Executive Order 13873 Could Expand The Reach Of War Exclusions In Cyber Policies
By Daniel Garrie (July 16, 2019)
On May 15, 2019, President Donald Trump issued Executive Order 13873, “Securing the Information and Communications Technology and Services Supply Chain,” which prohibits high-risk information technology transactions with entities under the jurisdiction of a “foreign adversary,” as determined by the Secretary of Commerce. While the executive order will affect buyers and sellers in a variety of industries, it’s influence may even extend to cyber insurance litigation.
One area that may be affected is the interpretation of the standard war exclusion included in most cyber insurance policies as it applies to cyber hostilities. Specifically, the executive order may be interpreted as conflating private entities in foreign adversary jurisdictions with the foreign adversaries themselves, which could significantly broaden the range of entities that trigger the war exclusion under the terms of many cyber insurance policies. This could lead to a wave of coverage denials under the war exclusion and potentially a reconsideration of this standard policy language in the context of cyber.
As evidenced by Mondelez International’s recent lawsuit against Zurich American, the war exclusion is the latest battleground for cyber insurance litigation. The war exclusion at issue in the Mondelez lawsuit represents the language seen in many cyber insurance policies and reads:
“This Policy excludes loss or damage directly or indirectly caused by or resulting from any of the following regardless of any other cause or event, whether or not insured under this Policy, contributing concurrently or in any other sequence to the loss:
“[…] hostile or warlike action in time of peace or war, including action in hindering, combating or defending against an actual, impending or expected attack by any: (i) government or sovereign power (de jure or de facto); (ii) military, naval, or air force; or (iii) agent or authority of any party specified in i or ii above.”
One of the biggest challenges in applying traditional war exclusion language in the cyber context is proving that a particular hostile cyber operation was conducted by a state actor or is otherwise legally attributable to a state. Attributing cyberattacks is always a challenge, but it is particularly difficult in the context of state actors because cyber attacks executed for the benefit of a state are often put into action by citizens or private entities with only tenuous or heavily obscured connections to the state.
The language of the executive order appears to be designed to address this issue. The executive order prohibits:
“Any acquisition, importation, transfer, installation, dealing in, or use of any information and communications technology or service (transaction)…where the Secretary of Commerce (Secretary)…has determined that:
“(i) the transaction involves information and communications technology or services designed, developed, manufactured, or supplied, by persons owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary; and
“(ii) the transaction:
“(A) poses an undue risk of sabotage to or subversion of the design, integrity, manufacturing, production, distribution, installation, operation, or maintenance of information and communications technology or services in the United States;
“(B) poses an undue risk of catastrophic effects on the security or resiliency of United States critical infrastructure or the digital economy of the United States; or
“(C) otherwise poses an unacceptable risk to the national security of the United States or the security and safety of United States persons.”
The italicized text above appears to imply that any citizen or entity under the jurisdiction of a foreign adversary is automatically associated with the foreign adversary regarding malicious cyber operations. In the president’s eyes, the unrestricted acquisition of information technology goods and services with entities under the jurisdiction of a foreign adversary “augments the ability of foreign adversaries to create and exploit vulnerabilities.” In this way, the executive order may be interpreted as an attempt to break down the dichotomy between private entities and state actors that has contributed to the challenge of attributing cyber operations to state actors.
Insurers may use this to support their arguments for denying coverage under the war exclusion in instances where a cyber attack can be traced in any way to entities subject to the jurisdiction of a foreign state. Given there is no legal precedent for the applicability of the war exclusion to cyber operations, citing the executive order could be persuasive. At the very least, it would give the courts a sense of the commander in chief’s stance on the issue.
From the president’s perspective, the conceptual goal of establishing and characterizing foreign adversaries in the context of a cyber setting may be even more important than the practical goal of prohibiting high-risk technology transactions. The executive order only applies to transactions involving entities that the secretary of commerce considers foreign adversaries. While there are practical reasons to focus preventative measures on entities with a history of targeting the United States, the executive order does nothing to address the possibility that a severe cybersecurity risk could come from an entity that the secretary of commerce has not classified as a foreign adversary.
The singular focus on foreign adversaries implies that the commercial mandate of the executive order is merely a vehicle through which the president can push the idea that private entities are helping foreign adversaries engage in cyber attacks and therefore should be considered foreign adversaries as well.
In the context of cyber insurance litigation, courts might find that the president’s perspective has merit and maybe they won’t. While it is undoubtedly true that some private entities cooperate with state actors to commit cyber attacks, courts may be reluctant to assume that all do so.
Regardless, the president’s viewpoint is out there, right or wrong, and defending the nation against cyber warfare is ultimately his responsibility. Without the refuge of legal precedent, courts will be forced to at least consider this perspective. And if courts find it persuasive, even to a small degree, it could radically alter the landscape of cyber insurance by opening new possibilities for insurers looking to deny claims under the war exclusion.