On May 15, 2019, President Donald Trump issued Executive Order 13873, “Securing the Information and Communications Technology and Services Supply Chain,” which prohibits high-risk information technology transactions with entities under the jurisdiction of a “foreign adversary,” as determined by the Secretary of Commerce. While the executive order will affect buyers and sellers in a variety of industries, it’s influence may even extend to cyber insurance litigation. 

One area that may be affected is the interpretation of the standard war exclusion included in most cyber insurance policies as it applies to cyber hostilities. Specifically, the executive order may be interpreted as conflating private entities in foreign adversary jurisdictions with the foreign adversaries themselves, which could significantly broaden the range of entities that trigger the war exclusion under the terms of many cyber insurance policies. This could lead to a wave of coverage denials under the war exclusion and potentially a reconsideration of this standard policy language in the context of cyber.

As evidenced by Mondelez International’s recent lawsuit against Zurich American, the war exclusion is the latest battleground for cyber insurance litigation. The war exclusion at issue in the Mondelez lawsuit represents the language seen in many cyber insurance policies and reads:

“This Policy excludes loss or damage directly or indirectly caused by or resulting from any of the following regardless of any other cause or event, whether or not insured under this Policy, contributing concurrently or in any other sequence to the loss:

“[…] hostile or warlike action in time of peace or war, including action in hindering, combating or defending against an actual, impending or expected attack by any: (i) government or sovereign power (de jure or de facto); (ii) military, naval, or air force; or (iii) agent or authority of any party specified in i or ii above.”

One of the biggest challenges in applying traditional war exclusion language in the cyber context is proving that a particular hostile cyber operation was conducted by a state actor or is otherwise legally attributable to a state. Attributing cyberattacks is always a challenge, but it is particularly difficult in the context of state actors because cyber attacks executed for the benefit of a state are often put into action by citizens or private entities with only tenuous or heavily obscured connections to the state.

To read the full article, go to Forbes