March 28, 2024 By Mike Elgan 3 min read

A major shift in how cyber insurance works started with an attack on the pharmaceutical giant Merck. Or did it start somewhere else?

In June 2017, the NotPetya incident hit some 40,000 Merck computers, destroying data and forcing a months-long recovery process. The attack affected thousands of multinational companies, including Mondelēz and Maersk. In total, the malware caused roughly $10 billion in damage.

NotPetya malware exploited two Windows vulnerabilities: EternalBlue, a digital skeleton key leaked from the NSA, and Mimikatz, an exploit that harvested user passwords from Windows machines.

The malware was designed to infect without user action, move laterally inside networks and spread very fast, sometimes taking down networks in less than a minute. Once executed, it would overwrite the master boot record, preventing it from booting.

A ransom note demanded payment for decryption. But there was no mechanism or plan for doing so. Its purpose was to convince victims they were hit by ransomware. In fact, NotPetya existed only to destroy data without a path to recovery.

Merck v. Ace American

Merck estimated that the attack cost $1.4 billion. Those costs included a temporary loss of production capacity, as well as the cost of equipment and new IT hiring necessary to recover.

The company had a $1.75 billion “all-risk” insurance policy with Ace American. But the company rejected their claim, saying that because NotPetya started in the Russia/Ukraine war, the “Acts of War” exclusion clause meant they didn’t have to pay.

Merck sued Ace American in November 2019. Their case centered mainly on the argument that the attack was not the result of an official state action and that Merck was a mere bystander outside the theater of conflict. New Jersey Superior Court judge Thomas J. Walsh found for Merck.

Ace American appealed, and the state appellate court in the case found that the war exclusion clause provision in insurance policies — which excludes coverage for losses caused by hostile or warlike actions by governments — did not apply in the case.

The two parties reached a confidential settlement with insurers on January 5, 2024.

Other major companies went through similar legal scenarios and also settled, albeit likely for smaller amounts.

The battle over war exclusions

The outcome of the case was neither entirely predictable nor necessarily intuitive. NotPetya itself is widely believed to have begun in a war — attributed to the Russian government (specifically the Sandworm hacking group within Russian military intelligence) and initiated in Ukraine for the assumed purpose of furthering Russia’s aims in that conflict.

Though probably an act of cyber war, the attack then spread outside Ukraine to machines globally, causing what might be described as collateral damage.

Cyber insurance policies typically contain war exclusion clauses. For example, The Lloyd’s Market Association (LMA) published guidance for cyber war exclusion clauses. They recommend that exclusion won’t apply to cyber operations conducted by nation-states outside an actual hot war under certain circumstances. For example, if the cyberattack took place outside the theater of conflict or if the business wasn’t the intended target.

The court’s ruling was consistent with Lloyd’s guidance, finding that the war exclusion clause did not apply to the circumstances of the NotPetya attack.

Still, the ruling was significant. Some of the most sophisticated and damaging cyberattacks are the result of actions by nation-states to attack rivals or enemies. If insurance companies can’t use standard war exclusion clauses for these damaging, state-sponsored cyberattacks, they’ll need to adjust policies, raise prices or both going forward.

The latest change in a fast-changing industry

The cyber insurance landscape has been in flux for at least a decade. As a result of increasingly costly cyberattacks, insurance customers have been hit with rising premiums, stricter underwriting requirements and narrowed coverage.

These changes have come about because of a wide variety of trends in the cyberattack landscape, including the ransomware trends of a few years ago.

Global cyber insurance premiums have risen from under $5 billion in 2018 to an estimated $18 billion this year, according to the Swiss Re Institute.

Companies have been required to get their cybersecurity houses in order under increasingly strict guidelines just to get coverage at all. Insurance companies are taking longer to approve who they cover and are becoming more selective.

Coverage is narrowing in part through a rising number of exclusions that void coverage under certain circumstances (and the “war exclusion” was a big one).

The Merck settlement has focused industry attention on the challenges of defining war exclusions in cyber insurance policies. Insurance companies are likely to further tighten language, especially for war exclusion — a trend that had already begun in 2022.

And it’s shifted attention among buyers of insurance as well. Companies will need to take a hard look at exclusions, waiting periods, policy limits and other factors when considering an insurance provider. Another important element is to estimate whether a company might be victimized or targeted as the result of geopolitical events and consider how exclusions may leave them without payouts should serious state-sponsored cyberattacks occur.

And above all, focus on actual cybersecurity — especially automation tools and AI.

While Merck and related lawsuits and settlements are likely to make a material contribution to changes in the costs, policies, exclusions and limits of cybersecurity insurance, the greater contributing factor is the increasing sophistication and costliness of cyberattacks generally.

More from Risk Management

What should Security Operations teams take away from the IBM X-Force 2024 Threat Intelligence Index?

3 min read - The IBM X-Force 2024 Threat Intelligence Index has been released. The headlines are in and among them are the fact that a global identity crisis is emerging. X-Force noted a 71% increase year-to-year in attacks using valid credentials.In this blog post, I’ll explore three cybersecurity recommendations from the Threat Intelligence Index, and define a checklist your Security Operations Center (SOC) should consider as you help your organization manage identity risk.The report identified six action items:Remove identity silosReduce the risk of…

Obtaining security clearance: Hurdles and requirements

3 min read - As security moves closer to the top of the operational priority list for private and public organizations, needing to obtain a security clearance for jobs is more commonplace. Security clearance is a prerequisite for a wide range of roles, especially those related to national security and defense.Obtaining that clearance, however, is far from simple. The process often involves scrutinizing one’s background, financial history and even personal character. Let’s briefly explore some of the hurdles, expectations and requirements of obtaining a…

Ransomware payouts hit all-time high, but that’s not the whole story

3 min read - Ransomware payments hit an all-time high of $1.1 billion in 2023, following a steep drop in total payouts in 2022. Some factors that may have contributed to the decline in 2022 were the Ukraine conflict, fewer victims paying ransoms and cyber group takedowns by legal authorities.In 2023, however, ransomware payouts came roaring back to set a new all-time record. During 2023, nefarious actors targeted high-profile institutions and critical infrastructure, including hospitals, schools and government agencies.Still, it’s not all roses for…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today