The Russia-Ukraine war has spiked cybersecurity concerns. As companies internally question digital defense adequacy, insurance provides a popular mitigation fallback against breach-related losses. Yet, surprising to many policyholders, a recent court ruling may soon undercut wartime cyber claims.

In January 2022, Merck won a $1.4 billion judgment against Ace Insurance related to a 2017 NotPetya malware attack which damaged 40,000 company computers. Ace denied Merck’s claim on the basis that ransomware was excluded under rarely-invoked “act of war” exemptions. The court ruled against Ace, prompting prominent insurers to swiftly revise policy coverage terms related to cyber losses.

Narrowed coverage with escalated cyber risk increases financial exposure — that rarely sits well with boards. Such rising liability demands that CIOs, CFOs and legal counsel scrutinize cyberinsurance — or chance far less coverage than expected.

Risk shift

Malware, such as NotPetya, often reaches far beyond intended targets. When cyber victims seek compensation, it’s often nearly impossible to identify and sue perpetrators. That’s a big driver of cyberinsurance coverage demand and pricing.

Law firm Reed Smith cautions that Merck’s case is “a warning to policyholders in the market for new insurance or upcoming renewals. Insurers have been taking major financial hits on claims related to cyberattacks and are likely to continue to review and scrutinize policy language with renewed urgency.” It didn’t take long.

Lloyd’s Market Association’s (LMA) Cyber Business Panel recently published four cyberinsurance policy exclusion clauses, which significantly broaden insurers’ protection against “cyber operations” launched by governments or surrogates. These evolving terms parallel emerging cybersecurity insurance legal precedents.

Chaim Saiman, professor at the Villanova University Charles Widger School of Law, explained, “The Merck case highlights how new cyberwar/terror risks stress the traditional conception of war found in policies. While the insurers argued that the policy excludes coverage for ‘hostile or warlike’ actions, which historically are acts by governments or sovereign powers using ‘military forces’ — not cyberattacks.”

“Insurance case law tends to favor a definition of ‘war’ drawn from international law which is somewhat narrower than usage common to journalistic and political settings,” Saiman added. “Because the exclusion primarily envisions a shooting war, courts stress that it only applies to damage sustained at or near the zone of conflict. This makes it a difficult fit as applied to cyberwarfare.”

Saiman predicts as a result, carriers will “continue working to fully exclude cyber coverage from standard-issue casualty and liability policies and shift these risks towards specially-designed policies where the pricing, limits, language and exclusions are uniquely attuned to the complexities raised by cyber risk.”

With rising geo-political risks and tech reliance, that warrants executive attention.

Next moves

Boards’ cyber concerns and checklists are long and growing. Here are three practical ways that CIOs can prepare for inevitable cyberinsurance questions.

First, immediately and going forward quarterly, CIOs, CFOs and corporate counsel should thoroughly review cyberinsurance policies. Utilizing a template crafted with board input, these periodic reviews should document coverage changes, assess insurance adequacy, consider alternatives and leverage external expertise.

Reed Smith advises that the Merck v. Ace ruling should motivate policyholders to “work with trusted brokers, risk management professionals and coverage counsel to evaluate policy language” as “the ‘act of war’ exclusion is but one of many terms that are surely drawing fresh scrutiny from the insurance industry.”

Second, CIOs should record how cybersecurity protocols, controls testing and breach responses align with external frameworks and assessments established by credible organizations such as the U.S. National Institute for Standards and Technology (NIST). Such documentation will inform the board and guide IT organization policies and procedures, as well as streamlining annual tech audits.

Importantly, such files provide insurers and courts evidence of reasonable efforts often needed to obtain coverage and submit claims. For example, Chubb allows policyholders a 45-day grace period to patch software security weaknesses identified as “common vulnerabilities and exposures” within NIST’s database.

Notably, Chubb’s “neglected software exploit endorsement” indicates that beyond the 45-day grace period, “risk-sharing incrementally shifts to the policyholder” if the vulnerability is not resolved as time advances. In boardrooms, CIOs’ credibility will crumble if IT cannot meet such logical insurer minimums.

Last, the Securities and Exchange Commission is moving rapidly to require better corporate cybersecurity disclosure. In the next year, CFOs, audit committees and regulators will be relying greatly upon CIO input, data and perspectives on cyber controls, breach response protocols and potential exposure. Cyberinsurance assessments will inevitably be critical to such disclosure and future reporting.

Tackling timely insurance assessments, protocol validation and disclosure plans will jumpstart CIOs’ efforts to ease common board, CEO and CFO cyber concerns.

No safety net

Escalating digital threats are driving cyberinsurance premiums up at a record pace. Unfortunately, when cyber defenses fail many insured will find no coverage and just costly, futile legal battles. That’s a gaping cybersecurity hole that no board can tolerate. Who’s reading the fine print before it’s too late?