Pay Attention to the Fine Print on 'War Exclusions' in Cyber PoliciesInsurance Attorney Peter Halprin Describes Critical Considerations
When seeking cybersecurity insurance or other types of insurance policies that provide organizations with coverage for certain data security incidents, it's critical to carefully consider the "war exclusions" contained in those policies, says insurance attorney Peter Halprin.
For instance, two significant insurance coverage legal disputes, both involving the 2017 NotPetya ransomware attacks - one involving pharmaceutical maker Merck and the other snack food company Mondelēz International - revolved around whether the incidents were excluded under their policies' war exclusion provisions, he notes.
"What we saw with those entities - which involved cyber claims under noncyber policies - the war exclusion was invoked [by the insurer], with the concept that NotPetya … was attributed to state actors, and so it was almost a form of war as seen in a shooting war and should be viewed no differently," he says.
After those cases, "there was … a collective freak-out among those in the cyber insurance space - both from the insurer side and the policyholder side - about war exclusions and whether insurers would invoke those to avoid making payments for ransomware or other cyber claims because of relations to Iran, Russia, China or some other nation that might be connected to hacker collectives," he says.
"For the most part, the market has tried to calm people's nerves … by saying 'war' needs to be viewed narrowly, more akin to a shooting war, and not so much a cyber war without attribution," he says. "But you need to get the best, most expressed and explicit coverage out there and carefully scrutinize the war exclusion, working with your broker or other professionals," he says.
In the interview, Halprin also discusses:
- Cyber insurance versus other types of insurance policies that cover ransomware and other cyber incidents;
- Critical considerations involving the U.S. Treasury Department’s Office of Foreign Assets Control, or OFAC, regulations that prohibit the payment of ransoms to adversary nations;
- The level of influence that cyber insurers have in decisions by organizations about whether to pay a ransom.
Halprin is a partner in Pasich LLP’s New York office. He represents commercial policyholders with a focus on recovery strategies in relation to cyber breaches and cybercrime, COVID-19 and natural disasters, professional services, regulatory investigations and technology disputes.