Would my cyber insurance policy cover losses due to NotPetya? It’s one important type of question to ask your insurance provider each time before renewal.
The answer from the New Jersey Superior Court for Merck was yes. The War or Hostile Acts exclusion in their policy did not apply and Ace American Insurance Company must pay the $1.4B insurance claim. This result is likely to be appealed.
Before ICS asset owners and other companies looking to transfer cyber risk cheer, the ruling essentially said that Ace American needed to write a better exclusion if this was not to be covered.
despite being “aware that cyber attacks…from private sources and sometimes nation-states have become more common… , Insures did nothing to change the language of the exemption to reasonably put this insured on notice that it intended to exclude cyber attacks”.
Another reason to be pessimistic about future coverage is this case dealt with an all-risk property damage policy. A war or hostile act exclusion might have been upheld if this was a cyber insurance policy.
The response we are already seeing is insurers adding in new and more encompassing exclusions to insurance policies for cyber incidents. Last November Lloyd’s Market Association provided four new cyber war exclusions for potential use by insurers.
These new definitions, exclusions and some wild swings in rates are to be expected in a new insurance market. I’m still bullish that in 3 – 5 years cyber insurance will play a role in cyber risk management (this is the S4x22 Great Debate Topic). Still this ruling and the growing number of exclusions requires some hard questions before you pay that premium, unless you are doing it solely to cover reputational risk so you can say you had cyber insurance.
Some questions I would ask and preferably want the response in writing:
- Would this policy cover a loss due to NotPetya or similar attack attributed to a nation state actor where our company was collateral damage (not a direct target of the attack)?
- Would this policy cover a loss to due to the Solarwinds vulnerability before it was known and a patch available?
If the answer to these questions is no, then the company is essentially self-insured for these incidents. This type of incident is expected to grow and can be the most difficult to prevent, certainly the case with Solarwinds. If we have to self insure against the hard to stop and potential large impact events, shouldn’t we be able to self-insure against the criminal or other attacks that might be covered. Of course, the rate and coverage would play a role in the decision.
The other area to question is are we covered if our security program is not perfect. If it does not meet an answer that was given in the questionnaire we answered and submitted. For example Colonial Pipeline had two-factor remote access for employees and contractors, but they missed a system. I noted in an earlier article that my Professional Liability Insurance had exclusions for incidents caused by exploits of high profile vulnerabilities with patches. Would an attacker who leveraged a cyber asset missing a key patch match an exclusion?
I’m looking forward to getting some cyber insurance experts on the Unsolicited Response show because there are so many questions.