Iran recently shot down an unmanned U.S. surveillance drone aircraft flying in international airspace, sparking increased tensions between the U.S. and Iran. Military action was avoided, but the U.S. was reported to have launched a cyber attack on Iranian tech assets in response to the attack.
U.S. cybersecurity companies, who were already reporting a dramatic increase in Iranian hacking efforts against U.S. firms during the preceding few weeks, immediately began warning that Iran could increase its attacks and make them far more destructive. Iranian hackers targeting U.S. companies were using specialized malicious software designed to wipe the contents of their victim’s computer networks rather than simply steal their data, according to a warning posted by the director of the Homeland Security Department’s cybersecurity division.
Why is this an issue? There are a couple of exclusions found on almost every property insurance policy written since WWII. One is the Nuclear exclusion; underwriters have no intention of insuring the damage done by nuclear explosion or contamination. The other? The War exclusion. Wars are deliberate acts of man, not naturally caused, and potentially catastrophic in the scope and extent of the damage they cause; insurance companies want no part of it.
But what about cyber warfare? War, as conventionally understood, involves damage to or destruction of tangible property by acts of an enemy. War exclusions don’t specify that. Here is one typical war exclusion, for claims arising from loss “…resulting from, directly or indirectly occasioned by, happening through or in consequence of: war…acts of foreign enemies, hostilities (whether war be declared or not) … or requisition or destruction of or damage to property by or under the order of any government or public or local authority…”.
Here’s another typical one: it excludes claims for losses “Based upon or arising out of: 1. war, including undeclared or civil war”.
So here is the question: are we at war with Iran? If you are a victim of an attack traceable to Iran, are you victim of an act of war? It may be only intangible property (data) that is destroyed; how does a war exclusion apply to that? Or perhaps some of your EDP equipment is destroyed. If circuit boards are actually fused, that’s a tangible loss; if they are just electronically corrupted beyond repair, is that different?
This is an unresolved but increasingly concerning issue with cyber policies, especially older versions or forms written by less sophisticated underwriters (remember, these forms are not standardized, every insurance company writes their own insurance contract).
Fortunately, underwriters who are, or seek to be, reliable long term players in the cyber insurance market are aware of this issue, and many are addressing it. Cyber underwriters have less reason to be fearful of the war peril than other property underwriters. If Iran or North Korea lobs a missile that destroys your building, that building is gone. If they launch a cyber attack and destroy your data, that data on that computer is gone, but if you employ common sense backup measures, you should still have that data. You might be inconvenienced and incur some expense to restore your system, or even get new hardware, but the data itself remains. From an underwriters point of view, such a loss is far more manageable (and therefore insurable).
Here’s the key, though: look at your cyber policy. See if it has a war exclusion, and what it says. Recently we are seeing that cyber underwriters are increasingly willing to modify or remove war exclusions. If yours won’t, there are likely other options readily available.