On cyber insurance exclusions or not

Recently cyber insurance gained fame because of the refusal of two major firms (1), 2) to cover the costs of NotPetya ransomwiper.

The explanation, “war-like activity” exclusion model clause (CL.380, “Institute Cyber Attack Exclusion“; a fairly standard sample here) result in a fairly entertaining case from the international law and policy point of view (perhaps the concerns with "attribution" issues being of primary issue/obstacle here is not so important; but that's another story). Exclusion clauses are fairly standard and important in insurance (and any contract, when we’re at it).

Insurance is being positioned as a tool helping to limit the risk and costs of data loss and disruption resulting from cyberattacks. Cyber insurance of course does not intend to prevent the cause. Rather, the aim is on shielding from (financial) consequences, both potential and true. Companies typically like to reduce business risk and control costs. As much exciting as this may sound to some, let’s not go into details. So we won’t speak about data suggesting skepticism over cyber insurance, for example. We do not take any position, nor pro or against.

Instead, let’s just say directly the International Underwriting Association of London, an influential insurer organization just published two recommendations (IUA: 09-081 “Cyber Loss Absolute Exclusion Clause“; 09-082), along with a commentary.

Specifically, “Cyber Loss Absolute Exclusion Clause” broadly excludes coverage for loss “arising out of the use of (or inability to use) a Computer System, Computer Network or Data, each of which is specifically defined within the clause. Additionally, the clause would remove liability arising from losses stemming from the hoax of such and any error, omission or accident in respect of a Computer System, Computer Network or Data” (malicious or not, so including a breach, disruption, etc.).

Why?

The main motivation of IAU appears to be intending to clarify when general insurance does not cover any computer/cyber-related loss. This provides clarity for both, insurers and customers. Cyber/computer-related events will need to be written explicitly.

But as a potential side effect, it also further builds a “market awareness” for cyber insurance. Specifically, customers (i.e. consultants/CEO/CFO/Cxx) will now be faced with clearer messages like:

(1) there is something like “cyber insurance” out there,
(2) there might be a risk, and they are not covered.

Whether and how it impacts decisions is another story.