Prove It! Judging the Hostile-or-Warlike-Action Exclusion in Cyber-Insurance Policies
Abstract. In late 2018, snack-food giant Mondelez International sued Zurich Insurance for improperly denying coverage for losses caused by the NotPetya computer virus. Zurich has asserted an exclusion for hostile and warlike actions by a sovereign or its agents. Zurich’s exclusion argument is not atypical; many standalone cyber-insurance policies contain similar provisions. As a result, the case has garnered significant attention among insurance experts. This Essay explores the challenges facing insurers and insureds litigating denials of coverage under the hostile-or-warlike-action exclusion. The current legal framework is not up to the challenge. To assert the exclusion successfully, the insurer must demonstrate both that the act was perpetrated by a sovereign or its agent and that the act is hostile or warlike. Given the nature of cyberattacks, insurers and insureds face significant hurdles on both fronts. This Essay explores the significant difficulties of accurately determining the source of a hack, analyzes the implications for determining insurance coverage with respect to the hostile-or-warlike-action exclusion, and offers several novel proposals for improving cyberattack attribution and adjudicating coverage disputes.
Introduction
In 2017, multinational snack-food company Mondelez International was a victim of the NotPetya malware attacks.1 That virus permanently disabled 1,700 of the company’s servers and 24,000 of its laptops.2 Its insurer, Zurich, denied coverage, asserting that the event fell within a policy exclusion for “hostile or warlike action . . . by any government or sovereign power . . . or agent or authority of [such a party].”3 The case, now being litigated in Chicago, has garnered significant attention among insurance-law experts and scholars.4
The case is emblematic of the coverage battles likely to arise out of similar exclusions in many cyber-insurance policies.5 Mondelez contends that Zurich’s application of this exclusion is unprecedented, particularly for an event other than conventional armed conflict.6 In court, Mondelez appears focused on the nature of the attack, rather than the identity of the perpetrator. However, the policy exclusion at issue has two important facets: who and why.
An insurer ordinarily must show by a preponderance of the evidence that an exclusion applies.7 With respect to the hostile-or-warlike-action exclusion at issue in Mondelez, Zurich must make two showings. First, the insurer must show that a government or sovereign power, or its agent, is responsible for the attack. Second, the insurer must establish that the loss was a result of hostile or warlike action. As this Essay will demonstrate, meeting both demands will prove difficult in court.
This Essay explores the issues that insurers and insureds are likely to face in litigating these coverage disputes. Part I begins with a background discussion of the rise of cyber insurance and discusses the rationale for policy exclusions such as the one at issue in Mondelez. Part II explores the challenges associated with attributing a breach to a particular source. Part III discusses the problems associated with determining whether the attack constitutes a hostile or warlike action. Finally, Part IV offers several possible solutions in creating a legal regime capable of adjudicating these coverage disputes.
I. Background on Cyber Insurance
Through litigation and policy revisions, insurers have resoundingly demonstrated their unwillingness to provide coverage for cyber breaches under general liability policies, including the Commercial General Liability (CGL) policy—the insurance policy companies purchase to provide protection against a broad range of claims.8 While insurers have yet to provide a clear reason for the denials of coverage, several factors drive their decisions.
First, insurers possess incomplete data on the probability and size of losses that could result from a cyberbreach. The “law of large numbers” undergirds risk-spreading, which incentivizes insurers to provide coverage.9 The larger the pool of insured risks, the smaller the risk will be to everyone in the pool, on average.10 Calculating the risk and being able to combine it with enough other similar risks is crucial to an insurer’s remaining solvent.11 As a result, insurers are hesitant to offer coverage “against events where the probability of an occurrence is ambiguous either because there are limited statistical data and/or experts have different theories as to underlying causal mechanisms.”12
Second, events that can produce large losses because the risks are correlated, as is the case with cyberattacks, compound insurers’ concerns.13 Correlated risk refers to the simultaneous occurrence of numerous losses from a single cause or event.14 These risks, along with those very rare events for which the insurer cannot gather sufficient data to predict, create underwriting difficulties for insurers.15 Actuarial data is either unavailable or indicates that premiums must be so high that consumers would choose not to purchase the insurance.16
Third, it is possible that cyberbreaches fall into a category of uninsurable phenomena.17 For example, war and terrorism are frequently excluded from all lines of insurance coverage because they exhibit these challenges.18 Indeed, “[w]ar creates the ‘perfect storm’ of actuarial nightmares: a correlated, catastrophic, ongoing clash event.”19 Terrorism occurs so rarely that insurers lack sufficient data to price insurance.20 Insurers are left to price terrorism-insurance premiums based on best guesses regarding the likelihood and size of losses.21 The federal government now reinsures terrorism risk due to the difficulties associated with appropriately pricing the insurance.22 Cyberbreaches, being unpredictable, highly correlated, and costly, possess several of the qualities that make pricing coverage difficult.
The challenges in pricing cyberbreaches have led insurers to offer standalone cyber-insurance plans. Like all insurance policies, cyber policies contain exclusions rooted in insurers’ judgments about risks they do not intend to cover. Specifically, cyber insurers have crafted exclusions for losses resulting from warlike actions, terrorism, and attacks by foreign enemies, governments, and sovereigns or their agents.23 Implementing these exclusions in the cyber realm, however, is particularly difficult. Hackers can mask their identity, making it difficult to ascertain the source of a breach. Additionally, incomplete information makes it difficult to ascertain the purposes of a breach—whether criminal, terroristic, or warlike action. Thus, cyber insurers may pay for losses they did not intend to insure or deny payment for losses that should have been covered.
II. Identifying the Perpetrator
The hostile-or-warlike-action exclusion hinges in part on the perpetrator’s identity. Insurers can only claim the exclusion if a sovereign or its agent carries out the breach. As a result, determining an insured’s right to coverage depends in large part on “attribution”—ascertaining the perpetrator’s identity. The attribution problem raises significant technical and political challenges.24 Hackers have myriad tools for hiding their identity. Even where the technical challenges can be overcome, governments may be reticent to identify the source of the attack for political reasons.25
A. Attribution Challenges
A core challenge of cyberattack attribution is evidentiary. Cyberattack attribution requires examining electronic evidence, including server logs, IP addresses, other basic identifiers, and strings of code for digital signatures.26 Even when sufficient electronic evidence can be gathered, it can be misleading.27 Hackers have numerous technical tools to cover their tracks.28 They can spoof their IP address—making it look like the hack emanated from another computer—use proxy servers to hide their original location, harness the computing power of numerous computers, or use any number of other tools that capitalize on the anonymity afforded by the internet’s architecture.29 Thus, even when investigators are able to gather what appears to be relevant evidence, significant hurdles remain. Given the current geopolitical climate, the true perpetrator may disguise its identity in a “false flag” operation—using technological means to frame another group or nation for a breach.30
The cyberattack at the opening of the 2018 Olympics in PyeongChang, South Korea illustrates these evidentiary issues. There, hackers “used a blend of techniques, tools, and practices that blended the fingerprints of threat groups connected to North Korea, China, and Russia.”31 Moreover, they routed traffic through North Korean IP addresses in an effort to mask their origin.32 While Russia was initially believed to be the likely source, private security groups also suspected Chinese or North Korean hackers.33
In addition to its evidentiary challenges, attribution has become a geopolitical issue.34 Nations have competing incentives when publicly attributing cyberattacks. On the one hand, there is a significant incentive to exercise restraint.35 Governments must consider the potential for unwanted escalation or strained diplomatic relations resulting from publicly accusing another sovereign state.36 Restraint is particularly important given the technical difficulties of accurately attributing cyberattacks. Even physical attacks can be difficult to attribute, and governments are unlikely to ever be one hundred percent certain of an attribution. Cyberattackers, however, actively seek to mask their identities and misdirect investigators—making accurate attribution even more difficult. On the other hand, states also have significant incentives for exaggerating their technical prowess by publicly attributing an attack even in the face of uncertainty.37 For example, identifying the source of an attack can promote deterrence. A state launching a cyberattack will be forced to consider the ramifications knowing, or at least believing, that its identity will be discovered.
B. Classified Information in Attribution Disputes
The presence of classified information also presents challenges to attribution. Governments attributing cyberattacks often rely on classified information. In Mondelez and similar cases in the future, the insurer could be left with only press releases, news reports, and bare assertions regarding the perpetrator’s identity. Private insurers may be unable to muster meaningful evidence in support of their assertions that a sovereign was responsible for an attack.
The 2014 Sony Pictures hack exemplifies the kind of public/private disagreement resulting from this information asymmetry. Hackers took over Sony’s internal computer system and released stolen data, including personal information about employees, internal emails, executive salaries, and copies of unreleased films and scripts.38 Shortly after the breach, the FBI confirmed that it was investigating the incident.39 As information leaked, North Korea denied any involvement, but commended the attack as a righteous deed.40 The nation had previously expressed its displeasure with Sony’s planned release of The Interview, a satirical film about the assassination of the North Korean leader.41
Relying on confidential information, a U.S. official stated nearly a month after the breach that North Korea was indeed the culprit.42 The FBI confirmed this attribution shortly thereafter, marking the first time a government agency had formally blamed a foreign government for a cyberattack.43 In a statement, the FBI announced that “in close collaboration with other U.S. government departments and agencies, the FBI now has enough information to conclude that the North Korean government is responsible for these actions.”44 Despite these assertions, many remained skeptical of the evidence.45
Several weeks later, the FBI met with experts from the private security firm Norse.46 The company made its case that North Korea was not responsible for the hack. Norse shared information it believed supported the theory that several individuals, including a former Sony employee, were behind the attack.47 The FBI maintained its position that the North Korean government was responsible.48 It refused to share information with Norse, citing a need to protect sources and methods.49 Lending increased credibility to the FBI’s attribution, the New York Times would later reveal that the NSA had breached North Korea’s networks prior to the attack.50
While private companies have narrowed the gap with the government in their abilities to conduct postattack investigations, they remain at an informational disadvantage.51 The government has a monopoly on the intelligence community capabilities that assist in attribution.52 The NSA collects vast amounts of signals intelligence, intercepting foreign communications and hacking foreign adversaries.53 The FBI and Secret Service engage in similar activities domestically.54 These and other intelligence and law-enforcement agencies can rely on information unavailable to the private sector to inform diplomatic and military responses to cyberattacks. The Obama Administration made executive and legislative efforts to increase information sharing, but further transparency faces a number of hurdles.55
The attribution problem poses significant problems for the hostile-or-warlike-action exclusion. Insurance coverage requires private actors to indemnify the insured for losses, without complete access to information. Hackers expertly cover their tracks, and the government will resist disclosing any classified information regarding its attribution.56 Thus, an adequate framework must solve both aspects of the problem—correctly identifying the perpetrator and protecting the classified information that led to the identification.
With the burden on the insurer to support its assertion of a policy exclusion, how could a court or jury find for the insurer? Should the insured bear the burden of proving coverage? Ordinarily, the insured must make only a prima facie showing of coverage.57 The insurer then bears the burden of establishing the applicability of an exclusion by a preponderance of the evidence.58 The insurer, however, will have incomplete information about the source of the attack. If a case involves classified intelligence, the government will assert the state secrets privilege and courts will dismiss coverage disputes.59 This process will make insurers the de facto final word on coverage. Reputational harm to insurers from repeated, wrongful denials of coverage would be insureds’ only protection from overzealous and improper application of the exclusion.
III. Classifying the Attack
The hostile-or-warlike-action exclusion also hinges on the nature of the attack. The terms “hostile” and “warlike” are not self-defining, and courts have interpreted them as having independent meaning. In addition to the identity of the attacker, the warlike-action exception is concerned with the nature of the attack. Pan American World Airways v. Aetna Casualty and Surety Co.60 is the leading case interpreting the exclusion of “warlike action.” In that case, a Pan Am jet was hijacked and destroyed by a group working for the Popular Front for the Liberation of Palestine (PFLP). The district court determined that the hijacking was “designed to serve as a spectacular display, as a round of ‘symbolic blows,’ as propaganda of a vividly compelling sort.”61 Due to the purpose of the attack, the district court reasoned that the act was not intended to be an act of war or a warlike operation against the United States or Israel. Additionally, because a state actor did not carry out the attacks, the hijacking did not fall within the policy exclusion, so the insurer had to pay.
On appeal, the Second Circuit affirmed the district court’s ruling. The Second Circuit explained that courts interpret the warlike-action exclusion “in accordance with the ancient international law definition: war refers to and includes only hostilities carried on by entities that constitute governments at least de facto in character.”62 The Second Circuit also agreed that the PFLP’s actions did not constitute “‘warlike operation[s]’ because that term does not include the inflicting of damage on the civilian property of non-belligerents by political groups far from the site of warfare, particularly when the purpose is propaganda.”63
Although Pan Am is instructive, it merely provides guidance on what actions do not constitute a warlike action. Pan Am left unanswered, however, the question of which elements do. Must an action be taken in furtherance of a “legitimate military objective”64 to be warlike?
The Mondelez case shows the difficulty in litigating cyber-insurance disputes absent a clear list of elements for the warlike-action exclusion. For example, does a breach need to occur “near the site of warfare” to trigger the exception? The Second Circuit’s opinion in Pan Am could be used to support the claim that it does.65 Of course, unlike traditional warfare, the “site of warfare” for a cyberbreach presents a number of issues, the most obvious being the lack of a clear geographic area of conflict. Even if courts determine that “sites of warfare” are independent of physical location for the purposes of cyberattacks, insurers may be able to sidestep these thorny issues by invoking the hostile-act exclusion instead.
Courts have offered little guidance on the insurance meaning of the term “hostile act.” They may turn to a variety of sources, including the dictionary, to determine its meaning. Merriam-Webster’s dictionary defines “hostile” as (1) “of or relating to an enemy” or (2) “marked by malevolence: having or showing unfriendly feelings.”66
A broad interpretation of “hostile act” could lead to controversial exclusions. For example, Chinese hackers have engaged in acts that may qualify, breaching biotechnology, mining, pharmaceutical, professional services, and transportation firms for years.67 Chinese government hackers’ theft of intellectual property is on the rise.68 These actions are often characterized as “economic espionage” against the United States.69 Despite their destructive effects, these hacks seem to meet the insurance definition of “warlike actions” less clearly than do breaches intended to infect and cripple computer systems, as happened to Mondelez. Under a broad interpretation of “hostile act,” however, the theft of intellectual property via government-backed cyberintrusion could be excluded from coverage. Indeed, courts could quite reasonably conclude that the theft is “marked by malevolence.”70
Ultimately, a broad interpretation of the hostile-or-warlike-action exclusion could prove problematic. An expansive interpretation of “hostile act” may leave little remaining coverage. For instance, coverage might only exist for accidental disclosures, which are already covered by other policies.71 An insured could argue that its policy provides “illusory coverage”—excluding the very losses it appears to cover. Indeed, the standalone cyber-insurance policy developed as a response to the coverage gaps arising out of insurers’ refusal to insure cyberbreaches in general liability policies. Yet their policy exclusions are worded in a way that, especially if read broadly, may leave many of those gaps unfilled. And if an insured were to succeed in an illusory coverage claim, the court could reform the policy to bring it into alignment with the insured’s reasonable expectations.72 In such a case, the insurer would be forced to pay a claim for which it had not taken actuarial account.
IV. Four Avenues for Reform
This Part considers several solutions from the cybersecurity and national security literature to assess whether they could alleviate the cyber-insurance market’s difficulties. First, the government could create an entity akin to the National Transportation Safety Board (NTSB) to attribute cyberattacks. Second, the government could expand the Classified Information Procedures Act (CIPA) to apply in civil trials, and/or employ the Silent Witness Rule (SWR) to address the difficulties associated with using classified information in attributing cyberattacks. Third, courts could shift the burden of proving an exclusion’s applicability from the insurer to the insured. Fourth, the government could create a national security court capable of handling, among other important issues, insurance-coverage disputes involving sensitive national security information. This would allow the state to avoid the classified-information problem as well as the foreign-policy issues related to publicly adjudicating cyber-insurance disputes.
A. The National Cybersecurity Safety Board
Over the last few years, there has been increasing support for the creation of a cybersecurity entity modeled on the NTSB.73 The NTSB, which is responsible for determining the causes of all civil-aviation accidents and significant accidents involving other forms of transportation,74 focuses exclusively on investigation, rather than oversight.75 It lacks any enforcement authority.76 Nonetheless, according to some, the Board plays a crucial role in improving air safety.77 Its success has led to proposals for the creation of an analogous independent government agency responsible for investigating cyberbreaches.
In 2014, an NSF Cybersecurity Ideas Lab group suggested creating an NTSB analogue charged with analyzing cybersecurity incidents and providing public reports on the circumstances and causes of each.78 This agency could also cooperate with law-enforcement and national security agencies, assist with post-incident investigations, and make policy recommendations.79 In a 2017 report, the Center for Strategic and International Studies suggested that a body modeled on the NTSB or the Federal Aviation Authority’s Aviation Safety Reporting System could give companies an opportunity to report cyberbreaches without fear of regulatory repercussions.80
In 2018, Scott Shackelford and Austin Brady expanded on these calls for the creation of a National Cybersecurity Safety Board (NCSB).81 Its purpose, they argue, would be to attribute cyberattacks and offer guidance to prevent future attacks. They called for the NCSB to investigate beyond the technical causes, examining the institutional culture issues that lead to being the victim of a data breach.82
There may, however, be impediments to the success of an NCSB. Shackelford and Brady overlook, or at least underestimate, the incentive to litigate the attribution of cyberattacks. Hundreds of millions of dollars may be at stake in an attribution.83 Should litigation arise, the NCSB would do little to aid in adjudicating coverage disputes, particularly if the board relies on classified information to attribute attacks. While the creation of an NCSB may result in long-term, widespread changes in cybersecurity practices and may even alleviate some of the attribution challenges, the agency is insufficient to address the litigation troubles that will undoubtedly arise. The following proposals provide jurisprudential solutions that more directly address the difficulty of adjudicating coverage disputes.
B. The Classified Information Procedures Act
Protecting sensitive intelligence information from public disclosure is important for effectively adjudicating cyber-insurance coverage disputes. Currently, CIPA only protects classified information in criminal trials.84 The Act provides a number of measures to keep classified documents and information out of the public record and, sometimes, out of the defendant’s hands. Those measures include substituting both unclassified summaries of relevant documents and materials, and unclassified statements that admit the relevant facts.85 Courts have supplemented CIPA with the judicially created SWR, which allows a witness to testify in code regarding sensitive information, with the parties and the jury given the key.86 There is no equivalent law or set of procedures to address the use of classified information in civil cases.87
Expanding CIPA to civil cases could allow parties to litigate coverage disputes more fully.88 Currently, the state secrets privilege is the government’s only method of protecting sensitive information in civil cases.89 Unlike CIPA, the state secrets privilege does not preserve the classified nature of evidence and permit its use at trial.90 Instead, the court must merely decide whether the information qualifies as a state secret, and if so, it excludes the evidence.91 As a result of those evidentiary rulings, many civil cases involving alleged state secrets are dismissed.92 By adopting a CIPA analogue for the civil context, the federal government could provide information regarding its attribution while shielding highly sensitive information from the public.93
Despite the allure of CIPA, it may not provide a perfect solution. First, CIPA requires the recipient of the information to have a security clearance.94 This process could lead to significantly increased litigation costs and delays.95 Under a CIPA-like regime, the government would have to clear either the parties’ representatives, their counsel, or both in order to divulge the classified information. Even where repeat players are involved, the nature of modern litigation is such that insureds retain many different law firms. The government would need to clear these lawyers on an ad hoc basis or require that previously cleared counsel be appointed.96 In addition to the administrative difficulties, CIPA’s clearance requirement has been criticized for allowing courts to prevent defendants from seeing evidence in their own cases.97 Indeed, CIPA allows the court to “issue protective orders prohibiting cleared counsel from sharing any classified information with the defendant.”98 One case, United States v. Yunis, provides “[a] stark example of [the] leeway granted to the government . . . . [T]he court held after an ex parte review of the information . . . that the defendant was not entitled to his own tape-recorded statements because they were not ‘helpful to the defense of [the] accused.’”99 These concerns are less significant, however, in the insurance-coverage context. The government will not be a party to these lawsuits. And these cases merely involve disputes over money.
Second, the government may object to the use of classified information even if a court finds the substituted unclassified summaries inadequate.100 If the court determines that a substitution under CIPA § 6(c) is inadequate, it enters a disclosure order.101 The Attorney General, however, has the authority to oppose the use of the classified information. Were the Attorney General to oppose a court’s disclosure order, the court might sanction the government—“striking all or part of a witness’[s] testimony, resolving the issue of fact against the United States, or dismissing part or all of the indictment.”102 Thus, expanding CIPA may simply result in a game of chicken between the executive branch and the judiciary.
C. Shifting the Burden of Proof
Perhaps the simplest solution is to shift the burden of proving the applicability of a policy exclusion from the insurer to the insured. Ordinarily, the insured must only establish a prima facie case for coverage and the insurer bears the burden of proving that a particular loss is excluded under the policy’s terms.103 Reversing the burden—requiring the insured to prove the inapplicability of a policy exclusion by a preponderance of the evidence—would allow cases to proceed that would otherwise be dismissed on state secrets grounds.104 The insured’s expert would testify fully regarding the evidence underlying their attribution to a nonstate actor. The jury could then evaluate whether the insurer has adequately rebutted the presumption that the perpetrator was a state actor. While this solution requires the least structural reform of those discussed in this Essay, shifting the burden creates a peculiar inconsistency—the presence of an insurance policy is coupled with a presumption of lack of coverage. Additionally, merely shifting the burden leads to coverage disputes hinging on the burden, rather than the truth. We would be trading a system in which the insured always loses when the insurer asserts the policy exclusion (because the state secrets privilege and subsequent dismissal would lead insurers to have the final word on coverage) to a system in which the insurer always loses (because the crucial evidence to rebut the presumption of coverage would be classified).105 Shifting the burden provides an easily implemented but ultimately unsatisfying solution to address the complex problem of adjudicating cybercoverage disputes involving the hostile-or-warlike-action exclusion.
D. The National Security Court
The creation of a National Security Court (NSC) is another possible approach for addressing coverage disputes arising out of cyberbreaches. For over a decade, scholars, practitioners, and government officials have debated the merits of an NSC in adjudicating terrorism-related matters.106 The NSC, according to its proponents, would avoid burdening ordinary civilian courts with the extraordinary measures necessary to litigate terrorism cases.107 In a 2007 article, Jack Goldsmith and Neal Katyal suggested that an NSC may also help solve some of the challenges faced in civil cases involving national security issues.108 The article, however, provided few details on how the court would operate or which civil matters it should try. Former Assistant United States Attorney Andrew McCarthy echoed calls for an NSC in a 2009 working paper, as have other lawyers.109
The NSC’s jurisdiction could extend to critical questions in cyber-insurance coverage disputes given their nexus to national security. This would be particularly useful in cases involving allegations that state-sponsored or nation-state actors are responsible, for instance those to whom the hostile-or-warlike-action exclusion might apply. Not all cyberbreaches, however, implicate national security concerns. When a breach arises out of ordinary criminal conduct, hearings before the NSC may not be needed. It may be initially unclear whether a case implicates national security issues. However, a transfer procedure could be implemented, allowing cases to be removed from ordinary federal courts to the NSC.110 Additionally, to protect national security, the court, rather than a jury, could decide all cases. Finally, like the Foreign Intelligence Surveillance Court (FISC), which rules on warrants under the Foreign Intelligence Surveillance Act (FISA), the NSC could issue all decisions under seal.111
In implementing the NSC, policy-makers must remain mindful of the larger regulatory framework. At least for publicly traded companies, SEC filings could indirectly reveal a court’s decision that a loss is covered under the insured’s policy.112 These filings include insurers’ aggregate claims paid for the year. While small payouts may go unnoticed, substantial payouts might raise red flags.
To be sure, the creation of an NSC does not enjoy unanimous support.113 Much like the FISC, the NSC would operate largely in secret.114 Thus, the NSC could face similar criticisms regarding a lack of transparency in decision-making.115 This is a significant criticism of the FISC, whose decisions can grant the government permission to legally infringe on an individual’s civil rights. The NSC may suffer the same ills in much of its docket. With respect to insurance disputes, however, these concerns are less significant. Cyberattacks certainly can be important national events. And the perpetrator’s true identity may be valuable information to the public. Ultimately, however, the court would merely be deciding a business dispute between two companies. Additionally, without such a court, insureds may be left without a means of accurately adjudicating the coverage dispute. The NSC might offer the best solution for addressing coverage disputes involving cyberbreaches. It provides a comprehensive solution with relatively limited drawbacks.
Conclusion
Cyberattacks continue to grow in sophistication and frequency. The cyber-insurance market is growing in response. Many insurance policies, however, contain exclusions for hostile-or-warlike actions perpetrated by a government and its agents. The skirmish between Mondelez and its insurer Zurich highlights the importance of considering the meaning and applicability of this exclusion. Insurers face difficulties when trying to make sure that they provide coverage only for those losses they intended to cover, and that they have taken actuarial account of the insured’s premiums. Current procedures are likely to prove inadequate for attributing these attacks and adjudicating coverage disputes. Creating alternative procedures for attributing attacks and handling classified information in the resulting civil cases may allow these disputes to be resolved more effectively. The creation of an NCSB may help alleviate some of the difficulties in attributing cyberattacks by assigning the task to one agency. The agency, however, would not be able to stop attribution disputes and resulting litigation over cyber-insurance coverage.
We must therefore consider jurisprudential solutions for the disputes that do head to the courtroom, such as the expansion of CIPA, shifting the burden of proving the applicability of a policy exclusion, or the creation of an NSC. While all three jurisprudential solutions have drawbacks, an NSC empowered to hear insurance-coverage disputes offers the best avenue for increasing the likelihood that coverage determinations are accurately made in the wake of cyberattacks. Future scholarship should consider details regarding the structure of the court, appropriate means for staffing the court,116 and the procedures for transferring cases. These issues and their solutions will continue to grow in importance as the number of cyberattack victims grows and the victims turn to their insurers to indemnify the losses.
Adam Shniderman is a member of the University of Michigan Law School, class of 2020. He holds a Ph.D. in Criminology, Law, and Society from the University of California, Irvine and a B.A. in Law, Jurisprudence, and Social Thought from Amherst College. Prior to law school, he spent three years as a tenure-track Assistant Professor of Criminal Justice. Thank you to Professor Kyle Logue for his thoughtful comments on prior drafts of this Essay and to the Yale Law Journal editors who have worked on this piece.