Commercial property and liability insurance policies typically contain exclusions for terrorist acts. Terrorism exclusions became industry standard following 9/11, the largest single insured loss ever, with estimated damages between $30 billion and $70 billion. With reinsurers thereafter making the terrorism exclusion a condition of reinsurance, primary carriers quickly adopted terrorism exclusions that are so common today that it’s pretty much taken for granted that policies will include them.
The London-based Cyber Risk and Insurance Forum (CRIF) recently offered two statistics illustrating why the same fait accompli attitude cannot be taken with respect to cyberinsurance. CRIF reported that 58% of hacking activity emanates from entities or individuals that could be characterized as terrorists, or “hacktivists,” meaning that the breach had political, social, religious or other similar motivations. CRIF further reported that in the London market, nearly 80% of policies examined excluded this type of risk. Simply stated, a majority of policies did not cover a majority of the relevant risk.
There is no case law illustrating what is and what isn’t cyber terrorism. There have, however, been headline-grabbing hacks that carriers would likely view as within the scope of a terrorism exclusion. In 2014, the “Guardians of Peace” hacked into Sony Entertainment’s network and threatened 9/11-style attacks at theaters that showed the film, “The Interview,” a movie premised upon an assassination attempt on North Korean Supreme Leader Kim Jong-un. Sony cancelled the movie release and President Obama increased sanctions on North Korea.
The 2015 Ashley Madison hack involved a fact pattern more along the lines of a law school exam, where a compelling case could be made for or against application of a terrorism exclusion. The “Impact Team,” a vigilante justice group, threatened as follows: “Avid Life Media has been instructed to take Ashley Madison and Established Men offline permanently in all forms, or we will release all customer records, including profiles with all the customers’ secret sexual fantasies and matching credit card transactions, real names and addresses, and employee documents and emails. The other websites may stay online.” By other websites, the Impact Team meant “Cougarlife.com.” Apparently, that site did not offend the Impact Team’s social or moral agenda.
Was the Ashley Madison hack an act of terror? It would likely depend on the policy language. But with more than half of cyber risk at least arguably within the scope of terrorism exclusions, these exclusions cannot be taken for granted as in other contexts.