Abstract

Definitions of war found in cyber insurance policies provide a novel window into the concept of cyber war. Mediated by market forces, changes in policy wording reflect shifting expectations surrounding technology and military strategy. Legal cases contesting war clauses probe state-formulated narratives around war and offensive cyber operations. In a recent legal case, an insurer refused to pay a property insurance claim by arguing that the cause of the claim—the NotPetya cyberattack—constitutes a hostile or warlike action. To understand the implications, we build a corpus of 56 cyber insurance policies. Longitudinal analysis reveals that some specialist cyber insurance providers introduced policies without war clauses until as late as 2012. Recent years have seen war exclusions weakened as cyber insurance policies affirmatively cover “cyber terrorism”. However, these clauses provide few explicit definitions; rather, they prompt a legal discourse in which evidence is presented and subjected to formal reasoning. Going forward, war clauses will evolve so insurers can better quantify and control the costs resulting from offensive cyber operations. This pushes insurers to affirmatively describe the circumstances in which cyber conflict is uninsurable.

Notes

  1. He states “non-violent cyberattacks could cause economic consequences without violent effects that could exceed the harm of an otherwise smaller physical attack” (p. 3) and points to Waxman (2011).

  2. This abstract formulation of damage obscures the political question of damaging for whom. For example, focusing on economic consequences alone ignores privacy harms suffered by users, which do not translate into economic cost.

  3. Many of the victims resided in Russia, including the state oil company.

  4. Although this was a property policy, it contained terms affirmatively providing coverage for “damage to electronic data, programs, or software” (Corcoran 2019). The industry differentiates between affirmative cyber insurance coverage, which explicitly covers costs resulting from cyberattacks, and silent cyber coverage, which provides coverage for cyberattacks due to unintentional ambiguity. One can expect that affirmative cyber insurance policies reflect expectations about cyber risk, whereas silent cyber coverage does not. The industry is moving to eradicate silent cyber coverage (Woods and Simpson 2017).

  5. Physical kidnap insurance provides a fascinating counter-example in which insurers bring order to regions where the state’s monopoly on violence has broken down (Lobo-Guerrero 2012b; Shortland 2019).

  6. https://www.lloyds.com/~/media/files/the-market/i-am-a/delegated-authority/market-bulletin/2017/y5065--us-tria-compliance-for-cyber-insurance-policies.pdf.

  7. Conversations with industry insiders suggest the biggest cyber insurance providers were all including war exclusions around this time. Unfortunately, regulatory filings do not provide the market share of a given policy so we cannot evaluate this.

  8. Slupska (2020) argues that the metaphor of cyber war undermines international collaboration, leading to a self-fulfilling prophecy.

  9. A data analytics company, QOMPLX, who have recently launched an MGA, are the exception.

  10. Refer to Romanosky et al. (2019) for a more detailed explanation. They suggest there is little variation across admitted and non-admitted markets.

  11. Future work could track how wordings are updated over time. This may reveal war clauses offered by one insurer changing over time.

References

  • Anderson, R., C. Barton, R. Böhme, R. Clayton, M.J. Van Eeten, M. Levi, T. Moore, and S. Savage. 2013. Measuring the cost of cybercrime. In The economics of information security and privacy, ed. R. Böhme, 265–300. Berlin: Springer.

  • Anderson, R.J. 1994. Liability and computer security: Nine principles. In Proceedings of the European Symposium on Research in Computer Security, pp. 231–245. Berlin: Springer.

  • Arquilla, J., and D. Ronfeldt. 1993. Cyberwar is coming! Comparative Strategy 12 (2): 141–165.

  • Baker, T. 1996. On the genealogy of moral hazard. Texas Law Review 75: 237.

  • Baker, T. 2010. Insurance in sociolegal research. Annual Review of Law and Social Science 6: 433–447.

  • Baker, T., and J. Simon. 2010. Embracing risk: The changing culture of insurance and responsibility. Chicago: University of Chicago Press.

  • Ben-Shahar, O., and K.D. Logue. 2012. Outsourcing regulation: How insurance reduces moral hazard. Michigan Law Review 111: 197.

  • Bendrath, R., J. Eriksson, and G. Giacomello. 2007. From ‘Cyberterrorism’ to ‘Cyberwar’, back and forth: How the United States securitized cyberspace. In International relations and security in the digital age, ed. J. Eriksson and G. Giacomello, 77–102. London/New York: Routledge.

  • Blomfield, A. 2007. Estonia calls for a NATO strategy on ‘Cyber-terrorists’ after coming under attack. The Daily Telegraph, May 18.

  • Buzan, B., O. Wæver, O. Wæver, J. De Wilde, et al. 1998. Security: A new framework for analysis. Boulder: Lynne Rienner Publishers.

  • Carroll, S.J., D.R. Hensler, J. Gross, E.M. Sloss, and M. Schonlau. 2005. Asbestos litigation. Santa Monica: Rand Corporation.

  • Cavelty, M.D. 2008. Cyber-terror—looming threat or phantom menace? The framing of the US cyber-threat debate. Journal of Information Technology & Politics 4 (1): 19–36.

  • Clarke, R.A., and R.K. Knake. 2014. Cyber war. New York: Tantor Media, Incorporated.

  • Coburn, A., E. Leverett, and G. Woo. 2018. Solving cyber risk: Protecting your company and society. New Jersey: Wiley.

  • Corcoran, B. 2019. What Mondelez v. Zurich may reveal about cyber insurance in the age of digital conflict. Lawfare. https://www.lawfareblog.com/what-mondelez-v-zurich-may-reveal-about-cyber-insurance-age-digital-conflict.

  • Department of the Treasury. 2016. Guidance concerning stand-alone cyber liability insurance policies under the terrorism risk insurance program. [Online; accessed 27-Jan-2020].

  • Egloff, F.J. 2020. Contested public attributions of cyber incidents and the role of academia. Contemporary Security Policy 41 (1): 55–81.

  • Elliott, R. 2019. ‘Scarier than another storm’: Values at risk in the mapping and insuring of us floodplains. The British Journal of Sociology 70 (3): 1067–1090.

  • Ericson, R.V., and A. Doyle. 2004. Uncertain business: Risk, insurance and the limits of knowledge. Toronto: University of Toronto Press.

  • Ericson, R.V., A. Doyle, and D. Barry. 2003. Insurance as governance. Toronto: University of Toronto Press.

  • Evans, S. 2019. Petya cyber industry loss passes $3bn driven by Merck silent cyber: PCS Reinsurance News.

  • Greenberg, A. 2019. Sandworm: A new era of cyberwar and the hunt for the Kremlin’s most dangerous hackers. New York: Doubleday.

  • Grigsby, A. 2017. The end of cyber norms. Survival 59 (6): 109–122.

  • Hansen, L., and H. Nissenbaum. 2009. Digital disaster, cyber security, and the Copenhagen school. International Studies Quarterly 53 (4): 1155–1175.

  • Haufler, V. 1997. Dangerous commerce: Insurance and the management of international risk. New York: Cornell University Press.

  • Hayek, F.A. 1945. The use of knowledge in society. The American Economic Review 35 (4): 519–530.

  • Henriksen, A. 2019. The end of the road for the UN GGE process: The future regulation of cyberspace. Journal of Cybersecurity 5 (1): 1–9.

  • Herr, T. 2019. Cyber insurance and private governance: The enforcement power of markets. Regulation & Governance. https://doi.org/10.1111/rego.12266.

  • Hurel, L.M., and L.C. Lobato. 2018. Unpacking cyber norms: Private companies as norm entrepreneurs. Journal of Cyber Policy 3 (1): 61–76.

  • Kello, L. 2017. The virtual weapon and international order. London: Yale University Press.

  • Kratochwil, F.V. 1991. Rules, norms, and decisions: On the conditions of practical and legal reasoning in international relations and domestic affairs, vol. 2. Cambridge: Cambridge University Press.

  • Lerner, M. 1937. Constitution and court as symbols. The Yale Law Journal 46 (8): 1290–1319.

  • Lewis, J.A. 2002. Assessing the risks of cyber terrorism, cyber war and other cyber threats. DC: Center for Strategic & International Studies Washington.

  • Lobo-Guerrero, L. 2012a. Insuring war: Sovereignty, security and risk. Oxon/New York: Routledge.

  • Lobo-Guerrero, L. 2012b. Lloyd’s and the moral economy of insuring against piracy: Towards a politicisation of marine war risks insurance. Journal of Cultural Economy 5 (1): 67–83.

  • Lubin, A. 2019. The insurability of cyber risk. Available at SSRN: https://ssrn.com/abstract=3452833 or https://doi.org/10.2139/ssrn.3452833.

  • McQuade, M. 2018. The untold story of NotPetya, the most devastating cyberattack in history. Wired.

  • Mondelez v. Zurich. 2018. Complaint in Mondelez International, Inc. v. Zurich American Insurance Company WL 4941760 (Circuit Court of Illinois.) (Trial Pleading).

  • Montoya v. United States. 1901. Verdict 180 U.S. 261 (U.S. Supreme Court).

  • Mueller, M., K. Grindal, B. Kuerbis, and F. Badiei. 2019. Cyber attribution. The Cyber Defense Review 4 (1): 107–122.

  • Mueller, M. L. 2019. Against Sovereignty in Cyberspace. International Studies Review. viz044.

  • North, M. 2013. Boston bombings: Obama condemns ’act of terrorism’. BBC.

  • O’Malley, P. 1991. Legal networks and domestic security. Studies in Law, Politics and Society 11 (1): 165–184.

  • Pan Am v. Aetna. 1973. Pan American World Airways, Inc. v. Aetna Cas. Sur. Co. Verdict 368 F. Supp. 1098 (S.D.N.Y. 1973).

  • Ralph, O. 2017. Cyber insurance market expected to grow after wannacry attack. The Financial Times.

  • Rid, T. 2013. Cyber war will not take place. New York: Oxford University Press.

  • Rid, T., and B. Buchanan. 2015. Attributing cyber attacks. Journal of Strategic Studies 38 (1–2): 4–37.

  • Risse, T. 2000. “Let’s argue!”: Communicative action in world politics. International Organization 54 (1): 1–39.

  • Romanosky, S. 2016. Examining the costs and causes of cyber incidents. Journal of Cybersecurity 2 (2): 121–135.

  • Romanosky, S., and B. Boudreaux. 2019. Private sector attribution of cyber incidents. RAND Corporation working paper series.

  • Romanosky, S., A. Kuehn, L. Ablon, and T. Jones. 2019. Content analysis of cyber insurance policies: How do carriers price cyber risk? Journal of Cybersecurity. https://doi.org/10.1093/cybsec/tyz002.

  • Schneier, B. 2001. Insurance and the computer industry. Communications of the ACM 44 (3): 114–114.

  • Shortland, A. 2019. Kidnap: Inside the ransom business. Oxford: Oxford University Press.

  • Simpson, T.W. 2014. The wrong in cyberattacks. In The ethics of information warfare, vol. 14, ed. L. Floridi and M. Taddeo. Cham: Springer International Publishing.

  • Singer, P. W., and N. Shachtman. 2011. The wrong war: The insistence on applying cold war metaphors to cybersecurity is misplaced and counterproductive. Brookings Government Executive 12.

  • Slupska, J. 2020. War, health, & ecosystem: Generative metaphors in cybersecurity governance. Philosophy & Technology, Forthcoming.

  • Smeets, M. 2018. A matter of time: On the transitory nature of cyberweapons. Journal of Strategic Studies 41 (1–2): 6–32.

  • Strange, S. 1996. The retreat of the state: The diffusion of power in the world economy. Cambridge: Cambridge University Press.

  • Strange, S. 2015. States and markets. London: Bloomsbury Publishing.

  • Sullivan, C. 2016. The 2014 Sony hack and the role of international law. Journal of National Security Law & Policy 8 (3): 1–27.

  • Talesh, S.A. 2018. Data breach, privacy, and cyber insurance: How insurance companies act as “compliance managers” for businesses. Law & Social Inquiry 43 (2): 417–440.

  • Taylor, Z.J. 2020. The real estate risk fix: Residential insurance-linked securitization in the Florida metropolis. Environment and Planning A Economy and Space. https://doi.org/10.1177/0308518x19896579.

  • Thoyts, R. 2010. Insurance theory and practice. Oxon/New York: Routledge.

  • United Nations. 1978. Legal and documentary aspects of the marine contract. United Nations Conference on Trade and Development.

  • Vicente, C. 1995. War risk insurance. Neptunus Law Review 1 (4): 1–19.

  • Waxman, M.C. 2011. Cyber-attacks and the use of force: Back to the future of article 2 (4). Yale Journal of International Law 36: 421.

  • Weinkle, J. 2015. A public policy evaluation of Florida’s citizens property insurance corporation. Journal of Insurance Regulation 34: 1.

  • Weinkle, J. 2019. Experts, regulatory capture, and the “governor’s dilemma”: The politics of hurricane risk science and insurance. Regulation & Governance. https://doi.org/10.1111/rego.12255.

  • Wendt, A. 1992. Anarchy is what states make of it: The social construction of power politics. International Organization 46 (2): 391–425.

  • Woods, D.W., and T. Moore. 2020. Does insurance have a future in governing cybersecurity? IEEE Security Privacy 18 (1): 21–27.

  • Woods, D. W., T. Moore, and A. C. Simpson (2019). The county fair cyber loss distribution: Drawing inference from insurance prices. In Proceedings of The 18th Workshop on the Economics of Information Security (WEIS 2019).

  • Woods, D.W., and A.C. Simpson. 2017. Policy measures and cyber insurance: A framework. Journal of Cyber Policy 2 (2): 209–226.

Acknowledgements

The authors would like to thank the reviewers for the thoughtful comments on an exploratory research project. It began as an abstract submitted to The Hague Program for Cyber Norms, who were very generous in offering support to early career researchers crossing disciplines. A second round of insightful, if slightly bruising, comments was offered by The Center for Security Studies at ETH Zurich; thanks in particular to Myriam Dunn Cavelty for making that happen.

Author information

Corresponding author

Correspondence to Daniel W. Woods.

Appendix: data collection and analysis

Our data only relates to the admitted market in California (see Note 10). We obtained regulatory filings using the same search as Woods et al. (2019):

“We extracted rate schedules related to cyber insurance by searching with keywords “cyber”, “security” and “privacy”, as in Romanosky et al. (2019).”

We only collected filings with type “new program” because these represent entirely new filings (see Note 11) and they also contain documents related to how insurance is priced. This allowed us to determine whether the insurer was selling a flat rate policy or more sophisticated standalone policies. We then extracted policy wording and the date on which the policy was filed. Note the regulator must approve the filing before policies can be sold.

Our inductive approach consisted of first reading through the policy. We consider the policy to be both the general provisions and the specific endorsements found within the filing. We cannot track terms and conditions contained in other filings nor any wordings that are negotiated after the fact. We aimed to identify any war or terrorism clauses and definitions. These were generally found in the exclusions section. We also searched each document for terms including “war”, “terrorism” and “hostility”. Each exclusion was extracted, along with any sub-clauses and relevant definitions, and can be found in the following section.

The clauses are essentially lists with little grammatical complexity. We thus conducted a simplistic inductive content analysis to identify which terms are included in this list. The similarities in wordings across documents made this task relatively straightforward. The main difficulties lay in deciding which terms could be grouped together. The results are described in Table 2.

Figures 1 and 2 result from a coarse mapping of each clause to one of three categories: no war clause, war or terrorism clause, and cyber-specific qualifier. A policy without any war clause was mapped to the first. War clauses were classified as cyber-specific qualifier if they contained any terms like cyber, network security or “acts perpetuated electronically”.

Cite this article

Woods, D.W., Weinkle, J. Insurance definitions of cyber war. Geneva Pap Risk Insur Issues Pract 45, 639–656 (2020). https://doi.org/10.1057/s41288-020-00168-5
