...in a case which also shines a light on the industry’s so-called legacy “silent” cyber exposures.
Late last week, a New Jersey state court ruled Merck’s property insurers could not rely on a standard ISO war exclusion clause to exclude damage from the 2017 NotPetya cyber attack, which caused ~$1bn of physical and business interruption losses to the pharmaceutical firm after infecting its computer systems.
The infamous NotPetya virus was one of the most damaging cyber attacks when judged by the scale of its impact. Emerging in Ukraine, Russia was widely accused of orchestrating the attack although it has not admitted responsibility.
Merck estimated the attack had cost it – and its captive insurer International Indemnity – circa $1bn of losses and claimed on its $1.3bn+ global property program led by subsidiaries of Chubb.
While a small number of insurers on the program settled in the intervening years – including Munich Re, CNA Hardy Syndicate 382, Allianz and Mitsui Sumitomo – most carriers aligned with Chubb and disputed coverage, relying on a war exclusion clause.
Lloyd’s syndicates involved included: Atrium 609, Argo 1200, Axis 1686, QBE 1886 and 5555, CV Starr 1919, Barbican (Arch) 1955, XL Catlin 2003, Canopius 4444, Liberty Mutual 4472 and Lloyd’s consortium 9536.
However, the New Jersey court ruled last week that even assuming the attack could be considered a cyber “hostile act” the exclusion did not apply to cyber events.
“It is also self-evident, of course, that both parties to this contract are aware that cyber attacks of various forms, sometimes from private sources and sometimes from nation-states have become more common.
“Despite this, insurers did nothing to change the language of the exemption [sic] to reasonably put this insured on notice that it intended to exclude cyber attacks. Clearly they had the ability to do so. Having failed to change the policy language Merck had every right to anticipate that the exclusion applied only to traditional forms of warfare,” ruled the court.
The dispute also highlighted that only a few insurers – such as XL – had imposed wordings in their property coverage which sub-limited exposures for cyber.
Silent cyber is the term coined in the industry for its inadvertent coverage given to potential cyber loss in property programs because of a failure to add exclusionary wordings and despite not explicitly charging an additional premium for the cover.
Since the NotPetya attack, the “affirmative” cyber insurance sector has grown to a $7bn+ global market.
NotPetya has been previously pegged by PCS as the industry’s worst cyber loss, with estimated losses in the region of $3bn.
In addition to its large property claim, Merck is understood to have separately claimed on its AIG-led $275mn affirmative cyber program.
Merck and its captive initially sued 33 insurers and reinsurers in August 2018 (see table) for denying coverage relating to damages from the June 2017 NotPetya attack.
In the years since the attack, (re)insurers have amended their wordings in property and all-risk cat programs to specifically exclude or sub-limit cyber exposures.
At time of going to press, it is unclear whether insurers were considering appealing the decision.
The Insurer comment
The judgment may of course be appealed. In the meantime, however, it is a (very expensive) reminder of why the industry was correct to tackle the so-called silent cyber phenomenon…
For continued access to market leading content click here to enquire about a subscription to The Insurer - your company may already have a corporate subscription in place...
Scan here to download the app