How NotPetya reveals the future of cyber risks & damages

In the aftermath of NotPetya, major global companies looked to their insurers to cover the losses.


On March 21, 2022, President Biden warned the nation that intelligence reports indicated that Russia was exploring cyberattacks against American companies, stating “… one of the tools [Putin is] most likely to use in my view, in our view, is cyberattacks.” This escalated threat comes on the heels of the imposition of severe sanctions on Russia as a result of its invasion of Ukraine.

This increased risk of potentially devastating cyberattacks occurs amidst an already fraught environment in which ransomware attacks more than doubled in 2021 and, after a brief retreat this past January, are back on the rise. As a result, cyber insurance providers have had to re-evaluate how to account for the additional risk posed by cyberattacks in a wartime setting. It is against this already complicated background that the December 2021 decision in Merck & Co., Inc. and International Indemnity v. Ace American Insurance Company by a New Jersey Superior Court is notable for its potential consequences for the cyber insurance market serving small- to medium-sized American businesses.

Despite the massive increase in cyberattacks facing American companies over the last five years, a direct Russian cyberattack on smaller companies remains unlikely. Rather, while the White House and federal agencies such as the Cybersecurity and Infrastructure Security Agency (CISA) have recently stressed the risk of Russian attacks on critical infrastructure companies, it is the potential for collateral damage to much smaller downstream vendors and unrelated companies that remains high, because self-propagating malware does not stop at its intended target.

The best-known example of this is of course the NotPetya attack. In the summer of 2017, as part of its years-long assault on Ukraine, Russia released NotPetya, destructive malware disguised as ransomware, through a compromised software update for a Ukrainian tax and accounting software product. Once inside a network, the malware spread on its own, using the EternalBlue SMB exploit and stolen administrative credentials, which is why it escaped its intended targets. The attack infected dozens of Ukrainian companies and institutions, including the National Bank of Ukraine, but almost immediately created global ripples, eventually causing billions of dollars in damages. Victims included international shipping behemoth Maersk, Mondelez International, and pharmaceutical giant Merck, but also much smaller entities. Regardless of size, these victims found themselves completely locked out of their networked systems and ground to an operational standstill. In effect, they had become collateral damage in Russia’s cyber campaign against Ukraine.

In the aftermath of NotPetya, both Mondelez and Merck looked to their insurers to cover costs. Merck sought to invoke its all-risk property insurance policy with Ace American to cover more than $1.4 billion in losses it had sustained. This policy, unlike more focused cyber insurance policies, contained an industry-standard war exclusion. In pertinent part, the exclusion indicated that the policy did not apply to “Loss or damage caused by hostile or warlike action in time of peace or war … by any government or sovereign power (de jure or de facto) by any authority maintaining or using military, naval or air forces … or by an agent of such government.” Ace American relied on this exclusion to disclaim coverage, claiming that NotPetya was “an instrument of the Russian Federation as part of its ongoing hostilities against the nation of Ukraine.”

After lengthy proceedings, the court found in December 2021, in an 11-page decision, that Merck was indeed entitled to summary judgment on the grounds that the war exclusion was inapplicable to the type of attack Merck had sustained. In rendering its decision, the court relied heavily on contract rules of construction to determine Merck’s “reasonable expectations,” noting that in the context of all-risk policies, “[e]xclusions ‘will be given the interpretation which is most beneficial to the assured.’”

The court further stated that, despite the knowledge that cyberattacks had “become more common,” Ace American’s failure to change the exclusion’s language meant Merck “had every right to anticipate that the exclusion applied only to traditional forms of warfare.” The decision, however, did little to address attack attribution, which is likely to be the focal point of future similarly situated cases. It therefore provides little certainty and instead suggests that carriers will have to draft carve-outs for multiple factual permutations. (The New Jersey Appellate Division granted Ace American’s motion for leave to appeal on February 24, 2022.)

Cyber & war exclusions

Even before this decision, however, the insurance industry had already taken steps to reformulate its war exclusions for the cyber context in the face of a volatile landscape. In November 2021, the Lloyd’s Market Association (UK) published four new cyberwar exclusions for use by underwriters. These exclusions would limit coverage for “cyber operations” conducted on behalf of a nation-state. And, while insurers frequently include policy carve-backs for cyberterrorism attacks (attacks with a political or ideological rather than financial motive, for instance), these too can be limited if the attack is found to fall within the context of warlike operations. Casting a long shadow over insurers, insureds, and the courts, however, is the question of attribution, which must be resolved before anyone can say whether such exclusions apply.

Thus the question of whether a cyberattack falls under an applicable war or cyberwar exclusion, regardless of the type of policy, will be heavily fact-dependent and carry several challenges.

Unlike traditional armed conflict, in which the source of tanks and troops can be readily identified, determining the source of a cyberattack is a murky proposition at best: it rests on forensic evidence such as code overlap, shared infrastructure, and tradecraft, all of which a capable adversary can obscure. Insurers are poorly positioned to make such determinations given the technical expertise such an analysis requires. Instead, attribution for large-scale cyberattacks is largely left to the federal government and private cybersecurity firms (putting aside the question of whether a government may withhold public attribution for strategic reasons).

The U.S. government, for instance, did not publicly attribute the June 2017 NotPetya attack to the Russian military until February 2018, nearly eight months later. Separately, Russian-speaking ransomware gangs such as Conti, DarkSide or REvil may publicly take responsibility for an attack on American critical infrastructure companies, but cyberterrorism or war-exclusion inquiries will require a finding as to whether these gangs are operating as agents of a nation-state such as Russia, whether their interests merely happen to align with a nation-state, or even whether they are using an ongoing war as a smokescreen for their actions.

For instance, in much-publicized comments, the Conti group voiced its support at the end of February for Russia’s invasion of Ukraine by stating that “[i]f anybody will decide to organize a cyberattack or any war activities against Russia, we are going to use all our possible resources to strike back at the critical infrastructures of an enemy.”

Internal Conti chats leaked in the aftermath of the Russian invasion suggested a number of connections with Russia’s Federal Security Service (FSB). Yet the same FSB arrested a number of REvil members this past January, which makes determining whether such groups and their attacks are state-sponsored or merely politically motivated complicated at best. Insurers will therefore likely rely on a “widely reported” barometer to make these decisions. And, because these analyses will necessarily be nuanced and made without the benefit of all the facts, increased litigation seems inevitable.

The difficulty in making these determinations underscores the risks for small to medium-sized businesses. The National Cyber Security Alliance has previously indicated that 60% of small businesses go out of business within six months of a cyberattack. Aaron Weaver, The Disturbing Facts About Small Businesses That Get Hacked, Hacked.com (April 13, 2021).

The need for cyber insurance is therefore self-evident. And yet, according to a November 2021 survey by AdvisorSmith, only 17% of American small businesses (generally defined by the U.S. Small Business Administration as having fewer than 1,500 employees and less than $38.5 million in revenue) have cyber insurance. See Adrian Mak, Report: 64% of Small Business Owners Not Familiar With Cyber Insurance, AdvisorSmith (Nov. 30, 2021); Andrew W. Hait, The Majority of U.S. Businesses Have Fewer Than Five Employees, U.S. Census Bureau (Jan. 19, 2021).

Meanwhile, the massive increase in cyberattacks over the last five years has predictably changed the cyber insurance market from one in which insurers raced to gain customers with broad policy language, including the removal of war-exclusion provisions altogether, to one in which rates have dramatically increased, policy language has tightened, and coverage limits have been reduced. According to March Schein of Marsh McLennan, cyber policy rates rose an average of 128% in September 2021 alone, while limits dropped 23%. Stephen Lawton, Experts offer advice on cyber insurance trends, qualifying for coverage, Sophos News (March 25, 2022). To add to this, the Merck decision is likely to factor in insurers’ minds when drafting subsequent policies, ensuring that exclusions and carve-outs are carefully tailored.

In the face of these increased risks, insurers have increasingly required the implementation of baseline risk controls as a condition of coverage, such as enterprise-wide multi-factor authentication. For many small businesses without dedicated security staff, meeting such otherwise reasonable conditions carries implementation costs of its own, leading to the oft-heard refrain of “but it won’t happen to me” and the decision not to obtain cyber insurance.

The proliferation of cyberattacks and the heightened risk brought on by the war in Ukraine therefore underscore the necessity of cyber insurance, but also, importantly, the insured’s need for quick payment to cover remediation, incident response, and regulatory compliance costs. The attribution issues described above consequently put insured small- to medium-sized businesses with an immediate need for cash on a collision course with their insurers, who are unlikely to disclaim coverage outright given the lack of factual clarity, but who may increasingly send reservation-of-rights letters to preserve their position. In short, the only certainty in the near term, for both insured and insurer, will be the lack of certainty, along with the potential for litigation in the long term.

James Vinocur is a partner at Goldberg Segalla.

Opinions expressed here are the author’s own. 
