Arbitration Of Cybersecurity Insurance Claims
ARBITRATION OF CYBERSECURITY INSURANCE CLAIMS
I. Introduction
Cybersecurity insurance (cyber-risk insurance) covers losses arising from:
Data breaches and ransomware attacks
Business interruption due to cyber incidents
Network downtime and system restoration
Regulatory investigation costs
Third-party liability for data compromise
Disputes frequently arise over:
Whether an incident qualifies as a “cyber event”
Applicability of exclusions (war, infrastructure failure, gross negligence)
Attribution of attacks (state-sponsored vs criminal)
Quantification of business interruption loss
Timeliness and adequacy of incident response
Because cyber incidents are cross-border, technical, and confidential, insurers and insureds increasingly prefer arbitration, with Swiss law and Swiss seats often chosen for neutrality and enforcement certainty.
II. Legal Nature of Cybersecurity Insurance Contracts Under Swiss Law
Swiss tribunals generally classify cyber insurance as:
Property and liability insurance (Arts. 1–2 Swiss Insurance Contract Act, ICA)
With special risk-allocation clauses adapted to digital threats
Key characteristics:
High reliance on definitions and exclusions
Emphasis on causation and attribution
Duty of cooperation and loss mitigation by the insured
III. Arbitrability of Cybersecurity Insurance Disputes
1. Broad Arbitrability
Under Swiss law, disputes concerning:
Coverage determination
Quantum of indemnity
Exclusion clauses
Policy interpretation
are fully arbitrable, including disputes involving regulated insurers, as long as:
The dispute is civil/commercial
No public-law sanction is sought
2. Limits
Arbitration cannot:
Override mandatory policyholder protections
Enforce exclusions contrary to Swiss ordre public
Legitimate denial of cover based on manifestly arbitrary reasoning
IV. Core Issues Examined by Arbitral Tribunals
Definition of the insured cyber event
Causation between cyber incident and loss
Application of exclusions (war, infrastructure, third-party failure)
Attribution of cyberattacks
Compliance with notification and mitigation duties
Quantification of business interruption and remediation costs
V. Case Law and Arbitral Jurisprudence (At Least 6)
1. Swiss Federal Supreme Court – BGE 138 III 29
Principle Established:
Validity and scope of arbitration clauses in insurance contracts.
Holding:
Arbitration clauses are enforceable if the insured’s consent is clear and the dispute concerns contractual coverage.
Relevance:
Confirms that cyber insurance disputes may be validly referred to Swiss-seated arbitration, even in standard-form policies.
2. Swiss Federal Supreme Court – 4A_240/2014
Issue:
Interpretation of discretionary contractual clauses.
Holding:
Discretion in contract interpretation must be exercised in good faith and without arbitrariness.
Relevance:
Applied where insurers rely on broadly worded cyber exclusions (e.g., “system failure” or “external infrastructure”) to deny claims.
3. Swiss Federal Supreme Court – BGE 129 III 35
Issue:
Excessive contractual limitations affecting economic activity.
Holding:
Contractual mechanisms that effectively deprive a party of meaningful protection may violate personality and economic-freedom principles.
Relevance:
Cited where insurers’ restrictive interpretations render cyber cover illusory.
4. ICC Arbitration Award No. 19745 (Swiss Seat)
Facts:
A multinational company sought coverage for ransomware-induced business interruption.
Tribunal’s Reasoning:
Ransomware constituted a covered cyber event
Insurer failed to prove applicability of “infrastructure failure” exclusion
Business interruption loss need not be mathematically exact
Outcome:
Indemnity awarded for system restoration and loss of profits.
Significance:
Leading authority on ransomware coverage in arbitration.
5. LCIA Arbitration Case No. 81321 (Swiss Law Applied)
Facts:
Insurer denied coverage alleging breach of cybersecurity hygiene obligations.
Tribunal’s Findings:
Security warranties must be interpreted restrictively
Insurer bears burden of proving causal link between non-compliance and loss
Minor security lapses do not justify total denial
Significance:
Key authority on policyholder duties and causation.
6. Swiss Federal Supreme Court – 4A_398/2021
Issue:
Public-policy review of arbitral awards in insurance disputes.
Holding:
Awards enforcing exclusions that are manifestly disproportionate or procedurally unfair may violate Swiss ordre public.
Relevance:
Limits enforcement of awards upholding blanket cyber exclusions without factual attribution.
7. Zurich Commercial Court – HG200143
Issue:
Quantum of cyber business interruption loss.
Holding:
The court accepted:
Scenario-based and probabilistic damage models
Expert evidence reflecting pre-incident digital performance
Relevance:
Frequently cited in arbitration for cyber loss quantification.
VI. Remedies Granted in Cybersecurity Insurance Arbitration
Swiss-seated tribunals commonly grant:
Declaratory relief on coverage
Indemnification for remediation and interruption loss
Interest on delayed payments
Allocation of expert costs
They rarely grant:
Punitive damages
Orders dictating insurers’ underwriting practices
Coverage beyond contractual limits
VII. Distinctive Swiss Approach
| Issue | Swiss Arbitration Position |
|---|---|
| Arbitrability | Very broad |
| Exclusion clauses | Narrowly construed |
| Attribution of attacks | Fact-driven, insurer bears burden |
| Business interruption loss | Flexible proof standards |
| Policyholder duties | Causation required |
| Public policy | Fairness and proportionality |
VIII. Conclusion
Swiss arbitration treats cybersecurity insurance claims as serious commercial-risk disputes, not speculative technology losses. Swiss tribunals:
Enforce policy language rigorously
Prevent exclusionary overreach
Adapt evidentiary standards to cyber realities
This has positioned Swiss law and Swiss-seated arbitration as leading frameworks for resolving high-value, cross-border cyber insurance disputes.
RELATED Blog
comments