A major shift in how cyber insurance works started with an attack on the pharmaceutical giant Merck. Or did it start somewhere else?
In June 2017, the NotPetya incident hit some 40,000 Merck computers, destroying data and forcing a months-long recovery process. The attack affected thousands of multinational companies, including Mondelēz and Maersk. In total, the malware caused roughly $10 billion in damage.
NotPetya malware exploited two Windows vulnerabilities: EternalBlue, a digital skeleton key leaked from the NSA, and Mimikatz, an exploit that harvested user passwords from Windows machines.
The malware was designed to infect without user action, move laterally inside networks and spread very fast, sometimes taking down networks in less than a minute. Once executed, it would overwrite the master boot record, preventing the infected machine from booting.
A ransom note demanded payment for decryption. But there was no mechanism or plan for doing so. Its purpose was to convince victims they were hit by ransomware. In fact, NotPetya existed only to destroy data without a path to recovery.
Merck v. Ace American
Merck estimated that the attack cost $1.4 billion. Those costs included a temporary loss of production capacity, as well as the cost of equipment and new IT hiring necessary to recover.
The company had a $1.75 billion “all-risk” insurance policy with Ace American. But the insurer rejected Merck’s claim, saying that because NotPetya started in the Russia/Ukraine war, the “Acts of War” exclusion clause meant it didn’t have to pay.
Merck sued Ace American in November 2019. Their case centered mainly on the argument that the attack was not the result of an official state action and that Merck was a mere bystander outside the theater of conflict. New Jersey Superior Court judge Thomas J. Walsh found for Merck.
Ace American appealed, and the state appellate court in the case found that the war exclusion clause provision in insurance policies — which excludes coverage for losses caused by hostile or warlike actions by governments — did not apply in the case.
Merck and its insurers reached a confidential settlement on January 5, 2024.
Other major companies went through similar legal scenarios and also settled, albeit likely for smaller amounts.
The battle over war exclusions
The outcome of the case was neither entirely predictable nor necessarily intuitive. NotPetya itself is widely believed to have begun in a war — attributed to the Russian government (specifically the Sandworm hacking group within Russian military intelligence) and initiated in Ukraine for the assumed purpose of furthering Russia’s aims in that conflict.
Though probably an act of cyber war, the attack then spread outside Ukraine to machines globally, causing what might be described as collateral damage.
Cyber insurance policies typically contain war exclusion clauses. For example, the Lloyd’s Market Association (LMA) published guidance for cyber war exclusion clauses. It recommends that the exclusion not apply to cyber operations conducted by nation-states outside an actual hot war under certain circumstances, for example if the cyberattack took place outside the theater of conflict or if the business wasn’t the intended target.
The court’s ruling was consistent with Lloyd’s guidance, finding that the war exclusion clause did not apply to the circumstances of the NotPetya attack.
Still, the ruling was significant. Some of the most sophisticated and damaging cyberattacks are the result of actions by nation-states to attack rivals or enemies. If insurance companies can’t use standard war exclusion clauses for these damaging, state-sponsored cyberattacks, they’ll need to adjust policies, raise prices or both going forward.
The latest change in a fast-changing industry
The cyber insurance landscape has been in flux for at least a decade. As a result of increasingly costly cyberattacks, insurance customers have been hit with rising premiums, stricter underwriting requirements and narrowed coverage.
These changes have come about because of a wide variety of trends in the cyberattack landscape, including the ransomware trends of a few years ago.
Global cyber insurance premiums have risen from under $5 billion in 2018 to an estimated $18 billion this year, according to the Swiss Re Institute.
Companies have been required to get their cybersecurity houses in order under increasingly strict guidelines just to get coverage at all. Insurance companies are taking longer to approve who they cover and are becoming more selective.
Coverage is narrowing in part through a rising number of exclusions that void coverage under certain circumstances (and the “war exclusion” was a big one).
The Merck settlement has focused industry attention on the challenges of defining war exclusions in cyber insurance policies. Insurance companies are likely to further tighten language, especially for war exclusion — a trend that had already begun in 2022.
And it’s shifted attention among buyers of insurance as well. Companies will need to take a hard look at exclusions, waiting periods, policy limits and other factors when considering an insurance provider. Another important element is to estimate whether a company might be victimized or targeted as the result of geopolitical events and consider how exclusions may leave them without payouts should serious state-sponsored cyberattacks occur.
And above all, focus on actual cybersecurity — especially automation tools and AI.
While Merck and related lawsuits and settlements are likely to make a material contribution to changes in the costs, policies, exclusions and limits of cybersecurity insurance, the greater contributing factor is the increasing sophistication and costliness of cyberattacks generally.