The most recent ruling in favour of upholding pharmaceutical giant Merck’s insurance claim for the NotPetya malware attack has highlighted to the wider insurance market the need to sustain its valuable efforts to clarify and communicate coverage for cyber risks. And this is true across stand-alone cyber offerings as well as other insurance lines.
The original claim was for $1.4bn. At the time that the appeal was heard in May 2023, the claim value in issue was just under US $700 Million, and involved eight insurers.
Recent discussions with our members found that they have been actively working since before the 2019 PRA statement to clarify potential cyber exposure across a wide range of product lines and take action to account for this. Generally, the recent 2023 Lloyd’s war exclusions in stand-alone cyber are seen as a useful way to provide managed cover there. And innovation still exists through alternative forms of capital to provide cover for cyber catastrophe risk. For example Beazley and Chubb are offering solutions.
The Evolving Cyber Landscape
Regarding the broader question of the threat landscape, since before the start of the war in Ukraine there has been sustained debate about the likelihood of a large-scale, nation-state cyber attack, for example on part of the UK’s critical infrastructure. Some are calling for a particular solution to these potentially significantly disruptive scenarios. On the other hand, others suggest that we should focus on the relatively less catastrophic, but persistent and more widespread economically-driven attacks that make up the majority of issues facing UK businesses and which can significantly weaken the economy. There is also an emerging trend of some market players seeking to break new ground and offer wider coverage for a wider range of threats, outside of Lloyd’s, particularly in the domestic US market. This may be a sign of the softening market and the lack of loss history for new entrants. Nevertheless, the issue of threats and attribution in claims situations requires close consideration, and insurers are more eager than ever to better understand the threat landscape whenever possible.
We can see that the Appellate Division of the Superior Court of New Jersey in the pharmaceutical company Merck case, ruled that the 2017 NotPetya malware attack did not fall under the policy exclusion for "hostile or warlike" acts. The insurers had argued that "hostile" should be interpreted broadly to encompass any action reflecting ill will or a desire to harm. However, the Appellate Division disagreed and upheld the insured's position. The court emphasized that the exclusion clause requires military action or objectives and cannot be stretched to include cyber attacks unrelated to armed conflict.
Implications for the Insurance Industry
War exclusions in insurance policies aim to protect insurers' financial stability by limiting claims resulting from large-scale risks. The court's decision highlights the need for clear exclusion clauses that account for the evolving nature of risks in the modern world.
The decision therefore has potentially significant implications for the insurance industry, particularly in the realm of cyber insurance. Insurers need to carefully consider the potential ramifications of cyber-attacks, including property damage, bodily injury, and death, when crafting policy exclusions or standalone cyber insurance products.
While insurers have been working for a number of years now on improving wordings and clarity of policy coverage, with guidelines and requirements issued by the PRA and Lloyd’s designed to improve certainty, these still remain largely untested. Attribution is inherently difficult. With whom the onus for attribution should lie and the ability to evidence attribution in a clear and defensible way remain concerns, despite improved clarity of policy terms.
Determining the scope of coverage for state-sponsored cyber attacks, the ability to cover for catastrophe and systemic cyber risks and differentiating between cyber war and terrorism pose ongoing challenges for insurers, policyholders and regulators. The evolving cyber landscape necessitates continuous adaptation and a relentless effort to win the battle for greater certainty against an ever-increasing set of uncertain, emerging risks.