Merck's $1.4B Cyber Claim - NotPetya Specter
Insurers Cannot Use Conflict Exclusion, Court Rules
Last week, a US state appeals court rejected a group of insurers' use of a war exclusion to avoid paying for Merck's $1.4 billion insurance claim following the NotPetya cyberattack. It was a setback for the insurers.
The ruling appeal could lead to stricter wording and exclusions. A cyber insurance expert says a NotPetya-like attack could spark more payouts. This might cause more insurance companies to tighten up their policies.
In 2017, a bad software called NotPetya went into the computers of many groups everywhere. It started by infecting Ukraine's accounting software. The White House and others were angry with Russia for attacking Ukraine with the bad software. It caused a lot of damage, and many businesses were hurt in 65 countries. Merck, a big group that makes medicines, was one of the groups that got hurt the most.
The court said that Merck's insurers might have to pay for the $1.4 billion cyberattack claim. This is because the exclusion in Merck's property policies might not apply.
There is a chance that the US court system may change the ruling. Eight insurance companies are affected by the ruling, and others have already settled. The industry has been watching closely due to previous similar cases settling without a conclusion. The case is related to a $100 million notPetya war exclusion case involving Mondelez and Zurich.
The court ruled on Merck's insurance appeal for the NotPetya attack. This will start the process.
The NJ court said that damages from government or sovereign power in war or peace need military action.
The policy did not say they won't cover damages from government actions due to bad intentions.
The exclusion in question didn't cover a cyberattack on a non-military company. This company provided accounting software for commercial use by non-military customers. The exclusion didn't matter whether the attack came from a private person or a government. The statement said this in a clear way.
Before the court decisions, insurance companies often covered NotPetya claims for smaller losses than Merck. Reed Smith partner Nick Insua said this, and he was part of a team who supported United Policyholders in the case.
Insurers have been using the language questioned in Merck since the 1950s. The court's decision aligns with other cases related to similar exclusions. An expert shared this with Insurance Business after the appellate division's ruling.
The affirmation in NJ doesn't set a rule or industry stance. It's a start. Corvus' VP said this. The affirmation should help policyholders feel more sure. Insurance Business got the quote.
In August, Lloyd's made cyber policies stricter by changing the wording around state-backed or nation state attacks. In 2020, they got rid of "silent cyber" in other policies by adding mandatory cyber exclusions or affirmative cover. Some brokers don't like the new change, but others, like CFC's James Burns, say it's meant to protect against catastrophic attacks that could destroy a nation's ability to function.
Burns defended Lloyd's changes in an April blog post. He reasoned that the NotPetya attack did not harm the US significantly. Therefore, American firms like Merck and Mondelez ought to have received insurance coverage without difficulty.
Burns said the land's structure results in customers being at the insurer's mercy. The exclusions in traditional cyber policies are a problem. Customers can't choose what they want in their policies. Insurers make the final decision.
Apart from the war, policies are being improved. Some cyber insurance providers are taking more steps to tackle the risk of system failure. They may not cover a widespread operating system infection. There's also more focus on ensuring insureds have good cybersecurity measures. There is discussion about whether companies need federal support to improve their cybersecurity.
NotPetya-like Event: Policies Cover Payouts Now
The recent ruling has brought changes to policies. Even if insurers claim policies were not designed for incidents like NotPetya, some may still provide coverage. But some policies have stricter language. Not all carriers have made underwriting changes, especially domestic US insurers, says Steve Robinson of RPS.
Robinson said cyber policies don't cover big physical wars or when cyber ops are part of those wars. The new exclusions make this clearer. But some carriers think NotPetya could still be covered, even with the new rules. NotPetya wasn't part of a physical war aimed at Merck.
Different companies have different ways of approaching things, so this may not work for all of them.
Robinson says carriers who exclude "only nation-state attribution" can excuse future NotPetya events.
Cyber insurance is growing up. Insurers are now focusing on giving good cover for specific attacks that can really harm a company. However, they also want to make it clear that insurance policies were never priced for a huge event where there wouldn't be enough money to help the business. Robinson said this.
NotPetya Repeat: Perfect Storm Of Cyber Vulnerabilities
A cyber incident can hit fast. Merck had 10,000 machines infected with NotPetya in 90 seconds. It increased to 20,000 in 5 minutes. Things got worse - over 40,000 machines crashed.
Business systems still have security vulnerabilities after many years, even though insurers are demanding tighter security. RPS has observed that some large organizations do not have proper backups to restore their systems and have had to pay a lot of money to get them back. Ransomware attacks have been happening more often recently, but businesses are less likely to pay the attackers.
Robinson said that "the perfect storm" could prevent another NotPetya. If a software provider accidentally passes on malware without having proper security controls, customers could unknowingly receive it.
It is important to have good defense against cyber attacks, but malicious technologies are always evolving. Even though security measures are improving, there will still be errors in policy language that need to be fixed. Agents and brokers must explain what cyber policies mean for clients and keep up with updates to exclusions. They must advocate for their clients' insurance needs to the best of their ability despite challenges from bad actors and the courts.