[…] So here are a few tips for entities purchasing cyber insurance if they really want to make sure that they have the coverage that they think they have.
First, negotiate the removal of the exclusion. I’m not sure that an “act of war” exclusion applies to DDoS, ransomware or other kinds of cyberattacks as a matter of public policy. In fact, it is precisely these kinds of attacks that the insured is buying insurance to cover.
Second, if the insurer won’t outright remove the language, define it clearly. Limit it to actions formally attributed to sovereign nations in pursuance of a declared war or invasion, or something like that. Make sure that, to rely on the exclusion, the insurer has to prove actual war, actual attribution, actual attack, actual motive and other things like that.
Third, distinguish regular warfare from irregular warfare, terrorism and collateral damage. The NotPetya case is an example: the victims, including Merck and the candy company, were not targets of the act of war. One “feature” of cyberwar is that the attacks may not be able to be contained. The same malware that attacks the Ukrainian government may also attack your Oreo cookies. If you can, you want to limit the exclusion to acts of war by a sovereign nation that target you and cause “intended” damage.
The time to discuss what type of insurance you have and what is and is not covered is not when you file a claim; it’s when you buy a policy. So have knowledgeable insurance and risk people meet with your CISO or other cyber professionals to hash out the scope of coverage and exclusions before you file a claim. Finally, the U.S. government should step up and provide the same kind of “backstop” insurance for war-related cyber-risk that it currently does for terrorist attacks. And that would require the U.S. House, the U.S. Senate and the president to work together toward a common objective. And to do that, it might take an act of war.