In War and Peace: Cyber Coverage and War Exclusion

In the face of escalating war in Ukraine, most of eastern Europe is fearful that the armed conflict could escalate and quickly spill across their borders.

While greater physical distance provides an illusion of greater safety, it is by no means a stretch to assert that the entire world is apprehensive about the potential direct and indirect effects of this war on their daily lives. Moreover, cyber experts have warned that most of our important institutions are not sufficiently prepared to successfully withstand any form of cyber attack, and that it would be a mistake to assume that such attacks will remain limited to Ukrainian targets[1]; targets could include foreign governments and their associated services, businesses and banking institutions and even private citizens.

What’s more, the enemy behind these attacks is less certain than ever: are the perpetrators sponsored by nation-states, individuals, entities or developers, or are these simply vigilante attacks? Should such an attack happen, would a carrier be able to successfully raise a war exclusion in a cyber-policy? The answer is, as always, it depends.

A recent US decision in Merck v. ACE American Insurance Company, et al. addresses this question in detail; but before answering that question, we must consider a brief history of the War Exclusion Clause. War Exclusion Clauses are included in most standard property and liability policies around the world. A standard definition of “war risks” found in a Commercial General Liability Policy reads as follows:

War Risks

“Bodily injury” or “property damage” due to war, invasion, act of foreign enemy, hostilities (whether war be declared or not), civil war, rebellion, revolution, insurrection or military power.

These exclusion clauses date back to the marine insurance market, which dealt with “perils of the sea”. As stated by an American court:[2]

The purpose of a war risk exclusion is to eliminate an insurer’s liability in circumstances in which it is impossible to evaluate the risks. The clause effectuates this purpose by excluding coverage for claims occasioned by the special hazards of war. … The risk inherent in military service waging war is not contemplated in the premiums, which are based upon civilian accident and mortality experience.

This exclusion clause has been considered in Canada in policies such as a pollution liability policy[3] and all-risks policies[4]. In the latter, Club de Golf Oka inc. made a first party claim against its insurer following what is known as the “Oka Crisis” in 1990, where members of the First Nations erected a barricade in the area surrounding the golf club, preventing vehicles from freely circulating. The Canadian army was asked to intervene after the death of a policeman. The insurer denied coverage and claimed it was an “insurrection” that was excluded under the Policy. It should be borne in mind that the exclusion clause of the policy in question specifically lists, in the same clause, “civil war, invasion, hostilities, rebellion, revolution and insurrection”. After a detailed review of the facts, the Court in Oka held that the exclusion was unenforceable. Specifically, it was held that had the insurer wanted to exclude the risk of an event of major disturbances or severe crises, as happened in Oka in 1990, they should have foreseen it, and written it expressly, clearly and unambiguously. This was not the case and as such the Court held that doubt, ambiguity and/or uncertainty are always to be interpreted in favor of the insured.

Similarly, a recent decision was also rendered in the context of an all-risks policy in Merck v. Ace following an aggressive malware attack. In June 2017, Merck’s computers were infected by malware which affected their computers in many countries around the world. The “NotPetya” program infected 40 000 of Merck’s computers and cost the pharmaceutical giant $1.4 B in losses. Merck had purchased an “all-risks policy” which provided coverage for “loss or damage resulting from destruction or corruption of computer data and software”. Merck’s insurer argued that the attack was an act of war perpetrated by the Russian Federation as part of an offensive against Ukraine. Merck argued that it was not an official state action, but rather was a form of ransomware, and moreover that even if it was instigated by Russia to harm Ukraine, the exclusion would still not apply.

The Court in Merck held that it was noteworthy that the claim was made under an all-risks policy which “created a special type of insurance extending to risks not usually contemplated, and recovery under the policy will generally be allowed unless the policy contains a specific exclusion.” After a thorough review of case law on war exclusions, the Court “hesitantly” found “that the exclusion does not apply”. In coming to this conclusion, the Court stated that no court has applied a war or hostile acts exclusion to anything remotely close to the facts presented to them. The evidence suggested that the language used in these policies had remained virtually unchanged for many years. It was also self-evident, of course, that both parties to this contract were aware that various forms of cyber attacks, regardless of the source, have become more common. Despite this knowledge, the Insurer did nothing to change the language of the exemption and to reasonably put their insured on notice that it intended to exclude cyber attacks, despite having had the opportunity and ability to do so. The Insurer having failed to change this policy wording, Merck had every right to anticipate that the exclusion applied only to traditional forms of warfare, and the court found that the exclusion was not applicable to the facts presented.[5] To our knowledge, there are no similar decisions involving malware in Canada for the time being.

While cyber-specific coverage is increasingly available on the market, the policies also frequently include exclusions involving War and Terrorism. This is problematic as such exclusions could be so broad that cyber insurance coverage could eventually be of questionable utility in the face of the increasingly technologically driven and geopolitical climate. Many solutions to this issue are being considered but it is critical for consumers to be aware of the breadth and limitations of the cyber coverage purchased by them and for insurers to update their policy language to reflect the true intentions of the parties.

Carriers should consider abandoning the traditional exclusions written before the rise of our technologically connected world and, in light of the above, adopt precise and technology-driven wording in their policies, to increase clarity of coverage while providing appealing products to clients in this emerging market space.


By Mary Delli Quadri and Alexandra Kallos

[1] Glenn S. Gerstell, I’ve Dealt with Foreign Cyberattacks. America Isn’t Ready for What’s Coming, March 4, 2022.

[2] Diamond Shamrock Chemicals Co. v. Aetna Casualty & Surety Co., 609 A.2d 440 (N.J. Super. A.D. 1992), at pp. 472–3.

[3] Pilot Insurance Co. v. Tyre King Tyre Recycling Ltd (1992), 10 C.C.L.I. (2d) 264, [1992] I.L.R. ¶ 1-2851 (Ont. Ct. (Gen. Div.)).

[4] Club de Golf Oka inc. v. Continentale Compagnie d’Assurance du Canada, (1996) R.J.Q. 993 (S.C.), affd (1990) J.Q. No. 2616 (C.A.), leave to appeal to the SCC refused April 20, 2000.

[5] Merck & Co. Inc., and International Indemnity, LTD v. ACE American Insurance Company, et al., UNN-L-2682-18, p. 10-11.