Amid Legal Fallout, Cyber Insurers Redefine State-Sponsored Attacks as Act of War

As carriers rewrite their act-of-war exclusions following the NotPetya settlement between Mondelez and Zurich, organizations should read their cyber insurance policies carefully to see what is still covered.

The consequences from NotPetya, which the US government said was caused by a Russian cyberattack on Ukraine in 2017, continue to be felt as cyber insurers modify coverage exclusions, expanding the definition of an "act of war." Indeed, the 5-year-old cyberattack appears to be turning the cyber insurance market on its head.

Mondelez International, parent of such popular brands as Cadbury, Oreo, Ritz, and Triscuit, was hit hard by NotPetya, with factories and production disrupted. It took days for the company's staff to regain control of its computer systems. The company filed a claim with its property and casualty insurer, Zurich American, for $100 million in losses. After initially approving a fraction of the claim ($10 million), Zurich declined to pay, stating the attack was an act of war and thus excluded from the coverage. Mondelez filed a lawsuit.

Late last month Mondelez and Zurich American reportedly agreed to the original $100 million claim, but that wasn't until after Merck won its $1.4 billion lawsuit against Ace American Insurance Company in January 2022 for its NotPetya-related losses. Merck's claims also were against its property and casualty policy, not a cyber insurance policy.

Back in 2017, cyber insurance policies were still nascent, so many large corporations filed claims for damages related to NotPetya (the scourge that caused an estimated $10 billion in damage worldwide) against corporate property and casualty policies.

What's Changed?

The significance of these settlements illustrates an ongoing maturation of the cyber insurance market, says Alla Valente, senior analyst at Forrester Research.

Until 2020 and the COVID-19 pandemic, cyber insurance policies were sold in a fashion akin to traditional home or auto policies, with little concern for a company's cybersecurity profile, the tools it had in place to defend its networks and data, or its general cyber hygiene.

Once a large number of ransomware attacks occurred that built on the lax cybersecurity many organizations demonstrated, insurance carriers began changing and tightening the requirements for obtaining such policies, Valente says.

The business model for cyber insurance is dramatically different from other policies, making the cyber insurance policies of 2017 obsolete. Cyber insurance is in a state of flux, with turnover in the carrier market, lower limits on coverage offered, and more aggressive terms, including exclusions, than what was in place prior to 2020.

Defining an Act of War

Acts of war are a common insurance exclusion. Traditionally, exclusions required a "hot war," such as what we see in Ukraine today. However, courts are starting to recognize cyberattacks as potential acts of war without a declaration of war or the use of land troops or aircraft. The state-sponsored attack itself constitutes a war footing, the carriers maintain.

In April 2023, new verbiage will go into effect for cyber policies from Lloyd's of London that will exclude liability losses arising from state-backed cyberattacks. In a Market Bulletin released in August 2022, Lloyd's underwriting director Tony Chaudhry wrote, "Lloyd's remains strongly supportive of the writing of cyber-attack cover but recognizes also that cyber related business continues to be an evolving risk. If not managed properly it has the potential to expose the market to systemic risks that syndicates could struggle to manage."

Lloyd's went on to publish additional supplemental requirements and guidance that modified its rules from 2016, just prior to the NotPetya attack.

Effectively, Forrester's Valente notes, larger enterprises might have to set aside large stores of cash in case they are hit with a state-sponsored attack. Should insurance carriers be successful in asserting in court that a state-sponsored attack is, by definition, an act of war, no company will have coverage unless they negotiate that into the contract specifically to eliminate the exclusion.

When buying cyber insurance, "it is worth having a detailed conversation with the broker to compare so-called 'war exclusions' and determining whether there are carriers offering more favorable terms," says Scott Godes, partner and co-chair of the Insurance Recovery and Counseling Practice and the Data Security & Privacy practice at District of Columbia law firm Barnes & Thornburg. "Unfortunately, litigation over this issue is another example of carriers trying to tilt the playing field in their favor by taking premium, restricting coverage, and fighting over ambiguous terms."

For small and midsize businesses (SMBs) that get hit by a state-sponsored attack, it could be "lights out," Valente says. Plus, she emphasizes, SMBs often are targeted if they are primary or secondary suppliers to a large enterprise with information the attacker wants. That means a small company hit by a state-sponsored attack without the right insurance coverage could be out of business simply because the attacker was a nation-state rather than a cybercriminal.

Understand What Is Covered

While the European and North American cyber insurance markets are similar, they are by no means identical.

"Not every [American] policy will have language recommended by the London insurance market, and those rules do not apply to American insurance carriers," Godes says. "As a best practice, policyholders should consider whether London market insurance carriers are offering the most robust coverage after the recommended changes go into effect."

Godes, whose firm represents the insured rather than the carriers or brokers, notes, "This case is an example to policyholders that when claims get really expensive, carriers will do everything they can to fight coverage. The insured always should remember that the insurance carrier must prove that an exclusion applies. And sometimes," he quips, "the insured will need to litigate with its carrier to get the coverage it thought it was buying."

The upshot from the Merck and Mondelez cases, as well as Lloyd's recent announcement: State-sponsored attacks now fall into the act-of-war exclusion.

"Many carriers are in the process of rewriting their act of war exclusions to address the realities of state-sponsored or assisted cyberattacks and also because courts, as indicated in a few recent decisions and perhaps implied by the Mondelez settlement, are looking skeptically at the application of clauses written for traditional guns and bullets warfare to cyberattacks," says Kenneth Rashbaum, a partner at New York law firm Barton. "I think this is the most significant takeaway from Mondelez and those recent court decisions. Carriers who update their clauses will be more aggressive in denials of coverage for attacks that may be considered state-sponsored, while those that do not update the clauses may be less inclined to rely on them."