Insurance for cyberattacks has been a thriving business, but insurers are concerned about the risk of large losses as a result of Russia’s invasion of Ukraine. They’re hurrying to close a possible loophole that exposes them.
Companies wanted to protect themselves from the expenses of ransomware and computer infections that may destroy their operations, and sales of cyber insurance more than doubled last year to almost $15 billion.
These policies, like most others, provide exceptions for acts of war. The goal is to insulate insurers from claims related to cyberattacks perpetrated by governments, their armies, or third-party contractors.
Last year, though, a judge in New Jersey pierced that restriction with a finding that essentially stated that a common acts-of-war exclusion does not encompass cyberattacks. Insurers are now looking into methods to toughen up that language in future contracts, fearing that cyberattack claims under existing insurance stemming from Russia’s invasion could damage them.
The invasion of Ukraine, according to Fitch Ratings, “has increased the risk of cyberattacks and potential claim costs” for insurers, who may “further test the effectiveness of ‘war exclusion’ and ‘hostile act exclusion’ language,” which has already been under review since the judgement.
In the conflict so far, there have been no major cyberattacks. However, the Kremlin has the financial means to carry them out, and vigilante hackers on both sides of the battle have added to the digital chaos.
Merck & Co., a pharmaceutical company, claimed in the New Jersey case that a 2017 cyberattack cost them $1.4 billion. Merck’s claim was denied by nearly three dozen of the company’s property insurers, citing war exclusions. The crisis was caused by a cyberattack known as NotPetya, which started with a cyberattack against a Ukrainian accounting firm and spread to other organizations’ computer networks all over the world. The event was blamed on Russian military hackers, according to the White House, and was described as the most costly and damaging cyberattack ever.
The judge ruled against the insurers, claiming that their exclusions covered war and hostile acts but not cyberattacks, despite the fact that such attacks had been on the rise for years.
The judge concluded, “Merck had every right to anticipate that the exclusions applied only to traditional forms of warfare.”
Some insurers have reached an agreement with Merck, while others have filed an appeal.
To protect themselves from cyberattacks during conflict, insurers are using two approaches. The verdict “undermines the insurance market’s ability to underwrite cyber risk,” according to the American Property Casualty Insurance Association, by burdening insurers with “far-reaching liability from hostile nation-state cyberattacks they never accepted.”
Because the stakes are larger, insurers are becoming more picky than ever about the clients they accept or renew, looking for solid network security. “It’s a very onerous process for an insured today to buy cyber insurance,” according to Henry Clark, head of professional and executive risks at Australian broker Honan Insurance Group.
The second option is for those in the insurance business to rewrite the long-standing war exclusions. However, they must exercise caution because if they are overly wide, firms would refuse to purchase the coverage.
The Lloyd’s Market Association, a trade body, offered new phrasing in November, but only a few Lloyd’s syndicates have accepted it to date, according to Thomas Reagan, cyber practice head at Marsh McLennan Cos. “Excessively broad and unacceptably ambiguous exclusions” are causing anxiety among brokers and policyholders, he said.
Emails addressed to the association and Lloyd’s seeking comment on the phrasing were not returned.
Cyber insurance can be purchased separately or as part of a larger package, and covers expenditures such as repairing a breach, restoring data, notifying customers, and monitoring their credit. Terms can be very different.
Due to a surge in ransomware assaults, the cyber product hasn’t been as profitable as it once was, necessitating recent pricing increases to cover the increased costs. According to Marsh, premiums increased by an average of 130 percent in the United States and 92 percent in the United Kingdom in the fourth quarter compared to the previous year.
Companies “might be paying multiples more for the coverage they received two or three years ago, if they can find that coverage at all,” according to Mark Dwelle, an analyst at RBC Capital Markets.
Image Credit: Getty
You were reading: A common acts-of-war exclusion doesn’t apply here