.png)
Nothing like frustrating news on a Monday morning to start a cold week.
Since Friday, several stories arose noting the dramatic increase in the cost of cybersecurity insurance. On Saturday, BleepingComputer reported that an Illinois School District saw a 334% spike in their cybersecurity insurance cost, which purportedly correlates to the number of attacks against their networks and the vulnerabilities therein. In November 2021, an Australian reporter claimed that cybersecurity premiums are estimated to top $34 billion by 2031. More news confirming the continued spike in cybersecurity insurance costs is forthcoming.
On January 13, 2021, a New Jersey Superior Court ruled in an insured’s favor in a claim against its cybersecurity insurance carrier for coverage. The insured, Merck & Co., sought insurance coverage for approximately $1.4 Billion in losses because of a 2017 NotPetya malware attack. According to court documents, the source of the malware was Russian Intelligence, resulting in damage to 40,000 computers.
Prior to the attack, Merck’s previously purchased $1.75 Billion in property insurance, with an “all risks” provision that provided coverage from loss or damages arising from the corruption of computer data and software. The insurer, Ace American Insurance denied coverage, claiming that the “Hostile/Warlike Action” exclusion under the policy precluded any coverage obligation. Clinging to the intelligence showing that an arm of the government of Russia deployed the NotPetya malware, likely as part of an on-going aggression involving Ukraine, Ace American’s argument fell short.
The Court ruled that “under the plain meaning of the language in the exclusion…no court has applied [a war or hostile acts] exclusion to anything remotely close to the facts herein.” The language of the “Hostile/Warlike Action” exclusion remained the same over several decades and if the insurance company wanted cyber-attacks to fall under the exclusion, the language should be changed “to reasonably put this insured on notice that it intended to exclude cyber-attacks.”
While this case is a win for Merck and other insureds, the win is short-lived. With the frequency and intensity of cyber-attacks escalating each year, the lack of U.S.-based workforce capable of adequately defending against network intrusions, there was little incentive for cyber insurance premiums to stagnate or decline. Now, with a major and well-established exclusion found inapplicable to cyber attacks (even those orchestrated by nation states), insurers are further encouraged to raise premiums and deductibles to mitigate inevitable losses.
For businesses of any size, cyber insurance remains critical – particularly as the teleworking trend appears capable of outliving pandemic. Unless and until cyber insurance becomes government-subsidized akin to the National Flood Insurance program, it is imperative to routinely (annually, biannually, quarterly) assess internal cybersecurity posture through a third-party expert, remediate problems in descending order of the scope of the vulnerability, seek simple networking solutions, and employ legal assistance in mitigating risks of attacks both virtually and in the courtroom.
According to Harvard Business Review, “Cyber risks will persist and evolve, and companies will need to manage that risk, including securing insurance protection. Because of the imminent and frequent cyber threat and the lack of historical experience as an industry — remember, the sector is still in its infancy — there is no easy way to fix the market.”