Skip to Content

Cyber Attacks Won’t Be insurable, According to Zurich Chief Executive

Cyber attacks have been a growing issue for insurance companies. As a result of the rising numbers, many insurers have been limiting their exposure to the risk, which has driven up the prices. Insurers also claim not to be liable for hacks carried out by “state actors” or foreign governments. Nevertheless, no consensus has yet emerged on how to define cyberwar, or what constitutes an attack.

One of the most significant attacks in recent history, the NotPetya cyberstrike, was carried out by a nation-state, causing widespread disruptions throughout Ukraine and threatening to spread to the UK and other countries. The attack crippled networks in Ukraine, including the country’s tax software maker and the Danish shipping conglomerate Maersk. At the same time, the Russian military intelligence agency allegedly launched the attack.

Several hundred of the companies affected by the NotPetya cyberstrike sued insurers. While the case is still ongoing in Illinois Circuit Court for Cook County, the results of the lawsuit could have ripple effects on the insurance industry as a whole.

Many insurers have cited “war exclusions” in their policies, which exclude coverage from any costs incurred by an insurer due to war-related expenses. However, in many cases, these exclusions are limited, and they do not apply to the cyberstrike.

Specifically, insurers have argued that the United States government did not sponsor the NotPetya attack, which was carried out by the Russian military intelligence agency. This alleged state sponsorship of the cyberstrike ties to an ongoing conflict with the Ukrainian government, and has prompted a number of policy-related discussions.

When the NotPetya attack was launched, several of Merck’s insurers, including Zurich, sought to limit their liability by citing a war exemption clause. But the insurers were denied because the war exclusion language applies to all forms of armed conflict.

It took a few weeks for Mondelez to recover from the attack, but the company had a financial hit of over $100 million. And the company’s employees lost access to their corporate network. All of this put a strain on the business, with a number of employees unable to work.

Ultimately, the company settled with its insurers. But the case will be a reminder to insurers of the need to include cyber exclusions in their policies.

Some of the insurers involved in the case, such as Aetna and Lloyd’s of London, have defended their move by saying that it is necessary to keep systemic risks from cyberattacks under control. Nevertheless, the case raises a question: will such an exception make cyberattacks uninsurable?

While the answer may vary, the issue is important to policyholders because it will add another layer of uncertainty to the insurance conversation. Insurers will have to justify why they have decided to decline claims, and they can be vulnerable to litigation if they refuse to provide an adequate explanation. Moreover, it may take years for the case to be resolved, which makes the conversation more urgent.

Cyberattacks will continue to be a concern for businesses, and insurance companies will have to find a way to protect their customers from the risk. Those companies that do not have adequate cyber defenses will face a more difficult time obtaining coverage, and the cost of cyber insurance will increase.

Leave a comment

Your email address will not be published. Required fields are marked *