Insurance for cyberattacks has been a booming business, but Russia’s invasion of Ukraine has insurers sweating about the possibility of big losses. They are rushing to plug a possible loophole that leaves them vulnerable.
Sales of cyber insurance more than doubled last year to about $15 billion as companies sought to protect themselves from the costs of ransomware and computer viruses that could cripple their operations.
Like most insurance policies, these have exclusions for acts of war. The aim is to protect insurers from claims tied to cyberattacks by governments, their militaries or groups that work for them.
But a judge in New Jersey poked a hole in that exclusion last year in a ruling that essentially said a common acts-of-war exclusion doesn’t cover cyberattacks. Now, insurers are exploring ways to toughen up that language in future contracts, amid concerns that they could get hit by cyberattack claims under existing policies stemming from Russia’s invasion.
Fitch Ratings cautioned in a March 1 note that the invasion of Ukraine “has increased the risk of cyberattacks and potential claim costs” for insurers that may “further test the effectiveness of ‘war exclusion’ and ‘hostile act exclusion’ language,” already under scrutiny since the ruling.
So far there have been no major cyberattacks in the war. But the Kremlin has the wherewithal to launch them, while vigilante hackers on both sides of the conflict have added confusion to the digital front.
In the New Jersey case, drugmaker Merck & Co. alleged it suffered $1.4 billion in losses from a 2017 cyberattack. Its nearly three dozen property insurers rejected Merck’s claim, citing war exclusions. The incident stemmed from a cyberattack known as NotPetya, which targeted a Ukrainian accounting firm and jumped indiscriminately to other organizations’ computer networks around the world. The White House attributed the incident to Russian military hackers, calling it the most costly and destructive cyberattack ever.
In ruling against the insurers, the judge said that their exclusions addressed war and hostile acts, but not cyberattacks—though such attacks had been rising for years.
“Merck had every right to anticipate that the exclusions applied only to traditional forms of warfare,” the judge wrote.
Some insurers have settled with Merck and others have appealed the ruling.
Insurers are going down two paths to protect themselves from wartime cyberattacks. In their appeal, trade group American Property Casualty Insurance Association said the ruling “undermines the insurance market’s ability to underwrite cyber risk” by burdening insurers with “far-reaching liability from hostile nation-state cyberattacks they never accepted.”
With the risk higher, insurers are being more selective than ever about the clients they will take on or renew, looking for robust network security. “It’s a very onerous process for an insured today to buy cyber insurance,” said Henry Clark, head of professional and executive risks at Australian broker Honan Insurance Group.
The second path is an effort by some in the insurance industry to reword the longstanding war exclusions. But insurers need to be careful, because if the exclusions are too broad, businesses won’t buy the coverage.
Lloyd’s Market Association, a trade group, in November proposed new wording, but very few Lloyd’s syndicates have adopted it to date, said Thomas Reagan, cyber practice leader at the Marsh brokerage unit of Marsh McLennan Cos. Brokers and policyholders are concerned about “excessively broad and unacceptably ambiguous exclusions,” he said.
Representatives for the association and Lloyd’s didn’t respond to emails seeking comment on the wording.
Cyber insurance can be a stand-alone policy or part of a wider coverage package, addressing such things as costs to fix a breach, restore data, notify customers and monitor their credit. Terms can vary widely. Chubb Ltd., American International Group Inc., and Travelers Cos. are among the biggest sellers by market share. They declined to comment.
The cyber product hasn’t been as profitable as it used to be due to growing ransomware attacks, prompting recent rate increases to address the higher costs. Premiums rose by an average of 130% in the U.S. and 92% in the U.K. in the fourth quarter from the year-earlier period, according to Marsh.
Combined with more policy restrictions, companies “might be paying multiples more for the coverage they received two or three years ago, if they can find that coverage at all,” said Mark Dwelle, an analyst at RBC Capital Markets.