Insurance policies

Cyber ​​insurance policies could be tested by Russian attacks, rating firm warns

Credit ratings giant Fitch said on Tuesday that cyberattacks linked to Russia’s invasion of Ukraine could be a test for language commonly used in cyber insurance policies that excludes damage caused by acts of war.

The language of “war exclusion” and “hostile act exclusion” has become a hotly debated topic in the cyber insurance world over the past few years. The clauses have a long history in the fields of property, life and other types of coverage, and aim to prevent insurance companies from being liable for events they could not afford to pay for. . But cyberattacks — which can be difficult to attribute and are used more liberally than rocket fire and other traditional weapons — present many gray areas.

NotPetya, a 2017 wiper attack that caused billions of dollars in damage and has been linked to Russian hackers, has prompted many insurers to clarify their language about what is covered and what isn’t. is not. Last December, a New Jersey court ruled in favor of pharmaceutical company Merck in a lawsuit against its insurer, which refused to cover $1.4 billion in losses caused by NotPetya. In this case, Merck had a $1.75 billion “all risk” insurance policy that covered software-related data loss events, but its insurer refused to cover the loss, arguing that the attack was an act of war.

The New Jersey Superior Court sided with Merck, which argued that the language of the clause limited the exclusions to acts of official government agencies and did not specifically mention cybersecurity-related events.

Although Fitch said the lawsuit and pressure from regulators has caused a shift in the language of exclusion from war – which could potentially mitigate the losses of the current conflict – an increase in nation-state cyberattackers could be a test. for many policies.

“The proliferation of potential cyberattacks from well-organized, state-sponsored hackers is high given the current conflict,” Fitch said.

Adam is the founding editor of The Record by Recorded Future. He was previously a cybersecurity and privacy reporter for Protocol, and before that, he covered cybersecurity, AI, and other emerging technologies for the Wall Street Journal.