Although cyber insurance is generally written via manuscript policies, which are thus unique in nature, cyber policies are becoming more robust and encompassing. However, one particular exclusion exists in the overwhelming majority of cyber insurance policies: cyber-attacks involving nation state hackers. While government-affiliated cybercriminals have been at the crux of recent cyber-talk, cyber insurance policies often “explicitly exclude acts of war and ‘warlike operations.’” Many policies “also exclude acts of broadly defined foreign enemies, government actors and terrorism,” said Robert Morgus, a policy analyst in New America’s International Security Program. This raises the question: who, then, is responsible for attributing the cyber-attack following a cyber insurance claim?
A recent CyberScoop article suggests that carriers will likely avoid taking the insured to court over attribution of a cyber-attack. “Generally speaking, liability exclusion details are difficult to study because most cyber insurance contracts are confidential in nature,” Morgus explained. “Legal experts say there has yet to be a case where the insurance company or a breach victim have specifically challenged the attribution of an attack in court.” Nonetheless, exclusions regarding “acts of war” by “nation state hackers” are common, and in order to attribute the attack to the cybercriminal(s), the insurer will ultimately have to bear the costs of a digital forensic investigation. As a result, it is believed that carriers will continue to avoid such a potentially messy legal battle over attribution.