Imagine it: 7,500 servers, 30,000 computers, $870 million in damages, and a $1.3 billion lawsuit. These numbers are just a fraction of the destruction caused by the NotPetya cyber attack in 2017. In fact, they are the damages at just one company—Merck & Co.
This widespread cyber attack caused massive damage and huge losses for government agencies, private institutions, and industries across the globe. It also created losses and uncertainty for the insurance industry.
This “silent cyber” uncertainty is one that has forced both insurance carriers and buyers to take extra precautions regarding their portfolio of insurance policies. But what exactly is silent cyber? And how is it affecting the coverage afforded to companies throughout their insurance portfolio, especially in the coming year?
The Looming Threat of Silent Cyber
Silent cyber risk refers to cyber-related losses that can be claimed under traditional property and liability policies that were never written with cyber attacks in mind. These policies do not reference cyber risk at all, neither affirming nor excluding coverage, and thus remain “silent” on the exposure.
Because such policies neither explicitly cover nor explicitly exclude losses caused by cyber attacks, insurers may end up paying for cyber losses they never underwrote or priced.
One particularly devastating instance of silent cyber occurred in 2017, when pharmaceutical giant Merck & Co. was hit by NotPetya, a destructive malware attack that the United States and United Kingdom later attributed to the Russian military intelligence service (GRU). NotPetya was aimed at Ukraine, which was then in armed conflict with Russia, and was seeded through a compromised update to M.E.Doc, a Ukrainian accounting package. But it was also a self-propagating worm: inside a network it spread using the EternalBlue SMB exploit (MS17-010) and stolen Windows credentials, so it jumped far beyond its intended targets and onto Merck’s systems.
NotPetya was styled as ransomware but behaved as a wiper: it encrypted the master file table and overwrote the master boot record, so infected machines could not boot and could not be recovered by paying. That brought the whole of Merck’s production to a halt, and the company initially estimated its losses at $870 million by the end of 2017. Merck was able to collect on its cyber liability policy, but the policy limits fell well short of the total loss.
Merck also submitted the loss to its property insurance tower. When that claim was denied, with the insurers pointing to the policies’ war exclusion in light of the attack’s attribution to a nation-state, Merck sued its property insurers for breach of contract, claiming a total of $1.3 billion in losses.
NotPetya also inflicted heavy losses on other multinationals, including FedEx (through its TNT Express subsidiary), Maersk, and Mondelēz, giving traditional insurance carriers even more cause for concern.
The Problem with Relying on Traditional Insurance
Prior to 2017, few anticipated that malware could cause such debilitating effects, least of all underwriters. Traditional property underwriters had certainly discussed cyber risk, and occasionally wrote vague language into policies that provided some limited coverage for the effects of a cyber attack.
But if you had asked a property underwriter a few years ago where cyber risk ranked among the loss types that concerned them most, it would likely have ranked near the bottom. Few could imagine the destruction a powerful cyber attack would cause. And if you had asked how much of their pricing was attributed to the threat of cyber losses, many would have said none.
What happens when a truly catastrophic risk that is neither fully appreciated nor priced appropriately produces an unforeseen claim? Too often, the answer is a declination letter from the carrier, followed by a bad-faith lawsuit from the insurance buyer.
What Does This Mean for Insurance Holders?
As the old insurance saying goes, “silence is coverage.” Ambiguity in an insurance policy is typically construed in favor of the insurance buyer, because the carrier authored the contract wording and is therefore responsible for the clarity of coverage (the legal doctrine known as contra proferentem).
In one recent case involving ambiguous policy language and cyber risk, a Maryland company found that ambiguity in its business owners’ policy (BOP) worked in its favor to cover the effects of a ransomware attack.
National Ink & Stitch, LLC suffered a ransomware attack in December 2016 that caused $310,000 of damage to the data and software it stored electronically, as well as to its physical hardware. It held a small BOP that covered “direct physical loss of or damage to” property, including an endorsement that expanded the definition of covered property to include “electronic media and records.”
When it submitted its claim, however, State Auto Property & Casualty Insurance Company declined it, citing a lack of direct physical loss or damage.
National Ink & Stitch ultimately sued the insurer. In January 2020, more than three years after the incident, a federal judge in Maryland ruled in its favor, holding that the loss of use and functionality of its computer system was covered “direct physical loss or damage,” and that the company should be reimbursed for the loss it experienced in 2016.
Silent No More
The NotPetya cyber attack brought the threat of silent cyber to the forefront of industry minds, and the recent decision in National Ink & Stitch v. State Auto Property & Casualty Insurance Company has further caught the attention of major players in the insurance industry.
AIG has released a statement on the silent cyber threat, saying it will address the issue by affirmatively covering or excluding cyber risk in “virtually all” of its commercial property and casualty policies by 2020.
Meanwhile, Lloyd’s of London has mandated that all Lloyd’s syndicates write policies that clearly state whether cyber risk is affirmatively covered or excluded, phased in by line of business from January 2020, to avoid silent cyber complications.
Indeed, the future of cyber risk in the insurance industry is not silent. Changes will be applied to existing traditional policies, such as property and casualty policies, throughout 2020. As the silent cyber ambiguity in traditional policies recedes, buyers should look to a dedicated cyber insurance policy to transfer their cyber risk. To learn more, read our Cyber Liability Insurance Buying Guide.
Both the Merck and National Ink & Stitch cases make the value of, and need for, a dedicated cyber insurance policy clear. Merck did collect from its cyber insurance carriers. And while National Ink & Stitch ultimately collected under its BOP, it had to take its carrier to court to do so, more than three years after it experienced the loss.
Had National Ink & Stitch held a dedicated cyber insurance policy, that policy would likely have paid out the ransomware loss, including IT forensics costs, any ransom payment, and potentially the replacement cost of physical devices that were “bricked,” much sooner and without the company having to go to court. You can learn more in our Cyber Basics insight, Cyber Insurance 101: What Does Cyber Insurance Cover?
As the insurance market moves toward explicitly stating its intent on cyber risk, buyers are increasingly finding value in a dedicated cyber insurance policy.