Earlier this month, pharma giant Merck won a $1.4 billion lawsuit over its insurers' duty to pay for damages stemming from the 2017 NotPetya cyberattack. Though cyber insurance has changed considerably since 2017, the case still holds lessons for enterprises.
NotPetya was a catastrophe, causing untold billions of dollars of damage worldwide through wiper malware designed to look like ransomware. The consensus among Western nations is that NotPetya was a Russian attack on Ukraine that spread uncontrolled around the globe, leaving companies like Merck with massive losses. Merck's insurance, like the vast majority of policies, had a clause excluding acts of war. But a New Jersey judge ruled that the exclusion was intended for armed conflict, not cyber conflict.
If Merck's eventual win seems like good news for enterprises with similar policies, it is, with a caveat. The ambiguity of the policy language meant it took five years and litigation to recover a substantial portion of the losses, an outcome that attorney Marcus Christian, a partner in Mayer Brown's cyber and data privacy practice, said most enterprises would undoubtedly like to avoid.
"This kind of problem can manifest itself somewhere else. The act of war exclusion is fairly ubiquitous. How it is worded may vary, and the bottom line is a company doesn't have the clarity that they need. Given how expensive premiums are, they need to make sure that they get that clarity before paying the premium for insurance," Christian said.
"It comes down to basic blocking and tackling. Insurance policies are contracts, and with contracts, you need to know what your language happens to be," he said.
There has been dramatic change in how insurers approach cybersecurity since 2017. Insurance companies have had to grapple with rising payouts during the ransomware era, which has led to narrower coverage and higher rates — and policies have become more specific.
In November, Lloyd's of London distributed four new model cyberwar clauses to its syndicates for use in cyber policies, covering a range of contingencies and severities. At the time, experts assumed it was a response to the Merck case. And while Lloyd's is a dominant player in the cyber insurance market, it is not alone in rushing to clarify how cyberwar is treated.
Merck's 2017 policy, notably, was an all-risk property policy rather than one tailored to cyber risk. In recent years, companies have increasingly turned to dedicated cyber policies.
"The Merck case is not about cyber insurance," said cyber-insurer Resilience through a spokesman. "Disputes like the case in Merck highlight the value of true specialty cyber insurance like that provided by Resilience, where the product is designed exclusively to address cyber risk."
The Merck case, paired with spiking ransomware payouts and generally increased cyber risk, has pushed insurers to make policies less nebulous while raising premiums and restricting payouts.
That could force enterprises into some difficult decisions, said Drew Schmitt, principal threat intelligence analyst at GuidePoint Security, via email.
"A potential byproduct from more specificity in insurance policies and a likely increase in cyber insurance premiums may be a reconsideration of whether cyber insurance has a positive impact on enterprise risk reduction or whether the funds spent on cyber insurance would be better invested elsewhere to support cybersecurity," said Schmitt.
"[But] it may be the motivation that many enterprises need to put more funding and emphasis on proactive cybersecurity controls and to bolster their reactive incident response capabilities in the event of an intrusion event," Schmitt added.