What’s the Difference?

If your business finds itself in the unfortunate position of being hit with a cyber attack, you might suddenly find semantics important.

In two cases currently being played out in court in the United States, Zurich Insurance is arguing that malware attacks suffered by two of its customers should be deemed acts of war, as opposed to typical cyber attacks.

What this means is that those costly attacks would not be covered by a standard insurance policy.

This is due to the “war” exclusion which commonly protects insurers from having to cover costs that relate to damage from war.

What is Cyberwar anyway?

In 2018, the United States government assigned responsibility for the infamous NotPetya cyber attacks to Russia. NotPetya was described as “part of the Kremlin’s ongoing effort to destabilize Ukraine”.

The US government said that the attacks had demonstrated “ever more clearly Russia’s involvement in the ongoing conflict”.

By attributing an act of cyber crime to an entire country in this way, and deeming it an act of war, the US government may well have given justification to insurers for refusing to cover the damage. At the very least they fuelled the fire of doubt sufficiently for Zurich to legally challenge the terms of their policies.

One problem is that the concept of cyberwar is still somewhat undefined. Attributing acts to a specific country can be difficult when the attack comes from a group with unofficial links to a state, or if the blamed government denies involvement.

Practical Insurance

Broad insurance policies are often used to protect businesses from loss, but these types of policies are often not underwritten or understood to cover cyber risk, particularly the kind of losses that happened to Zurich Insurance’s customers.

Cyber insurance, which is specifically tailored to these sorts of attacks and events, should leave insured parties in a clearer position in terms of their general cyber risk.

But the concept of cyberwar, and whether it can be excluded by insurers, is still a grey area. Until the Zurich cases are decided, and a precedent is created, insurers and their insured will want to proceed with caution.

Talk to phew today for impartial guidance around suitable protections for your company.