Events such as the Covid pandemic and rising levels of cybercrime are encouraging insurers to revisit their policy wording to exclude certain events, write Sandra Sithole, partner, and Dr Ninakhulu Ntsanwisi, associate from Webber Wentzel.
Over the past three years, the world has suffered serious humanitarian and financial losses from the Covid-19 pandemic, climate change and catastrophic weather, political unrest and wars in central Africa, Europe and more recently, the Middle East.
Although the human costs of the pandemic have receded in the last two years, the number of lives lost owing to war and natural disasters is rising. In all circumstances, the full implications for insurance are still unfolding.
In the initial waves of the pandemic, many businesses tried to find out whether they were indemnified under their business interruption insurance policies for Covid-related losses. In South Africa, this question has largely been answered: the insurance industry has responded by removing Infectious and Contagious Diseases (ICD) extension from policies to indicate that it has no intention of covering such global risk.
Elsewhere, the courts are revising previously-accepted approaches towards concepts such as causation, aggregation, and the proper construction of key policy terms. This will differ between jurisdictions. In South Africa, the Supreme Court of Appeal held in the matter of Café Chameleon that government’s imposition of a lockdown in response to multiple outbreaks of a ‘notifiable disease’ was covered by the infectious diseases clause.
Recently, we have noted a shift towards litigation against insurance brokers for failures to adequately assess a business’ risk and advise and/or recommend ICD extensions. This avenue of litigation has not yet been tested in court.
In general, war exclusions are commonplace in All-Risks insurance policies. The specific language of war exclusions varies, but typically loss or damage arising from acts of war such as invasions, insurrections, revolutions, military coups, and terrorism are excluded. In South Africa, a war exclusion excludes cover for loss or damage to property, death or bodily injury related to or caused by “…war, invasion, act of foreign enemy, hostilities or warlike operations or civil war “or “any act (whether on behalf of any organisation, body or person or group of persons) calculated or directed to overthrow or influence any State or Government, or any provincial, local or tribal authority with force, or by means of fear, terrorism or violence”.
With the recent surge in cyber attacks, many businesses have had to take cyber security more seriously. Demand for cyber policy coverage has increased, but the cyber insurance market has not yet caught up with the challenges brought by, among other things, new war tactics such as cyber war and terrorism, which may not be adequately dealt with in traditional war and terrorism exclusions.
In recent years, war exclusions have found their way into stand-alone cyber policies. In many policies, a disconnect persists between traditional war and terrorism exclusions and the cyber risk itself. The insurance industry has to stay abreast of technological development to ensure that war exclusions are fit for purpose.
Firstly, the war exclusion clause is still based on the MultiMark III standard wording, which does not consider technological advancement or unpredictable changes in the digital space. The result is that existing cyber insurance may not fully protect businesses against cyber risks and insurers may inadvertently cover cyber risks when they do not intend to: “the silent cyber” problem.
Secondly, most cyber policies do not specifically exclude cyber war (cyber attacks that arise from war, invasions, hostilities, state sponsored terrorism and other warlike operations) and cyber terrorism (premeditated usage of disruptive activities against computer systems with the intention to intimidate or cause harm) or distinguish between the two. Some policies will cover cyber terrorism but not cyber war.
New exclusionary clauses
In an attempt to bring clarity, in August 2022, Lloyd’s of London released Market Bulletin Y5381, requiring its syndicates to include the following baseline exclusions clauses for state-supported cyber attacks in their policies from 31 March 2023:
* Exclude losses which arise from a war (declared or not), where the policy does not have a separate war exclusion;
* Exclude losses arising from state-supported cyber-attacks that significantly impair (a) the ability of a state to function or (b) the security capabilities of a state;
* Be clear as to whether cover excludes computer systems that are located outside any state which is affected in the manner outlined in (a) and (b) above, by the state-backed cyber-attack;
* Set out a robust basis by which the parties agree on how any state-backed cyber-attack will be attributed to one or more states; and
* Ensure all key terms are clearly defined.
Other insurance providers may follow Lloyd’s example by excluding state-supported cyber-attacks from standard cyber insurance policies.
From a South African insurance perspective, there is certainly a need for businesses, led by brokers, to scrutinise current policy wordings to determine whether there is sufficient cyber cover, either in their All-Risks or standalone cyber policies.
Insurers should take care in wording exclusions to ensure that the policies clearly indicate what is covered and what is not. In South Africa, courts interpret exclusion clauses restrictively and any ambiguity will be interpreted against the drafter.