Insurance giant settles NotPetya lawsuit, signaling game-changer for cyber insurance

written by Suzanne Smalley

Zurich’s settlement last week in a $100 million lawsuit over whether it should cover the losses Mondelez International suffered from NotPetya is very likely to reshape the entire cyber insurance market.

Zurich initially denied claims from Mondelez after the malware, which caused around $10 billion in damages worldwide by experts’ estimates, wreaked havoc on the company’s computer network. The insurance company claimed an act of war exemption because it is widely believed that Russian military hackers used NotPetya against Ukrainian companies before it spread around the world.

But now it is becoming increasingly clear that insurance companies are not off the hook for covering losses from NotPetya and other attacks with clear links to nation-state hackers.

That’s because, in this case, it wasn’t an act of war that Mondelez and many other companies endured, but “collateral damage” in a much larger cyber conflict that had nothing to do with them, according to the Strategic International Issues Institute.

“We need to rethink what warfare means in cyberspace [for] insurance,” said Lewis. “The current definition comes from the 19th century, when pirates, naval forces and privateers existed.”

Last week’s ruling in favor of Mondelez comes after a January ruling in a New Jersey court that favored global pharmaceutical company Merck in a similar case. The company’s insurer initially refused to pay damages from NotPetya. Merck claimed losses of $1.4 billion. The insurance company is appealing the judgment.

The New Jersey ruling may not have set a binding precedent, but it “showed how judges and juries would view Zurich’s arguments,” said Josephine Wolff, associate professor of cybersecurity policy at Tufts University’s Fletcher School of Law and Diplomacy and author of “Cyber Insurance Policy: Rethinking Risk in the Era of Ransomware, Computer Fraud, Data Breaches, and Cyberattacks.”

The Merck and Mondelez incidents involved the exact same set of circumstances and “have not, at least so far, been interpreted as an act of war,” she said. “I don’t think we’ll stop fighting to deny compensation for cyberattacks, but I think we will change our strategy regarding that by creating new exclusions and moving away from claiming these attacks are ‘warlike’ acts.”

Insurers used the NotPetya episode to test how courts decide cyber coverage issues. Wolff said that NotPetya was widely believed to be the work of the Russian government, giving the industry a “very powerful opportunity” to set a legal precedent limiting its liability in such cases.

Now, she expects insurance companies to be more outspoken about the fact that they won’t cover acts of cyberwarfare, or that they will limit payments for NotPetya-type incidents in the future.

Already, Lloyd’s of London has said it will stop covering specific cyberattacks next year. The Register reported that the company’s director of underwriting, Tony Chaudhry, wrote in a memo that because of the “systemic risks,” policies should include “appropriate clauses that exclude liability for losses arising from state-sponsored cyberattacks.”

Ari Schwartz, managing director of cybersecurity services at Washington state law firm Venable LLP, said: “It started to become a more mature insurance market … [where] they don’t just pay all bills.”

Schwartz said many factors contribute to whether NotPetya should be considered an act of war, including whether the damage could have been prevented by patches or other “corrective measures that make it appear that it is not actually an act of war.” The timing of the attack and the speed of the company’s response are also important factors.

In September, the Treasury Department asked for industry input on whether it should provide “support for the cyber insurance market,” FedScoop reported, and is “considering policy measures such as creating a backstop program for cyber insurance risk, similar to the Terrorism Risk Insurance Program, which was created after 9/11 to allow Wall Street to continue to provide property insurance, including coverage for damages from an act of terrorism.”

FedScoop also noted the rising cost of cyber insurance, with total insurance premium costs growing 75% year-over-year to $4.8 billion in 2021, according to data from rating agency AM Best. “In its June report, the agency noted that the number of complaints filed in the U.S. cyber market has ballooned from 22,000 the year before and about 6,000 in 2016 to about 26,000 in 2021.”

Although the cyber insurance market is still evolving, Davis Hake, vice president of policy at cyber underwriter Resilience Insurance, said the market has matured since the first NotPetya attacks in 2017. He said, “Coverage has improved clarity and reliability [for] clients who purchase dedicated cyber insurance.”

Simply put, insurers are becoming more transparent. The judge who ruled against the insurers in the Merck case pointed that out too.

“Both parties to this agreement recognize that various forms of cyber-attacks are sometimes from private sources and sometimes from nation-states,” New Jersey Superior Court Judge Thomas Walsh said. “Nevertheless, the insurer did nothing to change the wording of the exemption to reasonably notify the insured of its intention to exclude cyberattacks.”
