ABSTRACT: Cyber-risk is a source of opportunity but also of uncertainty for traditional property and civil liability insurance policies. Cyber-insurance emerged to prevent silent cyber. We analyse the implications of the NotPetya case for the future of the insurance and reinsurance market in Spain.
The emergence of a relentlessly expanding “cyber-universe” is a source of opportunity, but it also creates a number of uncertainties that herald a “revolution” in the insurance world: cyber-risks are forcing insurance and reinsurance companies to introduce significant changes in different branches and at different stages of the insurance cycle, from underwriting, claims handling and the daily management of policies to the calculation of premiums and reinsurance itself.
Cyber-insurance has burst into a market where known risks tend to be insured. Cyber-risks, for their part, tend to seek accommodation in existing policies, which weren’t designed for them. These cyber-risks, unknown at the time of underwriting or simply uninsured, are known as silent cyber.
Silent cyber is a source of ambiguity and conflict between insurer and insured, with far-reaching implications.
As we anticipated in our article of December 2019, “Cyber-risk and cyber-insurance: the necessary uncertainty”, the main damage related to silent cyber is loss of profits resulting from the shutdown of business, own damage (loss of data, hardware…) and other consequential damages.
Given the kind of damage that cyber-risks cause, property and civil liability policies will suffer most from the effects of silent cyber, because those policies cover the loss of earnings arising from the cessation or shutdown of activities. The current scenario is therefore one of policyholders/insureds asking their property or civil liability insurers to cover damages arising from a “cyber-claim”.
This was the context of the ransomware NotPetya in 2017.
Ransomware is software that takes data hostage, i.e. software expressly designed to block access to data until a ransom is paid.
On 27 June 2017, NotPetya (a refined version of the already known Petya) infected the server of the pharmaceutical company Merck & Co. in Ukraine and soon spread to over 30,000 computers and 7,500 company servers all around the world. Companies such as Mondelez, WPP, FedEx and Maersk also suffered the consequences of NotPetya.
Among other consequences, NotPetya brought the business of the pharmaceutical giant Merck & Co. to a halt; once the crisis had been handled, the company’s damages amounted to US$1.3 billion between loss of data, hardware and earnings arising from interrupted production. The ransom requested per blocked device amounted to 300 dollars in bitcoin.
NotPetya wasn’t aimed at Merck & Co.’s production activity. According to several intelligence agencies, NotPetya was aimed at Ukrainian financial and governmental institutions, within the logic of an armed conflict between the Russian Federation and Ukraine that is still unresolved today. At this point, it should be noted that it is technically very difficult to know the actual origin of a cyber-attack; in fact, some Russian strategic companies also suffered the consequences of NotPetya, and the Russian Government has always denied authorship of the attack.
From the insurance point of view, the point of interest is that the pharmaceutical company Merck & Co. claimed damages amounting to US$1.3 billion from different insurance and reinsurance companies (over 30). On Merck & Co.’s construction, the damages caused by NotPetya were attributable to its property policies.
Merck & Co.’s insurance companies refused coverage, deeming the damages suffered a consequence of “acts of war” and, therefore, within the traditional coverage exclusion (damages due to war, revolution, terrorism, extreme climate events…).
The dispute was set and, given the size of the damages caused by NotPetya, compromise was impossible. A New Jersey court will now decide on the construction of the “acts of war” coverage exclusion that most property or civil liability policies contain.
In this sense, can a cyber-attack be deemed an “act of war”? Is it possible to hold, in a global context, that those hit by the side effects of a cyber-attack (collateral victims) are also victims of an “act of war”? Can a company be deemed a victim of a cyber-attack when it is not the target (collateral victim)? Or can only the targeted company be deemed “cyber-attacked”?
This is no trivial matter. Silent cyber might be allocated to the property policy if we completely decontextualize the source of the damage or if, as the company states, there is no evidence that Merck & Co. was a collateral victim of a cyber-attack that got out of hand.
Conversely, assuming that property and civil liability insurers must cover massive damages caused by ransomware in a war context would mean allocating damages for which no premium has been paid to a policy that is not designed to handle the potentially catastrophic effects of cyber-risks. At this point, one must ask whether allocating a “cyber-claim” to a property or civil liability policy makes sense, since cyber-insurance is (already) available in the market.
In view of the above, the NotPetya case is an insurance drama that won’t end well, either for Merck & Co. or for the pool of insurers and reinsurers.
Should the New Jersey court decide to allocate silent cyber to Merck & Co.’s property or civil liability policies, it would trigger a real revolution in the insurance industry, forcing premiums to be recalculated given the risk that the scenario described is repeated elsewhere, for a similar or even higher amount.
At the Insurance Law Department of Belzuz Abogados, S.L.P., we recommend minimising at all costs the effects of silent cyber and reducing every ambiguity when underwriting a property or civil liability policy: either limited cyber-risk coverage is taken out, so that the premium can be adjusted and made competitive for the market, or the cyber-risk coverage exclusion is specified and a separate cyber-insurance policy is taken out. Only in this way will conflicts between policyholder/insured and insurer be avoided and insurance peace return to the market.
AUTHOR: Ian Pérez López. Lawyer. Insurance Law Department, BELZUZ ABOGADOS, S.L.P.
Cyber-risk and cyber-insurance (I): Cyber-risk and cyber-insurance in Spain: the necessary uncertainty.