Blog / Good News For Cyberinsurance Clients
Cyberinsurance clients can trust their policies to protect them again.
Insurance providers have long included act of war clauses in policies of all sorts, including life and property insurance, and now, they’re hitting their cyberinsurance clients with them. Of course, in the physical world it’s fairly easy to say whether an attack is or is not an act of war or terrorism. Did your house start on fire because of a faulty furnace or a rocket launched across the border? Did a family member perish because of an unexpected heart attack or serving overseas? Though all are terrible situations, the distinctions seems pretty obvious.
Unfortunately, in the world of computers and electronics, it becomes a lot harder.
This isn’t the first time I’ve written a newsletter about insurance and the act of war clause. I’ve not only explained how insurance companies are updating their policies, but also how the insurance industry is changing. In that second article I mentioned how Merck had successfully sued their insurance provider for $1.4 billion. I’m sure it comes as no surprise that the insurance company appealed this decision.
What is surprising is the outcome of that appeal.
The first thing to note is that the appeals court upheld the lower court’s decision, meaning they agreed the insurers were still on the hook for the $1.4 billion bill.
The second (and surprising) result was in regards to the act of war clause. The ransomware Merck was infected with was NotPetya, a strain that has strong ties to the Russian military and which is why insurance providers have tried to deny cyberinsurance claims under an act of war clause. The appeals court ruling points out that such a clause cannot be invoked simply because the Ransomware was NotPetya. Doubtless the legal scholars out there will dissect the findings, but the difference appears to be akin to that of a criminal holding someone hostage for a payday, as opposed to as foreign power purposefully targeting a weapons manufacturer in a hostile state; they’re just not the same thing.
Essentially, the appeals court gutted the act of war clause, at least when it comes to cyberinsurance. Rather than painting with an overly-broad brush to claim that using particular tools like NotPetya means a ransomware attack is automatically an act of war, the appeals result means insurers will actually need to put in some effort to proving their cases or pay out like they promised to. One can only hope this means cyberattacks of any kind will need to be directly linked to an actual war for the clause to be invoked against cyberinsurance clients in the future.
This Shakespeare quote comes from Julius Caesar; “Cry ‘Havoc!’, and let slip the dogs of war.”
If you’d like help evaluating your cyberinsurance policies and ensuring you’re in compliance, contact one of our experts today and we’ll be happy to help out.
Be kind, courtesy your friendly neighbourhood cyber-man.