The court ruled that the insurers could not rely on the war exemption
A US state appeals court last week ruled against a group of insurers that relied on a war exclusion to avoid paying a portion of a $1.4 billion insurance claim from NotPetya cyberattack victim Merck.
The appeals decision is expected to add more fuel to a flurry of tightening wording and exclusions, and one cyber insurance expert said that if a NotPetya equivalent were to hit now, more payouts would likely be triggered.
In June 2017, the malware NotPetya infiltrated the systems of organizations around the world after infecting Ukrainian accounting software. The White House and others will continue to condemn Russia’s actions against Ukraine over the cyber onslaught, which has led to billions in collateral damage, with swathes of businesses affected in a reported 65 countries. Among the biggest victims of NotPetya is pharmaceutical giant Merck.
Now, Merck’s insurers have been told by a New Jersey appeals court that they may actually be on the hook to pay for a $1.4 billion cyberattack claim, despite “hostile/belligerent action” being excluded from Merck’s all-risk property policies.
A path for escalation within the US court system remains, which means the outcome may not be a foregone conclusion. Eight insurers were directly affected by the decision, with several others included in the lawsuit having already settled; 26 policies were originally issued. However, the industry is watching this appeal outcome closely following what was seen as an anticlimactic ending to food and beverage giant Mondelez and insurer Zurich’s $100 million NotPetya war exclusion case, which was settled out of court in November.
The Merck NotPetya insurance appeals court decision “gets the ball rolling”
The NJ appellate division states that “participation in damages caused by enemy or warlike action by a government or sovereign power in time of war or peace requires participation in military action.
“The exclusion does not state that the policy precludes coverage for damages arising from a government action motivated by bad faith.”
Additionally, it states that “the plain language of the exemption does not include a cyberattack on a non-military company that provides accounting software for commercial purposes to non-military consumers, even if the attack is initiated by a private actor or by a ‘government or sovereign power’.”
Before the court’s rulings, however, insurers “often” covered NotPetya claims from companies that faced smaller losses than Merck. That’s according to Reed Smith partner Nick Insua, part of a team that provided an Amici brief in the case for United Policyholders.
“The language at issue in Merck has been used by insurers in one form or another since the 1950s, and the appellate division’s decision is consistent with the body of case law addressing similar exclusions,” he told Insurance Business in the days after the appellate division’s decision.
While the NJ affirmation “doesn’t establish an underwriting guideline or an industry coverage position,” it should “start the ball rolling” on more certainty for policyholders, Peter Hedberg, Corvus VP of cyber underwriting, said in a comment shared by Insurance Business.
Last August, Lloyd’s looked to tighten the language around state-sponsored or nation-state attacks in standalone cyber policies, having moved in 2020 to eliminate silent cyber from more broad all-risk policies (such as the one issued in NJ) through mandatory cyber exclusions or affirmative cover. While some brokers have spoken out against the latest change, other cyber insurance stakeholders, such as CFC’s head of cyber strategy James Burns, say the new wording is intended only to “exclude attacks so catastrophic in nature that they destroy a nation’s ability to function.”
In a blog posted in April, defending Lloyd’s changes, Burns said that the NotPetya attack was not an attack on the US or an attack with a large harmful effect on the country, and that “American companies, such as Merck and Mondelez, must have a clear, unambiguous cover.”
Instead, Burns said, the lay of the land means that “the wide traditional war exclusions in both standalone and package cyber policies mean that customers are at the mercy of whatever their insurer decides.”
Outside of the war issue, policies continue to be refined, with some cyber underwriters drilling down further in a bid to combat systemic risk fears. For example, some may now offer less cover for a widespread operating system infection where the “running bones” of a computer system are lost. There is also greater tension over insurers’ cybersecurity measures, and debates continue over whether federal cyber backstops or other means of improving companies’ cybersecurity are needed.
A NotPetya-type incident – many policies will pay out now
Despite the changes, under the recent ruling, many existing policies will likely cover incidents like NotPetya even though insurers claim the policies weren’t built with it in mind and exclusions have been introduced. It’s a mixed landscape, and some carriers, particularly U.S. domestic insurers, have been slower to “jump on board” with underwriting changes, according to Steve Robinson, cyber practice leader at RPS.
“Cyber policies are not intended, nor are they designed to cover broad physical warfare, or whether cyber ops is a tactical element of such broad physical warfare,” Robinson said. “The new separations are designed to give more clarity to that purpose. However, many carriers cite NotPetya as a type of one-off incident that is not part of a physical war aimed at Merck, as a type of incident that is still covered, despite the new exclusions.
“There are, of course, different methods, so it doesn’t apply to all carriers.”
Those carriers that currently exclude “nation-state identification” would likely argue that any future NotPetya event could, according to Robinson.
“Finally, as cyber insurance matures, [insurers are] looking to provide good cover for … targeted, an attack that can really damage an organization, while at the same time [the insurers] also want to make it clear that there are no cyber insurance policies or any other types of policies that are priced appropriately to account for such a large scale event where there is not enough capital to support the business should something happen,” said Robinson.
Cybersecurity vulnerabilities – the “perfect storm” that could lead to a NotPetya repeat
It doesn’t take long for an organization to feel the force of a cyber incident. On that fateful day in June of 2017, 10,000 machines in Merck’s global network were infected by NotPetya within 90 seconds. Within five minutes, it doubled to 20,000. In the end, more than 40,000 machines were taken down.
More than half a decade later, vulnerabilities in many business systems persist, even as insurers push for tighter security. RPS continues to witness claims from large organizations, some of which do not have the segmented backups needed to restore systems, resulting in some seeing an expensive ransom charge as the “only option”. Ransomware frequency, on the other hand, has returned to high levels in the last two months, although the propensity of organizations to pay attackers has fallen.
All that may be sitting between the world and a NotPetya rerun is “the perfect storm” of a software provider that doesn’t have the proper security controls in place unwittingly transmitting malware to equally uninformed customers, Robinson said.
The best offense can be a good defense, but as cyber fortresses have developed, so have malignant technologies. Just as cyber-hygiene-conscious insurers plug security gaps, carriers may be left to fend for themselves with policy language weaknesses and errors in the future. In the interim, whatever distortions the courts may make and whatever bad actors may throw in the insured’s and insurers’ way, it will fall to agents and brokers to explain what the patchwork quilt of cyber policies means for clients, to keep on top of exclusion developments, and to promote and fulfill the insurance needs of their clients as much as they can.