A recent court ruling in New Jersey highlights the hidden risks within cyber coverage, says a new briefing from Moody’s.
The briefing, which came out a few days ago, looks at a ruling involving Merck & Co., which had sought insurance coverage from fifteen of its P&C insurers for damages related to the NotPetya attack in 2017. The UK, US and several other countries attributed the broad-based attack to the Russian government and its efforts to destabilise Ukraine.
In its summary judgment, which could still be appealed, the New Jersey State Superior Court granted Merck & Co $1.4bn in damages. The court found that the war or hostile acts exclusion clause in the all-risk property insurance policy does not preclude coverage.
Michael Dion, vice president of Moody’s, said: “Since the NotPetya cyberattack, P&C insurers have been working to address silent or non-affirmative coverage, where cyber risk is neither explicitly stated nor excluded from policies.”
He added: “Insurers are addressing the risk by adding cyber exclusions to traditional lines of coverage, such as property or marine, to avoid ambiguity that could result in large loss aggregations, and issuing standalone cyber policies.”
In its note, Moody’s said that given the systemic nature of cyber risk, severe attacks could represent an uninsurable event.
Moody’s added: “The insurance industry does not have the capital to insure these widespread systemic events. The London Market Association has released model clauses that would exclude coverage for war from cyber insurance policies. Other market participants are also developing similar exclusions with the goal of reaching a market standard to address this complex coverage issue.”
The agency looked at the growth of cyber insurance, stating that it was relatively small at $10bn annually, compared to traditionally property and casualty premiums.
However, it added: “However, the frequency and severity of cyber claims has escalated, most notably for ransomware, particularly over the past two years. Since the onset of the pandemic, as most employees worked remotely and frequently used personal devices and less secure methods for connecting to corporate networks, the surface area for cyberattacks has increased significantly. The growth in the use of cryptocurrencies during this time has also emboldened hackers to make greater ransomware demands. Insurers’ loss ratios will rise further in 2021 and escalating losses have resulted in significant changes in the cyber insurance market.”
Judgment on the case was issued in December and made public in the middle of January.
