The risk of cyberattacks has increased following Russia’s invasion of Ukraine and may test the effectiveness of ‘war exclusion’ and ‘hostile act exclusion’ language in policies, says Fitch Ratings.
A new note from the agency says that the wording, already under greater scrutiny following a recent court ruling that found an insurer liable for losses stemming from the 2017 NotPetya malware attack, may be further tested by current events stemming from Russia’s actions.
However, Fitch Ratings said that the work done around rising cyber claims in recent years should mitigate some underwriting losses.
Fitch Ratings wrote: “The proliferation of potential cyberattacks from well-organized, state-sponsored hackers is elevated given the current conflict. Other P/C lines that may be affected include political risk and trade credit, property, marine, cargo, and aviation.”
It added: “Increased ransomware events have caused elevated losses; cyber insurance companies have responded by increasing premiums and have required better cyber hygiene requirements for policyholders such as multifactor authentication. This should help mitigate potential losses from the current conflict, but cyber insurance will have to evolve in kind to keep pace with the drivers of losses.”
According to Fitch, the NotPetya malware attack was largely attributed to Russian-linked hackers, with short- and long-term spillover effects and billions of dollars in losses for global firms. Merck suffered notable losses of $1.4bn; however, the claim was denied citing the policy’s ‘all risk’ language. Cyber policies for U.S. P/C insurers have typically included ‘war exclusion’ or ‘hostile act exclusion’ language, similar to P/C exclusionary language found in other property lines of business, stipulating that insurers cannot defend against acts of war.
However, Fitch said that a recent ruling in New Jersey by a Union County State Superior Court Judge concluded that Merck was entitled to summary judgment because the war exclusion language was not applicable. The ruling indicated that the contract language of the insurance policy had been virtually unchanged for many years despite the evolving and increasingly common threat of cyberattacks, which can emanate from not only nation states but also covert, nefarious private sources.
The fallout from Russia’s invasion of Ukraine is still ongoing, with AM Best stating that it is likely to have ‘significant fallout’. Meanwhile, multiple analysts have said that the conflict is likely to expose insurers in multiple areas.