War in Ukraine has insurers worried about cyber policies
Cyber insurance sales more than doubled last year to around $15 billion as companies seek to protect against the costs of ransomware and computer viruses that could cripple their operations.
Like most insurance policies, these include exclusions for acts of war. The aim is to protect insurers against claims related to cyberattacks by governments, their armies or groups working for them.
But a New Jersey judge punched a hole in that exclusion last year in a ruling that essentially said a common exclusion for acts of war does not cover cyberattacks. Now, insurers are exploring ways to strengthen that language in future contracts, fearing they could be hit by claims related to cyberattacks under existing policies stemming from the Russian invasion.
Fitch Ratings warned in a March 1 note that the invasion of Ukraine “has increased the risk of cyberattacks and potential claims costs” for insurers who can “further test the effectiveness of the language” of exclusion from war “and of” exclusion of hostile act “”, already under control since the judgment.
So far, there have been no major cyberattacks during the war. But the Kremlin has the wherewithal to launch them, while hackers on both sides of the conflict have wreaked havoc on the digital front.
In the New Jersey case, drugmaker Merck & Co. claimed it suffered $1.4 billion in losses from a cyberattack in 2017. Its nearly three dozen property insurers denied the claim of Merck, citing wartime exclusions. The incident stemmed from a cyberattack known as NotPetya, which targeted a Ukrainian accounting firm and spread indiscriminately to computer networks of other organizations around the world. The White House attributed the incident to Russian military hackers, calling it the costliest and most destructive cyber attack of all time.
In his ruling against the insurers, the judge said their exclusions related to war and acts of hostility, but not cyberattacks, although such attacks have been on the rise for years.
“Merck had every right to anticipate that the exclusions applied only to traditional forms of warfare,” the judge wrote.
Some insurers have settled with Merck and others have appealed the decision.
Insurers take two paths to protect themselves from cyberattacks in times of war. In its appeal, the trade group American Property Casualty Insurance Association said the decision “undermines the ability of the insurance market to underwrite cyber risk” by burdening insurers with “extensive liability in the event of hostile cyberattacks from ‘Nation-states they never accepted’.
With risk higher, insurers are more selective than ever about which customers they will accept or renew, in search of robust network security. “It’s a very expensive process for an insured today to buy cyber insurance,” said Henry Clark, head of professional and executive risks at Australian broker Honan Insurance Group.
The second way is an effort by some in the insurance industry to reformulate long-standing wartime exclusions. But they have to be careful because if they’re too broad, companies won’t buy the coverage.
The Lloyd’s Market Association, a trade group, proposed new wording in November, but very few Lloyd’s unions have adopted it so far, said Thomas Reagan, head of cyber practice at the Marsh brokerage unit. by Marsh McLennan Cos. broad exclusions and unacceptable ambiguity,” he said.
Representatives for the association and Lloyd’s did not respond to emails seeking comment on the wording.
Cyber insurance can be a stand-alone policy or part of a larger coverage package, covering things like the costs of repairing a breach, restoring data, customer reviews, and monitoring their credit. Terms can vary widely. Chubb Ltd., American International Group Inc. and Travelers Cos. are among the biggest sellers in terms of market share. They declined to comment.
The cyber product has not been as profitable as before due to increasing ransomware attacks, which has led to recent price increases to meet the higher costs. Premiums rose an average of 130% in the US and 92% in the UK in the fourth quarter compared to the year-ago period, according to Marsh.
Combined with more policy restrictions, companies “could pay multiples more for the coverage they received two or three years ago, if they can find that coverage,” said RBC Capital Markets analyst Mark Dwelle. .
Never miss a story! Stay connected and informed with Mint. Download our app now!!