Although “Acts of War” are often excluded from insurance policies, cyberwarfare typically exists in a different realm. Even though several insurers have declared cyber attacks by state-sponsored actors as acts of war, a recent court ruling found an insurer liable for losses stemming from the 2017 NotPetya malware attack against pharmaceutical giant Merck & Co. In the landmark decision, Merck & Co was awarded $1.4 billion by the New Jersey court.
Until now, one of the issues for insurance underwriters, while addressing state-sponsored cyberattacks, was pinpointing individuals responsible for such attacks—since they are not typically acknowledged by state actors. In the Merck & Co attack, several countries pointed their fingers at Russia, while Russia called the accusations against it groundless.
Merck argued that the attack was ransomware (covered by the policy) in nature— and was still considered a form of extortion. The court agreed with the company that the term “warlike action” refers to a conflict between two or more nations involved in a war. The court also noted that “[n]o court has applied a war (or hostile acts) exclusion to anything close to” a malware attack. It ruled in favor of Merck, indicating that the insurers did nothing to change the language of the exemption to reasonably put the insured on notice that they intended to exclude cyberattacks.
Even if state actors are suspected of carrying out the attacks, courts may still allow policies to be interpreted according to the language used by the insurance companies, but the Merck vs Ace American case became the first major exception.
Ukraine and Russia
Now with Russia’s invasion of Ukraine, the number of cyber incidents has increased significantly. According to authorities, the attacks could affect various sectors of the economy, including financial institutions and infrastructure in most countries.
This leaves the cyber insurance industry to grapple with acts of war exclusion in policies.
To avoid paying on a claim related to a cyber attack under these exclusions, insurance companies will need to concretely prove that the incident was caused by a state-sponsored attack.
The Lloyd’s Market Association’s Cyber Business Panel has recently published four new cyber insurance policies that broaden the protection offered to insurance customers against state-sponsored cyber attacks or cyber war-like scenarios.
As part of their ongoing responsibilities, corporate counsel, chief information officers, and financial officers should regularly review cyber insurance policies. This process should involve assessing the coverage and assessing its effectiveness.
By reviewing their policies and procedures, the CIOs can help guide the board and develop effective policies and procedures. This ensures that their organizations’ security protocols and procedures are aligned with established frameworks and assessments.
At this point, it may well be established that understanding your cybersecurity risks and choosing the best cybersecurity insurance policy is the need of the hour.
We are here to help you take the best route possible for a safe cyber journey.
Steps to Take Before You Get a Cyber Insurance
You must show the insurance service providers that you mean business when it comes to going digital. You need to show them that you have defenses in place, you have a general understanding of the vulnerabilities present, and you have taken proactive steps in place to respond to a breach to reduce exposure and loss.
Incident Response Plan
A cyber insurance policy expects businesses to take a few preliminary steps to analyze and defend against a potential cyberattack. A cyber insurer often conducts comprehensive on-site audits to evaluate your cyber-risk management practices and risk exposure. It is recommended to have a comprehensive Incident Response Plan in place before obtaining cyber insurance. Having this plan often reduces your premium, and you may expect to pay lower deductibles.
Similar to other types of insurance if you fail to take the proper precautions, you can expect to pay more. Here is a quick checklist that we, at Alliant Cybersecurity can help you achieve before you apply for cyber insurance:
- Have adequate cybersecurity testing procedures and audits.
- Have sufficient processes to stay current on new releases and patches.
- Have adequate cyber incident response plans
- Have adequate backup processes and recovery procedures
- Have adequate policies concerning the security of vendors and business partners
- Practice regular quality security software and employee training
- Adherence to a published security standard
Alliant Cybersecurity Advantage
Contact our team at Alliant Cybersecurity now to get a detailed analysis of:
- Your current cyber posture
- Current industry cyber standards
- Steps to improve your cyber posture to reduce premium and increase coverage
- Find or suggest a suitable cyber insurance plan