March 28, 2024 By Mike Elgan 3 min read

A major shift in how cyber insurance works started with an attack on the pharmaceutical giant Merck. Or did it start somewhere else?

In June 2017, the NotPetya incident hit some 40,000 Merck computers, destroying data and forcing a months-long recovery process. The attack affected thousands of multinational companies, including Mondelēz and Maersk. In total, the malware caused roughly $10 billion in damage.

NotPetya malware exploited two Windows vulnerabilities: EternalBlue, a digital skeleton key leaked from the NSA, and Mimikatz, an exploit that harvested user passwords from Windows machines.

The malware was designed to infect without user action, move laterally inside networks and spread very fast, sometimes taking down networks in less than a minute. Once executed, it would overwrite the master boot record, preventing the infected machine from booting.

A ransom note demanded payment for decryption, but there was no mechanism or plan for decrypting anything. The note's purpose was to convince victims they had been hit by ransomware. In fact, NotPetya existed only to destroy data, with no path to recovery.

Merck v. Ace American

Merck estimated that the attack cost $1.4 billion. Those costs included a temporary loss of production capacity, as well as the cost of equipment and new IT hiring necessary to recover.

Merck had a $1.75 billion “all-risk” insurance policy with Ace American. But the insurer rejected the claim, saying that because NotPetya originated in the Russia/Ukraine war, the “Acts of War” exclusion clause meant it didn’t have to pay.

Merck sued Ace American in November 2019. Their case centered mainly on the argument that the attack was not the result of an official state action and that Merck was a mere bystander outside the theater of conflict. New Jersey Superior Court judge Thomas J. Walsh found for Merck.

Ace American appealed, and the state appellate court found that the war exclusion clause in insurance policies — which excludes coverage for losses caused by hostile or warlike actions by governments — did not apply in this case.

Merck and its insurers reached a confidential settlement on January 5, 2024.

Other major companies went through similar legal scenarios and also settled, albeit likely for smaller amounts.

The battle over war exclusions

The outcome of the case was neither entirely predictable nor necessarily intuitive. NotPetya itself is widely believed to have begun in a war — attributed to the Russian government (specifically the Sandworm hacking group within Russian military intelligence) and initiated in Ukraine for the assumed purpose of furthering Russia’s aims in that conflict.

Though probably an act of cyber war, the attack then spread outside Ukraine to machines globally, causing what might be described as collateral damage.

Cyber insurance policies typically contain war exclusion clauses. For example, the Lloyd’s Market Association (LMA) has published guidance on cyber war exclusion clauses. That guidance recommends that the exclusion should not apply to cyber operations conducted by nation-states outside an actual hot war under certain circumstances: for example, if the cyberattack took place outside the theater of conflict, or if the business wasn’t the intended target.

The court’s ruling was consistent with Lloyd’s guidance, finding that the war exclusion clause did not apply to the circumstances of the NotPetya attack.

Still, the ruling was significant. Some of the most sophisticated and damaging cyberattacks are the result of actions by nation-states to attack rivals or enemies. If insurance companies can’t use standard war exclusion clauses for these damaging, state-sponsored cyberattacks, they’ll need to adjust policies, raise prices or both going forward.

The latest change in a fast-changing industry

The cyber insurance landscape has been in flux for at least a decade. As a result of increasingly costly cyberattacks, insurance customers have been hit with rising premiums, stricter underwriting requirements and narrowed coverage.

These changes have come about because of a wide variety of trends in the cyberattack landscape, including the ransomware trends of a few years ago.

Global cyber insurance premiums have risen from under $5 billion in 2018 to an estimated $18 billion this year, according to the Swiss Re Institute.

Companies have been required to get their cybersecurity houses in order under increasingly strict guidelines just to get coverage at all. Insurance companies are taking longer to approve who they cover and are becoming more selective.

Coverage is narrowing in part through a rising number of exclusions that void coverage under certain circumstances (and the “war exclusion” was a big one).

The Merck settlement has focused industry attention on the challenges of defining war exclusions in cyber insurance policies. Insurance companies are likely to further tighten language, especially for war exclusion — a trend that had already begun in 2022.

And it’s shifted attention among buyers of insurance as well. Companies will need to take a hard look at exclusions, waiting periods, policy limits and other factors when considering an insurance provider. Another important element is to estimate whether a company might be victimized or targeted as the result of geopolitical events and consider how exclusions may leave them without payouts should serious state-sponsored cyberattacks occur.

And above all, focus on actual cybersecurity — especially automation tools and AI.

While Merck and related lawsuits and settlements are likely to make a material contribution to changes in the costs, policies, exclusions and limits of cybersecurity insurance, the greater contributing factor is the increasing sophistication and costliness of cyberattacks generally.
