The settlement last week in a $100 million lawsuit over whether insurance giant Zurich should cover losses Mondelez International suffered from NotPetya may very well reshape the entire cyber insurance marketplace.
Zurich initially denied Mondelez’s claims after the malware, which experts estimate caused some $10 billion in damage globally, wreaked havoc on the company’s networks. The insurer invoked an act-of-war exclusion, since it is widely believed that Russian military hackers unleashed NotPetya on a Ukrainian company before it spread around the world.
Now, however, it’s increasingly clear insurers aren’t off the hook for NotPetya payouts or from covering losses from other attacks with clear links to nation-state hackers.
That’s because in this case, what Mondelez and many other corporations endured was not an act of war, but “collateral damage” in a much larger cyberconflict that had nothing to do with them, said James Lewis, director of the Strategic Technologies Program at the Center for Strategic and International Studies.
“We’re going to need to rethink what act of war means in cyberspace when it comes to insurance,” said Lewis. “The current definitions come out of the 19th century when we had pirates, navies and privateers.”
Last week’s Mondelez settlement follows a January ruling in a New Jersey court that sided with the global pharmaceutical company Merck in a similar case. Merck’s insurers had initially refused to pay for damages from NotPetya; Merck claimed losses of $1.4 billion. The insurers are appealing the ruling.
While the New Jersey ruling may not have set a binding precedent, “it was certainly an indication of how judges and juries might view Zurich’s argument,” said Josephine Wolff, an associate professor of cybersecurity policy at the Fletcher School of Law and Diplomacy at Tufts University and author of “Cyberinsurance Policy: Rethinking Risk in an Age of Ransomware, Computer Fraud, Data Breaches, and Cyberattacks.”
The Merck and Mondelez cases involved the exact same set of circumstances, which were “not being interpreted, at least so far, as an act of war,” she said. “I don’t think insurers will stop fighting to deny coverage for large state-backed cyberattacks, but I think they will shift the strategy for how they do it by writing new exclusions and moving away from arguing that these attacks are ‘warlike’ acts.”
Insurers seized on the NotPetya episode to test how courts would rule on cyber coverage questions, particularly when so much evidence points to one particular nation-state actor. Because NotPetya was widely attributed to the Russian government, it gave the industry a “really strong opportunity” to set legal precedent limiting its responsibility in such cases, Wolff said.
Now, she expects insurers to be much more upfront that they will not cover acts of cyberwar, or to cap payouts for NotPetya-type incidents in the future.
Already, Lloyd’s of London said it will stop covering certain cyberattacks next year. The Register reported that the company’s underwriting director Tony Chaudhry wrote in a memo that due to “systematic risk” policies should include “a suitable clause excluding liability for losses arising from any state-backed cyberattack.”
“Over time the risks have gotten larger and more people have gotten larger amounts of insurance,” said Ari Schwartz, managing director of cybersecurity services at the Washington law firm Venable LLP. “It started to become a more mature insurance marketplace … [where] they’re not just going to pay every claim.”
Schwartz said many factors bear on whether NotPetya should be considered an act of war, including whether the damage could have been prevented with patching or other “remedial steps which make it seem like it’s not really an act of war.” Timing of the attack and how quickly the company reacts are also key factors. Patching status is not a hypothetical in NotPetya’s case: one of the ways the malware spread was the SMB vulnerability Microsoft had patched in MS17-010 some three months before the outbreak, so an insurer can argue that an unpatched victim’s loss owed as much to its own exposure as to the attacker.
In September, the Treasury Department asked for industry input on whether it should provide any “support for the cyber insurance market,” FedScoop reported. It is exploring policy measures such as “the creation of a backstop program for cyber insurance risk akin to the Terrorism Risk Insurance Program, which was created after 9/11 to allow Wall Street to continue to offer property insurance policies that include coverage for damage caused by acts of terrorism.”
FedScoop also noted the rising cost of cyber insurance and that the total cost of premiums increased 75% to $4.8 billion in 2021 compared to the previous year, according to data from the ratings agency A.M. Best. “In a June report, the agency noted that the number of reported claims in the U.S. cyber market had swelled to nearly 26,000 during 2021, up from 22,000 in the prior year, and about 6,000 in 2016.”
Although the cyber insurance market is still evolving, Davis Hake, vice president of policy for the cyber underwriter Resilience Insurance, said it has matured since the initial 2017 NotPetya attack. There is “improved coverage clarity and confidence [for] clients in purchasing dedicated cyber insurance.”
Put more simply, insurers are being pushed to spell out what they will and will not cover. The judge who ruled against the insurers in the Merck case made the same point from the other direction, faulting them for not having done so already.
“Both parties to this contract are aware that cyber attacks of various forms, sometimes from private sources and sometimes from nation states, have become more common,” New Jersey Superior Court Judge Thomas Walsh said in his opinion. “Despite this, insurers did nothing to change the language of the exemption to reasonably put the insured on notice that it intended to exclude cyber attacks.”