The recent ruling by the New Jersey Superior Court that Chubb and other insurers need to pay pharmaceutical giant Merck $1.4bn for cyber losses incurred in the 2017 NotPetya attack will make it even more difficult for risk managers to find broad-based cyber cover added to their all-risks property policies.
Chubb argued that the cover was invalidated because NotPetya represented an act of war as it was supposedly instigated by the Russian government against the Ukraine before it spread worldwide.
This attack was one of the main events that persuaded insurers and reinsurers to tackle the so-called ‘silent cyber’ problem. Carriers had offered broad-based coverage to win new business, only to subsequently realise it carried huge potential for systemic losses.
Risk managers around the world have been facing up to more exclusions in their cyber cover, alongside plummeting capacity and spiralling prices, in recent renewals as a result.
The New Jersey court basically ruled that the market-wide move to tackle silent cyber came too late to be applied to the NotPetya incident, and ordered Chubb and the other defendant insurers to pay up. A number of other leading insurers including Allianz had already settled.
Judge Thomas J Walsh found that Merck and its captive insurer are entitled to summary judgment that the ‘hostile or warlike acts’ exclusion is not applicable.
He said the insurers “did nothing to change the language of the exemption to put this insured on notice that it intended to exclude cyberattacks”, according to the AM Best newswire.
It is thought that some 40,000 computers were affected, resulting in more than $1.4bn in losses for Merck. The pharma group and its captive insurer International Indemnity argued they had bought $1.75bn in property insurance to protect against this type of loss.
The ruling said the broad-based all-risks policies did provide coverage for loss or damage resulting from destruction or corruption of computer data and software.
The defendant insurers argued that the policy contained an applicable exclusion because the source of the malware “was an instrument of the Russian Federation as part of its ongoing hostilities against the nation of Ukraine”, reported AM Best.
Merck argued the NotPetya attack was, however, not a state action but a form of ransomware. Even if the attack was instigated by Russia, the exclusion would not apply, the ruling agreed.