The Merck Judgment: Implications for cyber insurers and policyholders

A new court ruling could affect cyber insurance policy exclusions and insureds could assume more costs in the event of a loss. The ruling underscores the fact that cyber insurance is no substitute for cyber defense.


In June 2017, a small vulnerability in a Ukrainian accounting software package led to what was possibly one of the most destructive and damaging cyberattacks of all time: NotPetya. One of its most notable victims was U.S.-based pharma giant Merck, which suffered nearly $870 million in damages and $400 million in lost sales as a direct consequence of the attack.

Once the dust settled, Merck filed a property insurance claim. To the company’s surprise, its insurer, Ace Insurance (Ace), did not honor the policy even though Merck’s policy covered “all risks.” Ace argued that because the attack was an “act of war” (by Russia), a U.S. insurer was exempt from covering damages related to such acts of war. In a recent landmark judgment, however, a U.S. appellate court rejected Ace’s arguments and awarded Merck a $1.4 billion payout.

How does this ruling impact insurers?

The underlying message to all insurance carriers is that they must make policy exclusions and conditions crystal clear to customers. Think of it this way: If governments are unable to officially attribute cyberattacks to rogue nations, it is highly unlikely that insurance entities will be able to prove this in courts without the explicit mention of cybersecurity exclusions. Several insurance providers such as Lloyd’s of London have already begun tightening their terms and overhauling contract language.

Cyber insurance is already a high-severity, high-frequency business, but with the judgment, it has become abundantly clear that insurers need to prepare for even higher levels of risk. It is possible that in the coming months, the insurance industry will witness even tighter controls, higher insurance premiums and lower coverage limits. Furthermore, it may even happen that certain businesses (such as critical infrastructure), due to the scale of impact they can have on an economy or particular region, are denied adequate coverage by insurers.

Key takeaways for policyholders

The Merck decision is an important win for policyholders since most insurance policies contain confusing terms like the “act of war” exclusion. The ruling ensures that insurers are more transparent with their exemptions and do not restrict coverage beyond what was already agreed between the parties.

Some takeaways here: First, protect yourself, because the government will not. Insurance is only a fallback strategy. Cybersecurity is too big a problem for governments and regulators to solve alone. Thankfully, with the emergence of cloud computing, security has become more business-friendly, if not more easily accessible. Organizations can commit less to maintaining security hardware and software. They can leverage ransomware-mitigation models like SASE (secure access service edge), which deliver security as a cloud service without significant upfront capital expenditure.

Second, some argue that having cyber insurance increases the likelihood of ransomware victims paying extortionists because, ultimately, their losses will be covered. Evidence suggests that attackers might select victims based on their level of insurance coverage. On the other hand, an insurance policy will mandate that policyholders install specific controls that help shrink the attack surface. In case of an incident or crisis, cyber insurance can mitigate some financial risk and offer resources like advanced security audits during the pre-underwriting stage. Ideally, all this will lead to faster recovery.

With more civilian targets left by their own governments to defend themselves, the cyber insurance market will certainly be interesting to watch. Organizations need to rethink their cybersecurity approaches in line with evolving threats, because better defenses were never about better cyber insurance.

Shlomo Kramer is co-founder and CEO of Cato Networks, a network security company that develops secure access service edge technology. A serial entrepreneur, Kramer co-founded Check Point Software, which created the first commercial firewall, and Imperva, innovator of the web application firewall. Kramer made early investments in highly successful enterprise software companies including Palo Alto Networks, Trusteer, Gong, and many others.
