War or Cost of Doing Business? Cyber Insurers Hashing Out Exclusions

Following a settlement over Merck's $700 million claims over NotPetya damages, questions remain about what constitutes an act of war for cyber-insurance policies.

5 Min Read
The words "cyber insurance" on a digital background
Source: Shutterstock

Drugmaker Merck's long legal battle with its insurance companies over the damages caused to its business by the NotPetya wiper worm ended last week when the company settled with a bevy of insurance companies that had refused to pay $699 million of the $1.4 billion in claimed damages, citing hostile/warlike act exclusion clauses. 

Merck has remained mum on the details of the settlement — and did not return a request for comment — but the reported settlement will likely have less impact than the lawsuit's long road through the courts, which included two rulings for the drugmaker, cyber-insurance industry experts say. Already, cyber-insurance firms have clarified the act-of-war clauses in their policies, a task mandated by large insurance firms such as Lloyd's.

The sticking point is whether damaging cyberattacks by state-sponsored actors constitute an exclusion in a particular policy, says Shawn Ram, head of insurance for cyber-insurance firm Coalition.

"There's a lot of variation in language and attribution can be challenging," he says. "There's attacks that happen frequently from entities around the world that are connected in some way to government, but those attacks are rarely attributed to ... an official act of war."

With geopolitical conflicts expanding around the globe, and cyber operations a common tactic in many nations' arsenals, more companies are looking to mitigate risks from damaging cyberattacks, no matter whether the attacker is a nation's military or an independent cybercriminal group. The resolution of Merck lawsuit sounds a note of hope for businesses and large industry organizations — from the National Association of Manufacturers to the Restaurant Law Foundation — which argued in support of Merck's lawsuit.

Merck's lawsuit stemmed from the NotPetya attack that hit companies and organizations worldwide in June 2017, wiping hard drives, disrupting operations, and causing significant business losses. For Merck, the attack was devastating, shutting down research, sales and manufacturing — in some cases, for weeks — with damages reaching a claimed $1.4 billion. Some insurers, however, refused to pay for the damages, claiming that the widespread attack fell under the act-of-war clauses common in insurance policies, and in particular, Merck's property-insurance policy, under which it made the claim.

Even after a widespread effort by the insurance industry to clarify those exclusions, companies should take care and ensure that they are getting the coverage that they need, says Alla Valente, a senior analyst with Forrester Research.

"It's really important that all organizations read the fine print — those terms, those conditions — but also what the exclusions look like, because the policy might pay for certain types of cyberattacks, but not others," she says. "Or, they might pay for cyberattacks, as long as you're maintaining a certain level of security best practices."

Two Losses, Avoiding a Third

In the latest milestone in the saga, the insurance companies settled with Merck right before the drug company and its insurers were due to argue their cases before the New Jersey Supreme Court. Merck had already won favorable rulings during an initial trial, with the court "unhesitatingly" ruling against the insurance companies and their attempted use of the hostile/warlike action exclusion. The appellate court later affirmed that decision, according to its May 2023 ruling.

"Coverage could only be excluded here if we stretched the meaning of 'hostile' to its outer limit in an attempt to apply it to a cyberattack on a non-combatant firm that provided accounting software updates to various non-combatant customers, all wholly outside the context of any armed conflict or military objective," the ruling stated. "But that approach would conflict with our basic construction principles requiring a court to narrowly construe an insurance policy exclusion."

While insurance companies likely avoided a third loss by settling, the insurance industry had already embarked on clarifying exclusions to broad outbreaks of cyberattacks. In August 2022, insurance giant Lloyd's issued requirements for its underwriters for state-backed cyberattack exclusions to minimize catastrophic losses to the cyber-insurance industry.

"[W]hen writing cyber-attack risks, underwriters need to take account of the possibility that state backed attacks may occur outside of a war involving physical force," Lloyd's stated in its 2022 Market Bulletin on state-backed cyberattack risks. "The damage that these attacks can cause and their ability to spread creates a similar systemic risk to insurers."

Clarify Conflict Clauses, Shrink the Attack Surface

Following the settlement, it's even more important that companies are clear as to what damages they want to be covered by their cyber insurance. In particular, they should specifically determine when any cyberattack could be classified as a "hostile/warlike act" that would be excluded from coverage, says Theresa Le, chief claims officer with Cowbell, an insurance company focused on using data and machine learning to adapt to the market.

"Part of this discussion should include whether the war exclusion wording is acceptable to the client. As a leading cyber insurance provider, we understand the need for the market to manage its exposure to systemic and catastrophic risk," she says. "Our team believes that clarity of intent is vital to the long-term sustainability and adoption of cyber insurance."

Yet companies should also realize that having to make an insurance claim is a poor substitute from blunting the attack in the first place, says Coalition's Ram. 

"There's a reason why cyber is different — different than property, most notably property-related catastrophic events," he says. "Unlike an earthquake, unlike a hurricane, the policyholder has the ability to interdict, right? You can update your software, you can patch, you can put it behind a VPN — there's lots of ways lots of things that you can do to mitigate against a large-scale event."

About the Author(s)

Robert Lemos, Contributing Writer

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights