Russian Cyber Attacks May Test War Exclusion Policy Language: Fitch

Cyber attacks associated with Russia's invasion of Ukraine may further test the effectiveness of war exclusion and hostile act exclusion language in insurance policies, according to Fitch Ratings.

In a statement, Fitch noted that the invasion has increased the risk of cyber attacks and potential claims costs for property and casualty (P&C) insurers around the world offering cyber-insurance coverage. Most of that coverage is underwritten in North America, according to the rating agency.

Fitch said the war exclusion and hostile act exclusion policy language has come under great scrutiny since a recent court ruling found an insurer liable for losses resulting from the 2017 NotPetya malware attack.

"Nonetheless, larger insurers have taken significant pricing and underwriting actions in response to rising cyber claims in recent years, including tightened contract language, which should help mitigate underwriting losses in the current uncertain environment," the Fitch statement said.

The rating agency noted that the NotPetya attack was largely attributed to Russian-linked hackers and resulted in billions of dollars in losses for global firms.

Cyber-insurance policies for US P&C insurers have typically included war exclusion or hostile act exclusion language, Fitch said, similar to exclusionary language found in other property insurance lines, stipulating that insurers cannot defend against acts of war.

A recent ruling by a New Jersey State Superior Court judge held, however, that a policyholder that suffered significant losses in the NotPetya attack was entitled to summary judgment because the war exclusion language didn't apply, Fitch said. The ruling indicated that the contract language of the insurance policy in question had been virtually unchanged for many years, despite the growing and evolving threat of cyber attacks that can arise from both nation-states and private cyber criminals.

The court ruled that because the insurer failed to change the policy language, the policyholder had the right to anticipate that the exclusion applied only to traditional forms of warfare, Fitch said. "The insurer was at fault for failing to change the language or to notify the insured party that losses from cyberattacks were not covered," the rating agency said.

The Fitch statement said that the current Russia-Ukraine conflict increases the risk of cyber attacks from well-organized state-sponsored hackers. Other P&C insurance lines that may be affected include political risk and trade credit, property, marine, cargo, and aviation, Fitch said.