We have discussed in the past the thorny issues associated with attributing a malicious act, like a cyber attack, on a nation-state actor. In particular, some insurance companies have attempted to avoid payment of large data breach claims when the claims arose from acts which were attributed to nation states. A recent decision by the U.S. Ninth Circuit Court of Appeals will make it harder for insurance companies to make that claim going forward.
In 2014, NBC Universal began filming a television show called “The Dig” which was to take place in, and be filmed in, Jerusalem. However, shortly after filming ended for the pilot episode, Hamas began attacking the city and NBC Universal was forced to move production to other locations. NBC Universal had purchased production insurance, and filed a claim with its carrier to offset the cost of the production changes. The carrier, OneBeacon Insurance Group, claimed that an “act of war” exclusion in the policy applied, and a US District Court agreed. The Ninth Circuit disagreed, arguing:
Both ‘war’ and ‘warlike action by a military force’ have a specialized meaning in the insurance context and the parties had, at the least, constructive notice of the meaning[.] … The district court erred when it failed to apply that meaning. Under that specialized meaning, both ‘war’ and ‘warlike action by a military force’ require hostilities between either de jure or de facto sovereigns, and Hamas constitutes neither[.] … Hamas’ conduct consisted of intentional violence against civilians[,] conduct which is far closer to acts of terror than ‘warlike action by a military force[.] ” In this instance, “De jure” refers to ‘”existing in law.”
In many cases, cyber breaches are attributed to groups affiliated with different nation-states (e.g., Fancy Bear, APT38, Clever Kitten, etc.), but which have not been formally tied to a particular nation. The actions are more akin to acts of terror than warlike action by a military force, and thus insurance companies will face a much higher bar when claiming that a cyber attack is the result of an act of war.