Russian Cyber Attacks May Test Insurer War Exclusion Policy Language

March 4, 2022

The Russian invasion of Ukraine has increased the risk of cyber attacks and potential claim costs for property/casualty insurers globally that offer cyber coverage, the majority of which is underwritten in North America. Such attacks may also further test the effectiveness of “war exclusion” and “hostile act exclusion” language, which has come under greater scrutiny following a recent court ruling that found an insurer liable for losses stemming from the 2017 NotPetya malware attack.

Nonetheless, larger insurers have taken significant pricing and underwriting actions in response to rising cyber claims in recent years, including tightened contract language, which should help mitigate underwriting losses in the current uncertain environment, Fitch Ratings says.

The NotPetya malware attack was largely attributed to Russian-linked hackers, with short- and long-term spillover effects and billions of dollars in losses for global firms. Merck suffered notable losses of $1.4 billion; however, the claim was denied citing the policy’s “all risk” language. Cyber policies for U.S. P/C insurers have typically included “war exclusion” or “hostile act exclusion” language, similar to P/C exclusionary language found in other property lines of business, stipulating that insurers cannot defend against acts of war.

However, a recent ruling in New Jersey by a Union County State Superior Court judge concluded that Merck was entitled to summary judgment because the war exclusion language was not applicable. The ruling indicated that the contract language of the insurance policy had been virtually unchanged for many years despite the evolving and increasingly common threat of cyber attacks, which can emanate from not only nation states but also covert, nefarious private sources.

Compounding the problem is the inability to properly identify the perpetrator of an attack as cyber criminals have expertise in concealing their identities. Often early indications of attack origins are false flags. Digital forensics can take years to complete and still remain ambiguous.

The court ruled that because the insurer failed to change the policy language, Merck had every right to anticipate that the exclusion applied only to traditional forms of warfare. The insurer was at fault for failing to change the language or to notify the insured party that losses from cyber attacks were not covered.

Due to rising cyber-related claims, the recent ruling and pressure from the Prudential Regulatory Authority, insurers started to clarify cyber policy language further in 2019 for “silent cyber” coverage, where a policy does not explicitly include or exclude cyber risk. Firms have addressed silent cyber issues by adopting language that specifically excludes or affirms coverage, or by adopting coverage sublimits, which reduces the benefits of the policies. Growth in standalone coverage will continue to be fueled by policyholder and insurer interest in reducing coverage ambiguity.

The proliferation of potential cyber attacks from well-organized, state-sponsored hackers is elevated given the current conflict. Other P/C lines that may be affected include political risk and trade credit, property, marine, cargo and aviation.

Increased ransomware events have caused elevated losses; cyber insurance companies have responded by increasing premiums and requiring better cyber hygiene from policyholders, such as multifactor authentication. This should help mitigate potential losses from the current conflict, but cyber insurance will have to evolve in kind to keep pace with the drivers of losses.

Continued growth in cyber intrusions and ransomware events may pressure the long-term profitability of the cyber insurance market and insurers’ internal management of cyber threats. However, negative rating actions tied to cyber underwriting losses remain unlikely. Cyber premiums represent less than 5 percent of most companies’ business mix, with market share held by larger, well-capitalized insurers that cede material portions of the business to reinsurers.

Source: Fitch Ratings