Russia Conflict May Test Insurers On Cyber War Exclusions

By Josh Liberatore · 2022-03-02 17:08:15 -0500

Russia's invasion of Ukraine has increased the risk of cyberattacks across the globe, which is likely to put even more pressure on cyber insurers already inundated with claims and further test their ability to mitigate risk through existing policy exclusions for war or hostile acts, according to a new report.

Cyber insurers have more pressure on them as the risk of cyberattacks increases because of Russia's invasion of Ukraine. The proliferation of these attacks is elevated due to the current conflict, according to a new report. (AP Photo/Mindaugas Kulbis)

"The proliferation of potential cyberattacks from well-organized, state-sponsored hackers is elevated given the current conflict," according to the report published by Fitch Ratings on Monday.

That may place even more pressure on cyber insurers that have scrambled in recent years to change their approach to coverage to keep up with the increasing pace of ransomware claims from policyholders.

Insurers have responded to this new environment both by relying on existing policy exclusions and by changing the ways they price and write policies. Both of those strategies may be put to the test as a result of Russia's invasion of Ukraine, the Fitch report predicts.

The potential attacks may "further test the effectiveness of 'war exclusion' and 'hostile act exclusion' language, which has come under greater scrutiny following a recent court ruling that found an insurer liable for losses stemming from the 2017 NotPetya malware attack," the Fitch report warned.

In January, New Jersey Superior Court Judge Thomas J. Walsh ruled that Merck & Co.'s many property insurers couldn't rely on a war-related exclusion to bar the pharma giant's claims for $1.4 billion in losses stemming from the NotPetya attack.

Judge Walsh found that a war exclusion in Merck's policy precluded coverage only for a physical act of warfare and not a malware hack. The potentially broad ruling sent shock waves through the industry, calling into question whether insurers will be able to rely on exclusions for war or hostile acts — a common feature of many policies — to fend off policyholders' claims for cyber coverage, experts have told Law360.

In another high-profile case related to the NotPetya attack, Zurich American Insurance Co. has said it doesn't have to cover Mondelez for $100 million the snack food giant lost in the attack, basing its denial on a policy exclusion for losses or damage resulting directly or indirectly from "a hostile or warlike action in time of peace or war" carried out by a government, sovereign power or military force.

Mondelez has called Zurich's argument "unprecedented," saying that similar war-type exclusions have never been applied to anything other than conventional armed conflicts and so shouldn't be applicable to cybercrimes.

That case is currently pending in Illinois' Cook County Circuit Court. Experts have told Law360 that the court's ruling will likely have a major impact on whether insurers can expect to rely on war-type exclusions to avoid cyber coverage. 

However, the current state of heightened alertness surrounding the possibility of Russian cyber interference could play into insurers' hands as the Ukraine conflict plays out across the globe.

The Cybersecurity and Infrastructure Security Agency recently warned American organizations of possible Russian cyberattacks, and other agencies have since issued similar guidance.

"When we live in an environment where the U.S. government is warning companies so specifically about Russian threats, I think that any threat that looks a little bit like what they published is going to be attributed to the Russians by default," Aaron Charfoos, a partner in the data privacy and cybersecurity practice at Paul Hastings LLP, told Law360.

"I do think that makes it easier for the insurers under those circumstances to try to argue that [cyberattacks] are excluded by the war exclusion," Charfoos said.

Still, with questions surrounding the applicability of those existing exclusions, insurers in recent years have taken steps to rework policy language to specifically account for the growing threat of cybercrime.

In a report published last month, Charfoos and Thomas L. Darby of Paul Hastings noted that Lloyd's of London recently published guidance stating that its policies would exclude most or all losses caused by "cyber war." The insurer defined that term broadly to include all cyberattacks that target critical infrastructure, the attorneys noted.

Since 2019, insurers have also started to clarify policy language to account for "silent cyber" coverage, or instances in which a policy does not explicitly mention cyber risk, according to the Fitch report.

"Firms have addressed silent cyber issues by adopting language that specifically excludes or affirms coverage, or by adopting coverage sublimits, which reduces the benefits of the policies," the Fitch report said. "Growth in standalone coverage will continue to be fueled by policyholder and insurer interest in reducing coverage ambiguity."

Additionally, insurers have "taken significant pricing and underwriting actions," the Fitch report noted. Those include increasing premiums and requiring better "cyber hygiene" from companies, including multifactor authentication.

Those efforts "should help mitigate underwriting losses in the current uncertain environment," according to the report.

Still, cyberinsurance "will have to evolve in kind to keep pace with the drivers of losses," the report warned.

Overall, cyberinsurance still represents a relatively small piece of the pie for large insurers. That should help mitigate potential losses.

"Continued growth in cyber intrusions and ransomware events may pressure the long-term profitability of the cyber insurance market and insurers' internal management of cyber threats. However, negative rating actions tied to cyber underwriting losses remain unlikely," the Fitch report concluded.

"Cyber premiums represent less than 5% of most companies' business mix, with market share held by larger, well-capitalized insurers that cede material portions of the business to reinsurers."

— Additional reporting by Daphne Zhang and Jeff Sistrunk. Editing by Leah Bennett.