The NotPetya malware outbreak of 2017 caused massive damage and disruption around the world. It also led to two major court cases between large corporations and their insurers: Mondelez claimed $100 million from Zurich American Insurance Company, while Merck claimed $1.4 billion from ACE American Insurance Co.
Both companies held 'all-risks' property insurance, and both had their claims rejected on the basis of a war exclusion clause. Both then filed suit against their insurer.
The Mondelez case is ongoing, but Merck sought, and last week was granted, summary judgment.
The issue is one of interpretation: can the NotPetya outbreak be classified as an 'act of war'? By many definitions it can. There is little doubt that it originated from agents of the Russian government as part of ongoing hostilities against Ukraine. But no armed soldiers were involved, there is no formal state of war between the two countries (yet), and the damage done to Merck and Mondelez, collateral victims of self-propagating malware, is entirely separate from the conflict between Russia and Ukraine.
When cyber insurance began, it was considered a 'gap filler'. Insurers asked themselves whether there were gaps in the cover they offered, and concluded that cyber risks are different from physical risks and consequently demand their own separate policies. From the insurers' standpoint, property insurance is for property risks and cyber insurance for cyber risks.
What that framing overlooks is that a cyberattack can cause physical damage to property. Both Mondelez and Merck claimed under their property policies for exactly that: physical damage caused by NotPetya.
In coming to his decision in the Merck case on January 13, 2022, New Jersey Superior Court Judge Thomas J. Walsh ruled that the plain-language meaning of the words used in the war exclusion clause is paramount. He concluded that the insured could not reasonably have expected the clause to exclude physical damage caused by NotPetya; in other words, damage caused by a NotPetya compromise is not automatically an 'act of war' for the purposes of the policy.
“Given the plain meaning of the language in the exclusion,” he wrote, “the court unhesitatingly finds that the exclusion does not apply.” But he also added, “Insurers did nothing to change the language of the exemption to reasonably put this insured on notice that it intended to exclude cyberattacks… Merck had every right to anticipate that the exclusion applied only to traditional forms of warfare.”
So, what now? One inevitable effect will be that all insurers re-examine their precise policy wording, and especially the war exclusion clause. The intent will be to rule out any possibility of a cyber-involved loss being covered by a property policy, if only to drive more customers to take out a separate and additional cyber risk policy.
Jack Kudale, founder and CEO of Cowbell Cyber, which offers cyber insurance for SMBs, suggests this is not skullduggery on the part of the insurance companies but part of the bedding-in process for what remains the newest class of insurance. "Cyber insurance has progressed dramatically over the past four years, or so," he told SecurityWeek. "Vital elements needed to modernize the approach and achieve full alignment between policyholders and their insurers include standardization of coverages, clarification of terms, advanced and continuous assessment of cyber risk, and transparency in the underwriting process."
John Bambenek, principal threat hunter at Netenrich, has a slightly different view. "The growth of ransomware is pushing the financial boundaries of insurance companies, so they've been looking for escape hatches. 'Act of war' clauses are common in insurance contracts but only in cybersecurity is there any real risk of that. Organizations will have to bake this gap into their risk mitigation plans, but the answer to cybersecurity has never been 'more insurance' anyway."
A second and equally inevitable effect of this judgment will be a further increase in premiums, although it isn't clear whether this will land on property insurance, on cyber insurance, or be spread between the two. Insurance companies cannot absorb a $1.4 billion loss without some form of response.
Related: Improving Security Posture to Lower Insurance Premiums
Related: The Wild West of the Nascent Cyber Insurance Industry
Related: Plugging the Discrepancy Between Cyber Insurance Coverage and Actual Risk
Related: The Case for Cyber Insurance