Cyber insurance policies may be put to the test by Russian attacks, credit ratings firm warns

Credit ratings giant Fitch said on Tuesday that cyberattacks linked to Russia's invasion of Ukraine might be a test for language commonly used in cyber insurance policies that excludes damages caused by acts of war.

The "war exclusion" and "hostile act exclusion" language has become a much-debated issue in the world of cyber insurance over the last several years. The clauses have a long history in property, life, and other types of coverage, and are meant to protect insurance companies from being on the hook for events that they could not afford to pay claims. But cyberattacks — which can be difficult to attribute and are used more liberally than rocket strikes and other traditional weapons — present many grey areas.

NotPetya, a 2017 wiper attack that caused billions of dollars of damage and has been linked to Russian hackers, pushed many insurance providers to clarify their language around what is and isn't covered. Last December, a New Jersey court ruled in favor of pharmaceutical company Merck in a lawsuit filed against its insurer, which declined to cover $1.4 billion in losses caused by NotPetya. In that case, Merck had a $1.75 billion "all-risk" insurance policy that covered software-related data loss events, but its insurer refused to cover the loss arguing that the attack was an act of war.

The New Jersey Superior Court sided with Merck, which argued that the clause's language limited exclusions to acts by official government agencies, and did not specifically mention cyber-related events.

Although Fitch said that the lawsuit and pressure from regulators have prompted a shift in war exclusion language — which could potentially mitigate losses from the current conflict — an increase in nation-state cyberattackers could be a test for many policies.

"The proliferation of potential cyberattacks from well-organized, state-sponsored hackers is elevated given the current conflict," Fitch said.