Cyber-attacks are becoming “uninsurable” due to their increasing disruption, Mario Greco, the CEO of insurer Zurich, told the Financial Times. A closer look at the Cyber Insurance events that unfurled in the past twelve months shows that Zurich is not the first insurer to adopt that stand. And certainly, not the last.

Insurance executives have been increasingly concerned about risks such as pandemics and climate change, which have caused natural catastrophe-related claims to be expected to surpass $100 billion for the second year in a row.

However, Greco argued that the bigger risk to watch is cyber-attacks, which have the potential to disrupt vital infrastructure and disrupt society.

Russia, Ukraine, and the cybersecurity landscape

In recent years, rising cyber losses have led insurers to take emergency measures, such as raising prices and altering policies to have clients retain more losses, in order to limit their exposure.

Zurich American Insurance last month settled with Cadbury’s owner Mondelez International over the insurer’s refusal to cover the US-based company’s $100-million-plus loss following the 2017 NotPetya outbreak. German pharmaceutical business Merck in January won a lawsuit the company filed against its insurer, Ace American, which declined to cover the losses caused by the NotPetya ransomware attack.

While Merck was hailed as a landmark case, Mondelez is likely to become the last of the million-dollar Cyber Insurance lawsuits. In between these two verdicts, a major event happened that changed the landscape of cyber insurance: the Russian invasion of Ukraine.

Merck and NotPetya

Data on more than 40,000 Merck systems was lost as a result of the NotPetya event, which occurred in June 2017 and affected hundreds of businesses worldwide. Merck assessed the loss at $1.4 billion, which included a loss from lost production, expenses for hiring IT specialists, and expenses for purchasing new equipment to replace all impacted systems.

A $1.75 billion “all-risk” insurance policy that included software-related data loss incidents was in place at the time for the corporation. However, insurer Ace American argued that the NotPetya assault was a component of Russian hostilities against Ukraine and, as such, was covered by the typical “Acts of War” exclusion provision that is contained in most insurance contracts.

Merck sued Ace American in November 2019, claiming that the Acts of War clause should not apply since the attack was not “an official state action”. The exclusion provision, according to Merck’s legal team, should not apply to their client since it contained language that restricted the Acts of War to legitimate government organisations and did not expressly identify cyber-related incidents.

The Wired magazine, which analysed the malware and its path in detail, declared that “​​the release of NotPetya was an act of cyberwar by almost any definition,” adding fuel to the insurer’s claim.

Judge Thomas J. Walsh of the New Jersey Superior Court ruled on January 13 that Merck’s insurers cannot rely on the war exclusion since its language is intended to apply to armed conflict. Despite a pattern of assaults by nations like Russia against private sector corporations, the ruling observed that insurers didn’t amend the war wording to “put on notice” companies like Merck that cyberattacks wouldn’t be covered.

Meanwhile, in Ukraine

Two months later, Russia invaded Ukraine. In the first global conflict where the internet became a battleground, Russia intensified its long-standing campaign of cyberattacks against Ukraine to unforeseen levels. In retaliation, the West and an army of volunteers boosted the Ukrainian cyberattack capabilities.

Russian state-sponsored threat groups began to target the critical infrastructure of Ukraine’s allies. Take the case of Italy. While cyberattacks were common in that country, the scores were nowhere near that of the US or its European peers Germany and the UK. The numbers spiked after Italy extended its support to Ukraine in the ongoing war against Russia.

“The ever-increasing threat landscape due to the Russia-Ukraine conflict has fundamentally transformed the attack surface due to frequently disclosed vulnerabilities and exposures. Meanwhile, the increasing complexity of tools and techniques adopted by the threat actors has revealed the gaps in the cybersecurity infrastructure of Italian organizations and entities,” said a Cyble advisory about cyber-attacks on Italy.

Italy’s foreign minister disclosed in September that the cyber-attacks on western European companies, and Italy in particular, have risen following the Russian invasion of Ukraine. The statement came after state-sponsored hackers started targeting energy companies in Italy that month.

Attacks mounted, and so did the moves to claim insurance for cyberattacks. Insurers, on the other hand, began preparation to minimise cyber insurance coverage.

Insurance and hospital gowns…

What’s common in insurance and hospital gowns? They never cover you fully! This business joke is a harsh reality when it comes to cyber insurance. In August, Lloyd’s of London announced that all standalone cyber insurance policies underwritten by members of Lloyd’s marketplace from March 2023, “must exclude liability for losses arising from any state-backed cyberattack”.

Cyberattack coverage “if not managed properly… has the potential to expose the market to systemic risks that syndicates could struggle to manage,” the corporate body told its members.

Lloyd’s of London, generally known simply as Lloyd’s, is an insurance and reinsurance market located in London, England. Unlike most of its competitors in the industry, it is not an insurance company; rather, Lloyd’s is a corporate umbrella body of insurers.

Lloyds members are spread across 50 leading insurance companies, over 350 registered brokers and a global network of over 4,000 cover holder offices. They pay out close to £60,000 in claims per minute.

On the other hand, attack surface was growing as global organizations rolled out more applications, wrote more code, hired more remote workers, and connected more physical systems to networks.

Warren Buffett was the first business leader to warn about the potential, big-ticket harm for the insurance industry.

“Cyber is uncharted territory. It’s going to get worse, not better,” he said at the Berkshire Hathaway 2018 Annual Shareholders Meeting. “There’s a very material risk which didn’t exist 10 or 15 years ago and will be much more intense as the years go along.”

Buffett stated that he doesn’t want Berkshire’s insurance operations to have a lot of underwriting exposure to cybersecurity issues. He pointed out that while the corporation does a “pretty good idea” of estimating the likelihood of earthquakes in California and hurricanes in Florida, it does not do so for dangers from computer hacking. No insurance provider can evaluate the risk of cybersecurity-related incidents accurately, he added.

With the unprecedented hike in cyberattacks post COVID, the risk for insurers was becoming larger.

Mondelez and NotPetya

Meanwhile, the Mondelez lawsuit was going on in the US. The global food and confectionery business sued Zurich insurance in 2018 after it refused to cover the NotPetya damages. By then, governments including the US, the UK, Canada, and Australia had issued coordinated statements attributing NotPetya to the Russian government.

“It was perhaps the most extensively and authoritatively attributed cyberattack ever, especially in the context of breaches which often give rise to disagreements about attribution and how definitively it can be performed,” said an analysis of the Mondelez case by The Brookings Institution, a US-based non-profit public policy organization.

However, the general consensus was that most cyber intrusions and breaches are perpetrated by governments, and if all of those are viewed as being beyond the purview of cyber insurance coverage then cyber insurance could become largely useless for many policyholders dealing with a wide range of incidents from espionage to ransomware.

“If Mondelez wins that means insurers will either have to cover a much broader range of cyberattacks or rewrite their coverage to exclude new categories of damages that go beyond warlike actions,” the Broking report continued.

“On the other hand, if Zurich wins the case, then policyholders may decide that there’s little point in purchasing cyber insurance, forcing insurers to craft new language for their policies to reassure customers that at least some government-sponsored cyberattacks will still be covered.”

Mondelez argued vigorously that its cybersecurity policy covered all sorts of events. NotPetya damaged 1,700 of its servers and 24,000 laptops, leaving staff unable to use systems, applications, and data.

“As a result of the damage caused both to its hardware and operational software systems, MDLZ incurred property damage, commercial supply and distribution disruptions, unfulfilled customer orders, reduced margins, and other covered losses aggregating well in excess of $100,000,000,” according to court documents filed by Mondelez.

Is there no respite?

When insurance businesses started offering cybersecurity coverage, the scale of damage perceived was negligible and the premiums were cheap. NotPetya was an eye-opener, and the Russian invasion gave a taste of what cyberwarfare can cause.

If global cyber insurers follow Lloyd’s nation-state exclusion’s governments will have to step in and offer some kind of cyber insurance scheme. There is also a possibility of mass consumer movement which might bring changes to insurance policies and cyber attribution.

The US Treasury published a request for comment on questions related to cyber insurance and cyber incidents. “Cyber insurance is a significant risk-transfer mechanism, and the insurance industry has an important role to play in strengthening cyber hygiene and building resiliency,” said the announcement.

The fact remains that even the governing bodies fall under huge cyber risks. The Cyber Express found out in November that the Insurance Regulatory Authority of India (IRDAI) faced a ransomware attack, in which crucial data of insurance companies were accessed by threat actors.

It is a given that there will be at least one catastrophic cyber incident that would cause insurance firms to go bankrupt. Perhaps before that, either a government reform or a consumer revolt will happen.