As warfare has evolved, has the insurance industry provided an adequate response?
At any point in time there will be war and hostilities taking place somewhere in the world. War- related risks are typically excluded from insurance policies and, where appropriate, written back in as extensions to cover or set out in separate insurance cover.
The standard war & civil war exclusion, NMA 464, was introduced following the Spanish Civil War of the 1930’s in the light of the realisation that ‘war’ was no longer the domain of the seas and military battlegrounds, but could lead to extensive damage to civilian towns when using long-range weapons.
Such destruction has sadly been seen in Ukraine in recent months. The invasion of Ukraine has also heightened existing concerns of an increase in ‘state-sponsored’ cyberattacks – ‘warfare’ in a different form. In today’s connected world, a cyberattack could impact anything from transport and utilities such as electricity supply to healthcare provision, with potentially widespread effects to people, property and organisations.
The underlying rationale behind the use of war exclusions was that the potential catastrophic losses of war, possibly crossing various insured sectors or types of policies, could jeopardise the solvency of insurers, so the usual means of assessing and predicting risks simply could not apply.
NMA 464 was not strictly limited to war – the word war being listed alongside civil war, rebellion, revolution, insurrection and so on. Amendments were introduced after the 9/11 attacks to take account of growing concerns of the separate risk of terrorism, which could be sizeable and affect many sectors at the same time, risking insurance industry capacity.
Meaning of war
With limited case law on the meaning of war, the primary approach is to apply the ordinary and popular meaning that a commercial person would use, having regard to all the policy terms and the purpose of the insurance contract. A Court would seek to identify the meaning intended by the parties to the insurance contract and not a technical legal meaning arising from international law.
It is not necessary, when considering the term ‘war’ in an insurance context, for there to be a formal declaration of war, and declarations of war have, in any event, become less fashionable. President Putin chose to describe the actions in Ukraine starting on 24 February 2022 as a ‘special military operation’.
Civil wars, such as that in Syria, are rarely declared as such and often have other nations involved too. It is difficult to define when a terrorist insurrection becomes a civil war. Quite when conflict becomes ‘war’ could still be problematic. However, it is a problem that is generally dealt with in war risks policies by the use of broad coverage language; words such as ‘war’, ‘civil war’, ‘terrorism’, ‘sabotage’, ‘political violence’, ‘riots’, ‘strikes’, ‘civil commotion’, ‘malicious damage’, ‘insurrection’, ‘revolution’ and ‘coup d’état’ may all be included in the wording. The breadth of the cover will depend on the language used.
Insurance sectors where war related risks could be insured
When insurance protection from the perils of war is provided, it has largely been in the domain of international transport, such as aviation, marine and cargo, or in relation to property. These risks are regularly monitored in terms of what realistically can be covered. For example, as regards marine hull related risks, the Joint War Committee updated the Listed Areas (where owners of vessels are required to notify underwriters of voyages due to perceived enhanced risk) on several occasions from mid-February 2022 onwards in respect of the Black Sea and Sea of Azov via JWLA-028, JWLA-029 and JWLA-030 and the position remains dynamic. In respect of property risks, insurers can rely on statements made in the proposal forms to restrict coverage in relation to ‘known conflict areas’.
Life policies often do not expressly exclude war risks, but an aggregate limit could apply with Group cover. At the application stage, a life cover applicant would typically (for individual/joint cover) be asked questions such as their occupation, whether they worked for the territorial army, whether they intend to go abroad other than on usual holidays and whether this could include countries that are perceived as higher risk, to assist with the assessment of the nature of the risk relating to that applicant.
Similarly, some life and travel insurers may offer cover for the separate risk of terrorism, subject to aggregate limits with Group cover.
In terms of Lloyd’s requirements, the general position is that, except in limited circumstances, war- related and NCBR (nuclear, chemical, biological or radioactive material used as a weapon) perils cannot be written without the prior agreement of Lloyd’s save for limited exemptions – see here.
Where there is a war / hostilities exclusion, sometimes a ‘passive war’ extension is agreed by the parties (although not generally for nationals in their country of origin) to provide an extension to conventional death or permanent total disability benefit cover if the insured person, beyond their control, is caught up in the consequences of war.
Changes post 9/11 – the RACE Clause
The RACE Clause (standing for Radioactive Contamination Exclusion) originated in the 1950’s from concerns that there might be an escape of radiation from a nuclear power station.
Concerns following 9/11 that a terrorist attack could involve a ‘dirty bomb’ – a conventional explosive with the addition of radioactive matter – led to the introduction of the Extended RACE Clause, which expanded the word ‘weapon’ to the phrase ‘weapon or device’. The Clause was also widened to exclude loss, damage or liability resulting from “the radioactive, toxic, explosive or other hazardous or contaminating properties of any radioactive matter”.
Were a Ukrainian-based nuclear power station to be damaged during the current conflict (which at one point was thought to have been a possibility at Chernobyl), leading to a spread of radiation, the nature and scope of the RACE Clause will come under close scrutiny.
Further changes were later introduced to the Extended RACE Clause – known as CL370 – due to concerns that electromagnetic pulse weapons could be used in an attack, which could disable electrical equipment including computers in a radius around the site of the explosion.
‘All-risks’ property policies would typically contain a war / hostilities exclusion and potentially have the option for a variety of extensions to cover, where agreeable. The prevalence of separate standalone cyber policies has also grown in recent years.
In 2017, the NotPetya malware attack first affected Ukrainian businesses via accountancy software on the eve of their Constitution Day. The name comes from the fact that it was not the ransomware known as Petya. The attack differed because once data was encrypted it was lost, and there was no decryption key that a victim could obtain by paying a ransom.
The malware attack spread, impacting a variety of business sectors across the globe. This cyberattack was widely attributed to the Russian Federation military and litigation ensued when war / hostilities exclusions were relied upon by ‘all-risks’ property insurers to avoid paying claims.
One such case is Merck v ACE in the US state of New Jersey. The exclusion in the property cover stated:
“A. 1) Loss or damage caused by hostile or warlike action in time of peace or war, including action in hindering, combating, or defending against an actual, impending, or expected attack:
a) by any government or sovereign power (de jure or de facto) or by any authority maintaining or using military, naval or air forces;
b) or by military, naval, or air forces;
c) or by an agent of such government, power, authority or forces;
This policy does not insure against loss or damage caused by or resulting from Exclusions A, B, or C, regardless of any other cause or event contributing concurrently or in any other sequence to the loss.”
Merck successfully argued that the cyberattack was not a hostile or warlike act, and that the exclusion did not apply as the cyberattack did not involve traditional warfare – despite the word ‘traditional’ not appearing in the exclusion. ACE have since appealed and developments are awaited in connection with this $1.4bn case.
War / hostilities-related exclusions are generally wide. In order to preserve a functioning and solvent industry, it is important that it retains the ability to responsibly assess the nature of risks that it can reasonably be anticipated to respond to.
The New Jersey Court’s rationale in the Merck case was that the cyberattack did not involve ‘traditional’ hostile activities; however, the word ‘traditional’ was not expressly used in the exclusion, so it was logical for that decision to face an appeal. A further flaw in that decision is that the case law that was referred to by the New Jersey Court would have been relatively old – there are few decisions to refer to and cyberattacks would not have been in contemplation at the time of those decisions.
A further difficulty faced by the courts is that cyberattacks are wide-ranging and a variety of methods of destruction and disruption are used. For example, in May 2021, a cyberattack was carried out on Ireland’s healthcare service (the Health Service Executive). This meant that health staff reverted to a paper system and appointments in some sectors of healthcare dropped by 80% in the days following the attack. Radiology departments were particularly affected due to their reliance on computers, along with cancer treatment. Although, the Russian-based ransomware group – Conti – reportedly handed over the encryption key, apparently for free, a week into that incident (rather than requiring the alleged £14m ransom), the effects of the attack were still being felt months later.
In 2018, in recognition of the widespread damage that terrorists could inflict by cyberattacks, the cover provided by the UK Government backed Pool Re was expanded to include damage by ‘remote digital interference’.
As cyber risks could arise in relation to a number of different scenarios, the UK insurance industry (through the Lloyd’s Market Association (LMA)), in November 2021 published four model cyber war and cyber operation exclusion clauses for standalone cyber insurance policies: LMA5564, LMA5565, LMA5566 and LMA5567 – see here. These are intended to provide options to Lloyd’s syndicates and promote consistency (which shall assist both brokers and insureds / customers), though LMA members remain free to devise their own wording or adapt the model clauses.
The rationale behind these model exclusions is to seek expressly to take into account modern conflict techniques whilst striking the balance between preventing uncontrollable accumulation of risks and providing carve-back of practical cover for insureds. It remains to be seen whether that will be achieved. Likewise, the extent to which war risks and allied perils insurance and reinsurance wordings will develop specific sections covering losses arising from cyberattack / remote digital interference (and how it will be aggregated; traditional event language involving unities of intent, cause, time and location would not seem very appropriate).
T: 0203 697 1910
M: 0750 182 5588
T: 0203 697 1906
M: 07780 221676
T: 0203 697 1902
M: 0788 764 5262
“This information has been prepared by Carter Perry Bailey LLP as a general guide only and does not constitute advice on any specific matter. We recommend that you seek professional advice before taking action. No liability can be accepted by us for any action taken or not as a result of this information, Carter Perry Bailey LLP is a limited liability partnership registered in England and Wales, registered number OC344698 and is authorised and regulated by the Solicitors Regulation Authority. A list of members is available for inspection at the registered office 10 Lloyd’s Avenue, London, EC3N 3AJ.”