Wargames: Analyzing the Act of War Exclusion in Insurance Coverage and Its Implications for Cybersecurity Policy

Scott J. Shackelford
23 Yale J.L. & Tech. 362

Cyber risk insurance coverage has become an increasingly vital tool permitting both public and private-sector organizations to mitigate an array of cyber risks, including the prevalent issue of ransomware. However, despite the relatively rapid uptake of these policies, a series of issues and barriers emerged. Litigation has centered on issues ranging from what constitutes “covered computer systems” as many employees are working from home, to questions of negligence.

Among the most vexing issues, with arguably wide-ranging implications for not only the insurance industry, but on U.S. cybersecurity policy generally, consist of when a cyber attack attributed to a foreign nation constitutes an act of war thus excluding coverage. Yet, the literature to date has largely ignored this pressing issue, which holds the potential to inhibit, or even remove, a useful risk mitigation tool from companies that are already struggling to manage their cyber risk exposure. The absence of this issue from discussions about U.S. cyber deterrence strategy, despite the importance of insurance to many policymakers, is likewise questionable.