A cyber liability policy covers first-party liability (property and theft) and third-party liability (privacy and data security). First-party liability is for disclosure notification costs, crisis management expenses, business interruption expenses, damage resulting from theft, and damage resulting from threats (including the cost of professional negotiators and ransom). Third-party liability is for lawsuits that seek damages resulting from unauthorized access to or dissemination of an individual’s private information, intellectual property infringement and reputation injury (including suits alleging libel or slander). Damages incurred as a result of war are excluded from coverage under a cyber liability policy because it usually precludes coverage for damage arising from “insurrections,” “riots,” “civil commotion,” “hostilities,” and “acts of war.” Most cyber liability insurance policies don’t even define such terms.
The Second Circuit in Pan American World Airways v. Aetna Casualty & Surety Co. found that hijacking is not a warlike act because the language in the “war” exclusion all related to violent acts. While the action of hijacking in Pan American was found to be violent, the action was not state-sponsored and did not fit within the policy’s exclusion. If violence is a necessary component of establishing a warlike action, it is unlikely cyber espionage will fit within the war exclusion provision of a typical cyber liability policy. Cyber espionage usually amounts to, at most, theft and spying. And, in the field of international diplomacy, espionage in all forms has been long recognized as an acceptable and legal form of information gathering.
If the “war” and “terrorism” exclusions in a cyber liability policy preclude coverage, the issue for coverage then turns on the intent of the attacker and the definition of war and terrorism.