catastrophic events, attributing cyberattacks to specific actors or entities can be very complex. Attackers can employ sophisticated techniques to mask their identities, making it difficult to establish culpability and assess whether exclusion clauses related to state-sponsored actions are applicable.

‘Catastrophic cyber risks’: an uncertain definition

There is no uniformly settled definition of a ‘catastrophic cyber risk’.

Catastrophic cyber risk definitions can mirror those in the physical world, where they often involve single events causing significant losses or affecting multiple insurers. Economic impact, network effects, and severity are key measures considered in defining catastrophic cyber risk.

Economic impact includes losses from network or data unavailability, workforce surge costs, reputation damage and supply-demand disruptions.
Network effects arise from interconnected systems and can lead to nonlinear economic impacts.
Severity refers to the seriousness of an incident and its impact on entities.

Large-scale attacks on key pieces of infrastructure (ie energy networks), or major cloud providers will generally be considered catastrophic events.

Are these types of events excluded from coverage? There is no clear answer as it will all depend on the circumstances and the particular wording of the policy. A 2023 expert panel discussion conducted by the Casualty Actuarial Society and the SOA Research Institute explored these concepts in detail.

Exclusions and cyber warfare

Many cyber incidents have occurred during acts of war. For centuries, insurance has incorporated exclusions for war-related risks.

In fact, excluding “all war” has been a longstanding prerequisite for insurance policies under Lloyd’s of London. Prior to the late twentieth century, excluding war perils was relatively straightforward. A prime example of such exclusions was NMA 464, which remained unchanged in its wording since before World War II and was widely adopted. The war exclusion was framed around the physical act of a declared war.

In 2014, cyber warfare gained public attention when Russia allegedly sponsored a series of cyber-attacks on Ukrainian organizations, including the NotPetya attack in 2017. NotPetya, a zero-day wiper application exploiting Microsoft OS vulnerabilities, spread quickly, causing extensive damage across various sectors, including Merck, a pharmaceutical giant.

Merck’s insurance claim under an all risks policy was initially denied due to a war exclusion clause. However, a New Jersey court in the United States ruled in early 2022 that insurers must explicitly exclude state-sponsored cyber operations to deny coverage, prompting insurers to develop robust cyber-specific war exclusions for catastrophic cyber losses.

Cyber war exclusion clauses from August 2022

In August 2022, Lloyd’s Market Association (LMA) issued Market Bulletin Y5381, mandating that all standalone cyber policies from 31 March 2023 written by Lloyd’s incorporate a suitable clause excluding liability for losses stemming from state-sponsored cyberattacks.

The Bulletin reads:

At a minimum, the state backed cyber-attack exclusion must:

exclude losses arising from a war (whether declared or not), where the policy does not have a separate war exclusion.
(subject to 3) exclude losses arising from state backed cyber-attacks that (a) significantly impair the ability of a state to function or (b) that significantly impair the security capabilities of a state
be clear as to whether cover excludes computer systems that are located outside any state which is affected in the manner outlined in 2(a) & (b) above, by the state backed cyber-attack.
set out a robust basis by which the parties agree on how any state backed cyberattack will be attributed to one or more states.
ensure all key terms are clearly defined.

In addition to Lloyd’s, most other carriers have introduced similar guidelines to address the catastrophic risk potential of state-sponsored cyberattacks with these exclusions now common in cyber policies.

Questions about a cyber insurance policy?

If you own a business with a cyber insurance policy, you’ll likely have questions related to any catastrophic risk exclusion clause that appears.

Here at Axxima, our experienced insurance professionals can help you understand whether these clauses exclude any particular risk you are concerned about, and whether the policy overall is right for your business.

Get in touch with our experienced team of professionals to learn more about catastrophic risk exclusions that appear in your policy.