By: Kate Fazzini
The question that has haunted cyber insurance since NotPetya — when does a cyberattack count as an act of "war" that voids coverage — is back in front of underwriters and, increasingly, courts.
An Atlantic Council commentary this quarter noted that revised war-exclusion language, intended to give insurers clearer footing, has instead shifted the fight to attribution: an exclusion that hinges on state sponsorship forces the insurer to prove which government stood behind an attack, using the same murky evidence that frustrates policymakers. The result is uncertainty for exactly the critical-infrastructure buyers who most need reliable coverage.
JLCW authors anticipated this. "Cyber Insurance: An Incentive Alignment Solution to Corporate Cyber-Insecurity" (Volume 7, Issue 2) argues that insurance can push firms toward better security — but only if coverage terms are predictable enough to price. War-exclusion ambiguity undercuts precisely that alignment.
For the full analysis of how insurance can and cannot discipline corporate cyber risk, read the Journal of Law and Cyber Warfare, Volume 7, Issue 2. – Kate Fazzini