The possible widescale impact of the Russia-Ukrainian War on cyber policies was explored in a previous Cyber Bulletin. However, how a “War” exclusion may interpret the peril of cyber has some history. A Merck case saw physical damage and interruption from a cyber event amounting to nearly $2 Billion in 2017. How this unfolded provides insight into how courts are interpreting policies and how markets are responding to address ambiguity leading to unintended coverage.
Why is this worth evaluation? Consider the NotPetya ransomware attack on Ukraine by the Russian stated sponsored group, Sandstorm. NotPetya exploited a popular software called MeDoc – Ukraine’s equivalent to TurboTax – as a Trojan Horse and gained undetected access to its customers.
Why does this matter and how does this inform us on cyber as a peril? Merck used MeDoc in the EU, and they were not alone. Other industry giants including an ocean cargo company headquartered in Copenhagen, a food company from Chicago, a consumer goods dealer from England and a shipping magnet from Tennessee.
The attack was so reckless NotPetya ended up infecting Russian companies, including its state oil giant, Rosneft. Total global losses from NotPetya are estimated at $10 Billion, but that figure could be well below the actual devastation caused.
While cyber is not a new coverage, it is far from mature. In the aftermath of NotPetya, the New Jersey Superior Court sided with Merck regarding interpretation of their property policy’s war exclusion. This resulted in a $1.4 Billion award. Since NotPetya, most insurers have made coverage amendments to control or eliminate cyber coverage in the Property policies, as well as many other policies.
Lessons Learned
For more information on how to ensure you are properly covered in the event of a cyber incident, please contact your Conner Strong & Buckelew account representative.
Partner, Senior Account Executive, Underwriting Manager Public Entity Practice
Senior Vice President, Senior Account Executive, Risk Management Enterprise