Cyber Insurance is going to be the biggest growth industry in Insurance Law. The entire area is one impressive morass of unlitigated coverage issues waiting to find a courtroom. These issues are all extremely new (especially relative to the rest of property and casualty insurance, which is, even as law goes, ancient) and constantly evolving.
Anthony Zelle summarized the latest developments for the DRI Insurance Committee newsletter recently. His work highlights the recent developments in the field and points out some of the pending issues like the latest ISO exclusion, whether pre-exclusion CGLs cover data breaches (per Zurich v. Sony), what counts as "identity information", and what counts as a covered "computer virus".
But even scratching the surface, new issues are opening up every day. For example, remember that the FBI recently charged five members of the Chinese military with corporate espionage. Apparently, foreign government spying on U.S. companies is a major problem.
On first read, government-sponsored cyber crime might implicate the "war exclusion" found in some policies. A Travelers cyber risk policy designed to protect against data breaches, for example, provides as follows:
This CyberRisk Policy will not apply to any Claim or Single First Party Insured Event based upon or arising out of war, invasion, acts of foreign enemies, hostilities (whether war is declared or not), civil war, rebellion, revolution, insurrection, military or usurped power, confiscation, nationalization, requisition, or destruction of, or damage to, property by or under the order of any government, public or local authority; provided that this exclusion will not apply to any “act of terrorism” as defined in the Terrorism Risk Insurance Act, as amended.
Travelers Policy CYB-3001 Ed. 07-10, Exclusion A. 2. (This policy actually excludes trade secrets and other intellectual property coverage. It only protects against data breaches. I cite it solely as an example of a typical war exclusion.)
If Insured gets hacked by a foreign government, as the FBI alleged happened, and the policy has a war exclusion (that, for argument's sake, applies to intellectual property whether by case law or definition clause), should that hacking be excluded? I could see an Insurer arguing that government-sponsored cyber crimes are "acts of foreign enemies" (especially since the clause explicitly does not require a declared war to trigger). Or "destruction of, or damage to, property" (on the theory that stealing trade secrets damaged them to the extent one can damage intellectual property).
Another example would be something similar to Stuxnet, which (according to Krebs On Security) was "apparently created as a state-sponsored project to delay Iran’s nuclear ambitions." If an insured's property is destroyed by a weaponized virus courtesy of a foreign government, it is hard to see how it would not be excluded.
The same issue would also occur if a foreign government decided to go into the (in point of fact incredibly lucrative) identity theft business. That may seem alarmist, but the world is full of bad actors and there is a ready market for stolen identities. As written, this policy might not cover data breaches caused by government-sponsored hackers.
Obviously, insurance companies can just draft their way out of this. But I think it's a great example of how cyber liability will force us to rethink how we write policies. I never thought war exclusions were remotely important to Stateside clients before cyber insurance came along.