CYBERSECURITY & DATA PRIVACY

Below, we highlight some key trends companies can expect as they consider how insurance, both cyber and general policies, could help to mitigate cybersecurity risks.

Coverage Disputes and Uncertainty

One constant in the insurance market that is likely to persist for the foreseeable future is uncertainty with respect to coverage for losses arising from cyber incidents. Historical data about the scope and scale of losses are limited, and there can be a lack of clarity as to what is covered by new policy terms such as cyberterrorism. Multiple reports from government and industry sources attest to the lack of clarity around how key terms that set the scope of coverage are or should be defined, reducing predictability for both insureds and insurers. It is reasonable to expect continued dispute and litigation over the proper scope of coverage as companies face previously unanticipated threats to their businesses, such as nation-state cyber attacks.

For example, one recent case in a New Jersey state court resolved a coverage dispute arising out of the 2017 NotPetya cyber attack in favor of an insured, finding that its property insurance policy covered the $1.4 billion in damages it experienced. The insurer had disputed coverage based on the US government's attribution of NotPetya to the Russian military. The insurers argued that the relevant policy's Hostile/Warlike Action Exclusion Language applied to the losses arising from the attack because the malware had been attributed to the Russian government and was linked to Russia's ongoing conflict with Ukraine. The court disagreed, writing that the insurers had failed to update the policy to account for this type of event and that such exclusions had historically only ever applied to traditional forms of warfare. Notably, the court highlighted that when policy language creates ambiguity, the policy should be interpreted to conform to the reasonable expectations of the insured.

This case is unlikely to be the last word on this topic. At a time of rising international tensions and increasing use of cyber operations to accompany or replace traditional uses of armed force, questions around the scope and extent of policy coverage and exclusions in cases of nation-state sponsored cyber attacks are likely to remain contentious and significant.

Expanded Coverage Limitations

In response to the risk of unanticipated losses, some insurers are taking steps to clarify and limit the scope of policy coverage through new policy exclusions that could significantly limit the prospect of coverage for insureds at a time of increasing cybersecurity threats.

For example, one insurance association issued new, apparently first-of-their-kind, war and cyber war clauses in November 2021 that contain significant limitations in the scope of coverage for cyber operations that would not meet the threshold of traditional understandings of warfare. One such clause expressly excludes coverage for losses related to a cyber operation that has a major detrimental impact upon essential services in a given state. Cyber operations are defined to include cyber attacks by one state against the computer systems or information of another, and essential services include a range of critical infrastructure functions from financial

MAYER BROWN | 143