
Will Your Insurance Policies Step in After a Cyber-Attack?

Published by Axio

In this part of the blog series on the connection between cybersecurity and insurance, we go through a real-life situation that demonstrates how insurance policies may or may not provide you with the necessary coverage in the event of a cyber-attack.

A Standalone Cyber Insurance Policy Isn’t Enough

As discussed in our previous blog, a standalone cybersecurity insurance policy can cover many types of losses resulting from a cyber event. Hundreds of insurance carriers provide these types of policies with various levels of coverage. However, real-world scenarios demonstrate that cyber risks can impact every single element of the business, especially if a company is heavily reliant on physical assets and infrastructure for generating revenue.

Relying on Other Insurance Policies is Dangerous

An organization may feel it is protected from a cyber event because it has a comprehensive insurance portfolio for property and casualty.

Unfortunately, this assumption has proven to give a false sense of financial control when cyber threats are realized. During the 2017 global NotPetya cyber-attack, many affected organizations ended up incurring losses not covered by their insurance portfolio because of exclusions and clauses in their policies. Often, the financial repercussions were in the hundreds of millions of dollars. A famous example is the financial and tangible impact incurred by the pharmaceutical giant Merck.

According to an article in Insurance Journal titled “Was It an Act of War? That’s Merck Cyber Attack’s $1.3 Billion Insurance Question”:

“The attack crippled more than 30,000 laptop and desktop computers at the global drug maker, as well as 7,500 servers, according to a person familiar with the matter. Sales, manufacturing, and research units were all hit. One researcher told a colleague she’d lost 15 years of her work. A manufacturing facility that supplies vaccines for the U.S. market had ground to a halt.”

“As it turned out, NotPetya’s real targets were half a world away, in Ukraine, which has been in heightened conflict with Russia since 2014. Merck was apparently collateral damage. NotPetya contaminated Merck via a server in its Ukraine office that was running an infected tax software application called M.E.Doc.”

“By the end of 2017, Merck estimated initially in regulatory filings that the malware did $870 million in damages. Among other things, NotPetya also crippled Merck’s production facilities. It couldn’t meet demand that year for Gardasil 9, the leading vaccine against the human papillomavirus, or HPV, which can cause cervical cancer. Merck had to borrow 1.8 million doses—the entire U.S. emergency supply—from the Pediatric National Stockpile. It took Merck 18 months to replenish the cache, valued at $240 million.”

War Exclusion

“Merck did what any of us would do when facing a disaster: It turned to its insurers. After all, through its property policies, the company was covered—after a $150 million deductible—to the tune of $1.75 billion for catastrophic risks including the destruction of computer data, coding, and software. So, it was stunned when most of its 30 insurers and reinsurers denied coverage under those policies. Why? Because Merck’s property policies specifically excluded another class of risk: an act of war.”

“Merck went to court, suing its insurers, including such industry titans as Allianz SE and American International Group Inc., for breach of contract, ultimately claiming $1.3 billion in losses.”

“Until recently, the big worry associated with cyber-attacks was data loss. The NotPetya strike shows how a few hundred lines of malicious code can bring a company to its knees.”

The court proceedings are still ongoing, but the financial repercussions have sent a shockwave through both the insurance and cybersecurity industries. The need for clarity and for removing complexity around cybersecurity and insurance has become a priority. You need to take a step back and think about what exactly is written in your broader insurance portfolio.

The NotPetya malware impacted several of the world’s largest organizations. They endured financial impacts due to paralyzed operations:

  • Merck – $870M
  • FedEx – $400M
  • Maersk – $300M
  • Mondelez – $188M

Your Other Insurance Policies Need to be Understood Scientifically

Do other insurance policies, like property and casualty, protect against cyber risk?

In general, there are three positions an insurer can take in regard to covering a cyber risk:

  1. “Other Insurance” Clause may make professional liability policy primary
  2. It’s not covered (exclusions/clauses)
  3. There’s no clear position (non-affirmative/silence).

The first two positions leave no doubt in the event of a cyber risk being realized. The third position can create problems.

Why Relying on Silent Cyber is Dangerous

The lack of clarity in silent cyber property and casualty policies has led some insured companies to believe that they have adequate coverage for cyber risk.

However, the definition of cyber risk continues to evolve. Non-affirmative (silent) language may end up being subject to different interpretations depending on the insurer. Insured organizations such as Merck have sought coverage under these policies, and often the intervention of the court is required, delaying compensation for loss recovery and business continuity.

Regulators are also concerned with silent cyber because it can represent a significant risk to the strength of a corporate insurance portfolio. For industries in critical infrastructure, manufacturing, and mission-critical services, this can create a much greater level of exposure to systemic risk.

As for the actual insurer, non-affirmative language fails to account for hidden risks and results in inaccurate pricing of policies.

So, What Are Insurers Doing to Address the Issue of Silent Cyber?

Insurers are taking several steps to address silent cyber, some of which are being required by regulators.

Some insurers have made announcements to clarify their intent in regard to coverage. For example, Lloyd's of London told insurers in its market that all new and existing policies must either exclude cyber cover or explicitly include it by 2021.

Clearly, having a clear understanding of your coverage is essential to business recovery and continuity. In the next blog, we go over how organizations can fully comprehend their insurance policies and the exclusions within the entire portfolio.