Cyber Insurers Redefine State-Sponsored Attacks as an Act of War Amidst Legal Concerns

The U.S. government says that the consequences of NotPetya were the result of a Russian cyberattack on Ukraine in 2017. Those consequences continue to be felt as cyber insurers alter coverage exclusions and further extend the definition of an “act of war.” One can conclude that the 5-year-old cyberattack seems to be reshaping the cyber insurance industry.

Mondelez, the parent company of brands like Cadbury, Oreo, Ritz, and Triscuit, was impacted by NotPetya: its manufacturing factories and production were interrupted, and it took days for the company's staff to regain control of their computer systems. The business filed a claim for $100 million in losses with Zurich American, its property and liability insurer. Zurich, after initially agreeing to pay a portion of the claim ($10 million), later withheld payment, claiming the attack was an act of war and hence not covered by the policy. Mondelez then initiated legal action.

Mondelez and Zurich American later allegedly reached agreement on the original claim of $100 million, but not until after Merck's $1.4 billion lawsuit against Ace American Insurance Company over its NotPetya-related damages had succeeded in January 2022. Merck's claims did not pertain to a cyber insurance policy, but rather to its property and casualty policy.

Back in 2017, while cyber insurance was still a budding idea, several large companies filed claims for NotPetya, an attack estimated to have caused $10 billion in damage worldwide, against their property and casualty policies.

What Has Changed? 

Before the COVID-19 pandemic, until 2020, cyber insurance policies were sold in much the same way as a typical home or auto policy, with little concern for the policyholder's cybersecurity profile, the tools it used to secure and defend its network and data, or its general cyber hygiene.

But after numerous ransomware attacks hit organizations with lax cybersecurity, insurance carriers eventually started changing the requirements for acquiring such policies, says Alla Valente, senior analyst at Forrester Research.

Today, the business model for cyber insurance differs substantially from that of other policies, making the cyber insurance policies of 2017 obsolete.

What is an “Act of War”? 

Every sort of insurance policy, including cyber insurance policies, has a "War Exclusion." A war exclusion clause generally says that no damages resulting from hostile or warlike activities by a state or its agents are covered. Usually, this exclusion applies to a “hot war,” like the one we have witnessed in Ukraine in recent times. However, courts are beginning to consider cyberattacks as potential acts of war, even without a declaration of war, land troops, aircraft, or any physical battlefield. According to the carriers, state-sponsored attacks themselves constitute a war footing.

The terms of cyber policies from Lloyd's of London will change in April 2023 to exclude liability losses brought on by state-sponsored cyberattacks. As stated by Tony Chaudhry, Lloyd’s underwriting director, in a Market Bulletin published in August 2022, "Lloyd's remains strongly supportive of the writing of cyber-attack cover but recognizes also that cyber-related business continues to be an evolving risk. If not managed properly it has the potential to expose the market to systemic risks that syndicates could struggle to manage."

In this regard, Forrester's Valente notes that businesses may have to set aside large cash reserves in case they ever face a state-sponsored attack. If the insurance carriers succeed in arguing in court that a state-sponsored attack is, by definition, an act of war, no business will have coverage unless it specifically negotiates the removal of the exclusion into its contract.

Scott Godes, partner and co-chair of the Insurance Recovery and Counseling Practice and the Data Security & Privacy practice at District of Columbia law firm Barnes & Thornburg, says that, when purchasing cyber insurance, "it is worth having a detailed conversation with the broker to compare so-called 'war exclusions' and determining whether there are carriers offering more favorable terms."

"Unfortunately, litigation over this issue is another example of carriers trying to tilt the playing field in their favor by taking premium, restricting coverage, and fighting over ambiguous terms," he adds.