CISOs hoping to have more clarity regarding what incidents their cybersecurity insurance policies will likely cover got the answers they hoped for earlier this month. On May 1, a New Jersey appeals court agreed with an earlier court’s decision that insurers could not deny coverage under a so-called “war exclusion” for a cybersecurity incident Merck & Co. claimed caused $1.4 billion in losses.
The ruling was widely extolled as a victory for cybersecurity insurance policyholders.
As a result of the court’s decision, Merck’s insurers will likely have to pay up on the $1.4 billion claim resulting from the 2017 NotPetya ransomware attack. The appeals judges agreed that the widely held definition of warlike acts does not apply to cyberattacks against firms not engaged in hostilities. The panel of judges concluded that the ransomware attack could only be excluded if the meaning of “hostile” was stretched to its “outer limit” to include noncombatant firms operating wholly outside the context of “any armed conflict or military objective.”
This Merck case wasn’t the only case to find itself blurred by the fog of war. In June 2018, Zurich American Insurance Company informed food and beverage company Mondelez International that because of an “act of war” exclusion, it denied its $100 million claim resulting from NotPetya damage. By October 2018, Mondelez had filed a lawsuit against Zurich to recover its claim. That lawsuit was settled after the initial U.S. court tossed the insurers’ claim that they shouldn’t have to pay for the ransomware attack.
The battle over whether insurers were on the hook for the claim goes back to a 2017 global cyberattack known as NotPetya. The NotPetya ransomware attackers primarily targeted organizations within Ukraine and were believed to be politically motivated against that nation. The attack used a different variant of the Petya malware and was not-so-creatively named “NotPetya.” NotPetya propagates via the EternalBlue exploit and infects the master boot record of Microsoft Windows systems. The malware encrypts the hard drive’s file system table, preventing the system from booting, and demands a payment in Bitcoin to regain access.
The attack was widely blamed on the Russian government's Sandworm hacking group. On Feb. 15, 2018, the White House press secretary issued a statement that attributed the NotPetya attack to the Russian military and deemed it the most destructive and costly cyber-attack in history. “The attack, dubbed ‘NotPetya,’ quickly spread worldwide, causing billions of dollars in damage across Europe, Asia, and the Americas. It was part of the Kremlin’s ongoing effort to destabilize Ukraine and demonstrates ever more clearly Russia’s involvement in the ongoing conflict. This was also a reckless and indiscriminate cyber-attack that will be met with international consequences,” the statement read.
Had war exclusions been upheld for state-affiliated attacks, insurers could have denied the bulk of ransomware claims, because most ransomware attacks are state-affiliated. According to the U.S. Department of Justice’s Financial Crimes Enforcement Network analysis covering July through December 2021, Russian threat actors were behind 75% of ransomware incidents. “Attribution is always tricky,” says Scott Crawford, information security research head at S&P Global Market Intelligence. “But if you are removing coverage from state-affiliated threat actors, you are removing a considerable amount of the risk mitigation enterprises hoped their policies would handle,” he says.
Crawford adds that while the judgment in the Merck case and the settlement in the Mondelez case both clarify what will be covered by cyber insurance policies, insurers were already adapting their coverage for incidents caused by state-sponsored threat actors. Policyholders can obtain coverage for attacks by nation-state-affiliated threat actors, but they will pay a higher premium for it.
“The wording of these policies has changed considerably since 2017,” says Crawford. According to Crawford, some insurers (such as Lloyd’s of London) have already decided to cover cyber-attacks caused by nation-state groups. However, these policies rate and price the risk of such incidents separately from the standard cybersecurity insurance policy.
What this means for CISOs and others researching cybersecurity insurance is that they need to be sure they understand what types of incidents and threat actors are covered in their standard policies, and whether those policies cover nation-state actors. “You must be diligent and be certain what your policy covers,” Crawford says.
Insurers had to do something. According to research compiled by S&P Global Market Intelligence, over the five years through 2021, insurers’ cybersecurity insurance loss ratios (the ratio of claims paid to premiums collected) nearly doubled.
Many industry observers view the court’s definition of acts of war regarding cybersecurity incidents—and policies' changing definitions and costs—as part of a welcome maturity of cybersecurity insurance.
“I think it [Merck case] may help punctuate the evolution of cyber insurance,” says Chris Blask, chair of the Industrial Control System Information Sharing and Analysis Center (ICS-ISAC). “Risk transfer has to be predictable, and these terms and the policy language necessary to manage them must continue to evolve to reflect a reliable analog of the real world,” says Blask.
George V. Hulme is an award-winning journalist and internationally recognized information security and business technology writer. He has covered business, technology, and IT security topics for more than 20 years. His work has appeared in CSOOnline, ComputerWorld, InformationWeek, Security Boulevard, and dozens of other technology publications. He is also a founding editor at DevOps.com.