Rise in Cyber-Related Claims Has Insurers on High Alert
The conflict between Russia and Ukraine could increase cyber-related insurance and reinsurance claims within Europe and North America, according to recent reporting. A note from global credit ratings business DBRS Morningstar says there could be a rise in “cyber-related claims, despite war exclusions, due to the difficulty in attributing attacks.”
DBRS Morningstar wrote: “Although acts of war (declared or not) are typically excluded from cyber insurance policies, in DBRS Morningstar’s view, the current conflict could potentially increase cyber-related insurance and reinsurance claims in Europe and North America, as attribution can be very difficult to determine in cyber incidents. To deny a cyber-related claim in this context, insurance and reinsurance companies will need to demonstrate beyond reasonable doubt that the claim in question is not related to a state-sponsored attack or performed by a group acting as a proxy of a belligerent government.”
DBRS Morningstar expects this to increase litigation costs for the insurance industry as policyholders resort to taking claims to court.
The authors wrote: “Most property and casualty insurance products specifically exclude war, or only cover it in a very limited set of circumstances. Cyber insurance policies typically follow the same approach and do not cover cyber losses resulting from war or hostile acts. In practice, attributing cyberattacks to state actors, or their proxies, has proven to be extremely challenging because cyber warfare operations are typically not publicly acknowledged by the aggressor. Even in cases where a state actor can be strongly suspected of having caused a cyber incident, legal courts might not side with insurers, particularly if existing policy language is subject to interpretation.”
Pharma company Merck recently sued over war exclusion language in its insurance contract. DBRS Morningstar wrote: “[…] the New Jersey Superior Court ruled in favour of Merck & Co., Inc. (Merck), the U.S. pharmaceutical giant, which suffered losses of $1.4 billion in a NotPetya malware attack in 2017. At that time, the insurance claim was denied based on a war exclusion clause in Merck’s policy. However, the New Jersey Superior Court decided that the war exclusion language was not applicable in this case as it could be interpreted to apply to ‘traditional’ or ‘kinetic’ war.”
It added: “A number of denied claims from the NotPetya attack are still going through courts to decide whether the suspected Russian cyberattack is covered or not based on the war exclusion clause.”
The role of war exclusion wordings around cyberattacks is an increasingly important exposure not just for corporate entities but also for the very entities that insure them. Fitch Ratings said last week that these wordings would be tested by Russian cyberattacks, while CyberCube has advised that portfolios containing a lot of Eastern European business be stress-tested. AM Best has even said recently that the potential for cyberattacks is likely to have a ‘substantial impact’ on the world’s insurance industry.