Is International Hacking an Act of War?

tank

Historians will tell you that, despite the bloodshed in the Middle East and Africa, we are currently in one of the most peaceful periods in human existence. However, this era of ostensible peace has us wondering what future war will look like. Recent events may have answered that question. American financial institutions, however, may not like the answer.

Bank Hacking

The US Federal Bureau of Investigation (FBI), National Security Agency (NSA) and Secret Service are investigating a recent hacking event involving the theft of sensitive employee data including senior management personal information. Sources are reporting that the hackers were operating out of an external nation.

International hackers are not a new phenomenon for American banks. They are one of the reasons that sales of cyber insurance has boomed in he last few years. These particular hackers however are reported to have been government-sponsored.  The FBI believes the government in question may have been looking to punish the U.S. for its recent economic and military actions.

Let me repeat that: American financial institutions have been the target of alleged state-sponsored attacks.

The Critical Question

If one country attacks another country’s industries, is that war?

This brings us to a critical question. If a sovereign state sponsors the theft or destruction of the private property of another state’s critical industries, isn’t that war? There may be no tanks or drones involved, but the cost of the damages may be equal or even higher than if explosives were detonated.

If all that were not worrisome enough, let me add another concern: War is not generally insurable.

War Exclusions

Most insurance policies, including most cyber policies, contain certain limitations resulting from an “Act of War.” Though war exclusions in cyber policies vary, they generally fall into four categories:

  1. Those that exclude war but are silent on “terrorism” and “government led actions to hinder acts of war”

    … alleging, arising out of, based upon or attributable to any :…(3)strikes or similar labor action, war, invasion, military action (whether war is declared or not), civil war, mutiny, popular or military uprising, insurrection, rebellion, revolution, military or usurped power, or any action taken to hinder or defend against any of these events…

  1. Those that exclude war, are silent on terrorism, but specifically exclude certain actions taken by governmental authority to hinder acts of war

    …based upon, arising out of or attributable to war including undeclared or civil war, warlike action by a military force including action in hindering or defending against an actual or expected attack by any government, sovereign or other authority using military personnel or other agents, or insurrection, rebellion, revolution, riot, usurped power, or action taken by governmental authority in hindering or defending against any of these

  1. Those that exclude war, are silent on terrorism, but specifically exclude certain actions taken by governmental authority and “acts of foreign enemies”

    Arising out of or resulting from, directly or indirectly occasioned by, happening through or in consequence of: war, invasion, acts of foreign enemies, hostilities (whether war be declared or not), civil war, rebellion, revolution, insurrection, military or usurped power or confiscation or nationalization or requisition or destruction of or damage to property by or under the order of any government or public or local authority

  1. And lastly those that are silent on war but exclude actions of of “domestic or foreign law enforcement, administrative, regulatory or judicial body or other governmental authority.”

    any action or order by any domestic or foreign law enforcement, administrative, regulatory or judicial body or other governmental authority


Insurers are reluctant to either remove these exclusions or define any of the words included in these exclusions. (The language can be cautious when it comes to defining whether that means a declared war.* )

What Then?

So if the probes under way by various government agencies determine that the attack was indeed state-sponsored, is that war? Will insurers in turn deny coverage because the losses were caused, not by private theft, but by one sovereign state hoping to inflict harm on another sovereign state?


This post was co-authored by Nadia N. Hoyte, Vice President at Willis’ FINEX North America practice since 2011.

 

*States loathe to officially ‘declare’ war in this day and age. The U.S. never formally declared war on North Vietnam, Afghanistan , or Iraq.

 

About Richard Magrann-Wells

Richard is a Executive Vice President with Willis Towers Watson’s Financial Institutions Group based in Los Angel…
Categories: Cyber Risk, Financial Services | Tags: , ,

Leave a Reply

Your email address will not be published. Required fields are marked *