Two veterans in the cyber realm, John Farley of HUB International Limited and Greg Podolak of Saxe Doernberger & Vita, have recently published a white paper titled The Cyber War & Your Cyber Insurance Policy: Are you Covered? With cyber attacks now at the top of liability concerns for companies of all sizes, cyber insurance is becoming a necessity for enterprises that need their data protected. However, it is crucial to know what your cyber insurance policy does and does not cover.
More specifically, Farly and Podolak explain that “many of these cyber policies contain specific terrorism and war exclusions. As a result, gaps in cyber insurance coverage can exist.” Government departments such as the DOD, DOJ, DHS and the terrorism risk insurance act have created separate definitions of “war” and “terrorism.” This makes determining coverage disputes increasingly difficult when a policy excludes acts of “war” and “terrorism.” To put it simply, a cyber attack could be considered an act of “war” or “terrorism” under one definition, voiding the cyber insurance policy. However, when using a different definition of “terrorism” or “war,” a cyber attack could be defined as what President Obama once referred to as “cyber vandalism,” in which the loses from the attack would be covered.
Lastly, “The Terrorism Risk Insurance Act (TRIA) is a government program designed to provide a backstop for reinsurance in the event of large terrorism-related losses (more than $100 million)” which further complicates the ‘act of war exclusion.’ Farley and Podolak’s whitepaper serves as an excellent resource to better understand how definitions of “war” and “terrorism” can affect your cyber insurance claims and the qualifications for TRIA to apply to a cyber attack.