March 28, 2024 By Mike Elgan 3 min read

A major shift in how cyber insurance works started with an attack on the pharmaceutical giant Merck. Or did it start somewhere else?

In June 2017, the NotPetya incident hit some 40,000 Merck computers, destroying data and forcing a months-long recovery process. The attack affected thousands of multinational companies, including Mondelēz and Maersk. In total, the malware caused roughly $10 billion in damage.

NotPetya combined two Windows attack techniques, neither of which is itself a "vulnerability." The first was EternalBlue, an NSA-developed exploit for a flaw in the SMBv1 file-sharing protocol that had been leaked online and that Microsoft had already patched in March 2017 (MS17-010). The second was a credential-harvesting component based on Mimikatz, a tool that pulls passwords and password hashes for logged-on users out of Windows memory. EternalBlue broke into unpatched machines; the stolen credentials let the malware log on to fully patched ones.

The malware needed no user action. It moved laterally inside networks using the exploit and the harvested credentials (reusing them through legitimate remote-administration tooling such as PsExec and WMI) and spread very fast, sometimes taking down an entire network in less than a minute. Once executed, it overwrote the master boot record and encrypted the master file table, leaving the machine unable to boot.

A ransom note demanded payment for decryption, but no working decryption path existed: the "installation key" shown to victims was random data, so even the attackers could not have recovered a victim's files. The note served only to make victims believe they had been hit by ordinary ransomware. In fact, NotPetya existed to destroy data without any path to recovery.
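The spreading behaviour described above (one set of stolen credentials reused to log on to many hosts over the network within seconds) is something a defender can look for in authentication logs. The following is an added example written for this article, not code from the original page or from any vendor: a minimal sliding-window detector run over a handful of constructed Windows-style logon records. The record layout and field names are assumptions for illustration, not a real log schema.

```python
"""
Added example (not from the article): detect the fast lateral-movement
pattern of NotPetya-style spreading, i.e. one account performing network
logons to many distinct hosts inside a short time window.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# CONSTRUCTED sample records (not real telemetry):
# (timestamp, account, source host, target host, logon type)
# Logon type 3 = network logon, the type produced by SMB/RPC-based tools
# such as PsExec or WMI; type 2 = interactive console logon.
SAMPLE_LOGONS = [
    ("2017-06-27T10:30:00", "CORP\\svc_backup", "ws-101", "ws-102", 3),
    ("2017-06-27T10:30:02", "CORP\\svc_backup", "ws-101", "ws-103", 3),
    ("2017-06-27T10:30:03", "CORP\\svc_backup", "ws-101", "fs-01", 3),
    ("2017-06-27T10:30:05", "CORP\\svc_backup", "ws-102", "ws-104", 3),
    ("2017-06-27T10:30:06", "CORP\\svc_backup", "ws-102", "ws-105", 3),
    ("2017-06-27T10:30:08", "CORP\\svc_backup", "ws-103", "dc-01", 3),
    ("2017-06-27T10:31:00", "CORP\\alice", "ws-200", "fs-01", 3),   # normal use
    ("2017-06-27T11:15:00", "CORP\\alice", "ws-200", "fs-02", 3),   # normal use
    ("2017-06-27T10:45:00", "CORP\\bob", "ws-300", "ws-300", 2),    # interactive, ignored
]


def parse(records):
    """Turn the tuple records into (datetime, account, src, dst, logon_type)."""
    return [(datetime.fromisoformat(ts), acct, src, dst, lt)
            for ts, acct, src, dst, lt in records]


def find_lateral_bursts(records, window=timedelta(seconds=60), min_hosts=5):
    """Return {account: sorted distinct target hosts} for every account that
    made network logons to at least `min_hosts` distinct targets within any
    sliding `window`. The reported host list is the largest set seen in a
    single window for that account."""
    by_account = defaultdict(list)
    for ts, acct, _src, dst, lt in parse(records):
        if lt == 3:                       # only network logons matter here
            by_account[acct].append((ts, dst))

    hits = {}
    for acct, events in by_account.items():
        events.sort()                     # chronological order per account
        best = set()
        start = 0
        for end in range(len(events)):
            # shrink the window from the left until it spans <= `window`
            while events[end][0] - events[start][0] > window:
                start += 1
            targets = {dst for _, dst in events[start:end + 1]}
            if len(targets) > len(best):
                best = targets
        if len(best) >= min_hosts:
            hits[acct] = sorted(best)
    return hits


if __name__ == "__main__":
    for acct, hosts in find_lateral_bursts(SAMPLE_LOGONS).items():
        print(f"ALERT {acct}: network logons to {len(hosts)} hosts within 60s: {hosts}")
```

In the constructed sample only the service account trips the rule: six distinct targets in eight seconds, while a user touching two file servers 45 minutes apart does not. In production the same logic would consume Windows Security event 4624 records (logon type 3) from a SIEM, and the threshold would be tuned against the normal fan-out of backup, monitoring and administration accounts.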

Merck v. Ace American

Merck estimated that the attack cost it $1.4 billion, including lost production capacity while systems were down, replacement equipment and the new IT hires needed for the recovery.

Merck held a $1.75 billion "all-risk" property insurance policy with Ace American and other insurers. The insurers rejected the claim, arguing that because NotPetya originated in the Russia/Ukraine conflict, the policy's "Acts of War" exclusion relieved them of any obligation to pay.

Merck sued Ace American in November 2019. Merck's case centered mainly on the argument that the attack was not the kind of official state action the exclusion was written for and that Merck was a mere bystander far outside the theater of conflict. New Jersey Superior Court Judge Thomas J. Walsh found for Merck.

Ace American appealed, and the New Jersey appellate court affirmed, holding that the war exclusion in the policies, which excludes coverage for losses caused by hostile or warlike actions by governments, did not apply to the NotPetya losses.

Merck and its insurers reached a confidential settlement on January 5, 2024.

Other major companies went through similar legal scenarios and also settled, albeit likely for smaller amounts.

The battle over war exclusions

The outcome was neither entirely predictable nor necessarily intuitive. NotPetya is widely held to have been born of a war: it has been attributed to the Russian government (specifically the Sandworm group within Russian military intelligence) and was seeded in Ukraine through a compromised update of the M.E.Doc accounting software, for the assumed purpose of furthering Russia's aims in that conflict.

Though probably an act of cyber war, the attack then spread beyond Ukraine to machines worldwide, causing what might be described as collateral damage.

Cyber insurance policies typically contain war exclusion clauses, and the precise wording matters. The Lloyd's Market Association (LMA), for example, has published model cyber war exclusion clauses. Under that guidance the exclusion does not automatically reach every state-backed cyber operation: an operation conducted by a nation-state outside an actual armed conflict can remain covered in certain circumstances, for example where the attack took place outside the theater of conflict or the insured business was not its intended target.

The court’s ruling was consistent with Lloyd’s guidance, finding that the war exclusion clause did not apply to the circumstances of the NotPetya attack.

Still, the ruling was significant. Some of the most sophisticated and damaging cyberattacks are the result of actions by nation-states to attack rivals or enemies. If insurance companies can’t use standard war exclusion clauses for these damaging, state-sponsored cyberattacks, they’ll need to adjust policies, raise prices or both going forward.

The latest change in a fast-changing industry

The cyber insurance landscape has been in flux for at least a decade. As a result of increasingly costly cyberattacks, insurance customers have been hit with rising premiums, stricter underwriting requirements and narrowed coverage.

These changes have come about because of a wide variety of trends in the cyberattack landscape, including the surge in ransomware a few years ago.

Global cyber insurance premiums have risen from under $5 billion in 2018 to an estimated $18 billion this year (2024), according to the Swiss Re Institute.

Companies must now get their cybersecurity houses in order under increasingly strict underwriting guidelines just to obtain coverage at all. Insurers are taking longer to decide whom they will cover and are becoming more selective.

Coverage is narrowing in part through a rising number of exclusions that void coverage under certain circumstances (and the “war exclusion” was a big one).

The Merck settlement has focused industry attention on the challenges of defining war exclusions in cyber insurance policies. Insurance companies are likely to further tighten language, especially for war exclusion — a trend that had already begun in 2022.

It has shifted the attention of insurance buyers as well. Companies need to take a hard look at exclusions, waiting periods, policy limits and other terms when choosing a provider. They should also estimate whether they might be targeted, or caught up as collateral damage, as a result of geopolitical events, and consider how the exclusions could leave them without a payout should a serious state-sponsored cyberattack occur.

And above all, focus on actual cybersecurity — especially automation tools and AI.

While Merck and related lawsuits and settlements are likely to make a material contribution to changes in the costs, policies, exclusions and limits of cybersecurity insurance, the greater contributing factor is the increasing sophistication and costliness of cyberattacks generally.
