As tensions build on the border of Russia and Ukraine, the risk of a catastrophic cyber event grows too. But if another attack along the lines of the notorious NotPetya incident were to hit businesses in the West as part of an act of war, many UK companies may find that they are not as well protected by their cyber insurance as they had hoped, as a recent court case between pharma giant Merck and its insurer highlighted. Tech leaders are being urged to check their coverage to ensure it is adequate for this rapidly evolving situation.
NotPetya emerged in 2017, during an earlier phase of the conflict between Ukraine and Russia. The destructive malware strain, which was blamed on state-backed Russian hackers, soon spread far beyond its initial targets in Ukraine and caused billions of dollars' worth of damage to companies such as Merck and law firm DLA Piper. Now, as political tensions between the two countries mount again, the cybersecurity community is starting to worry that a similar incident may occur.
Could there really be another NotPetya? “It’s possible for sure,” Vlad Styran, co-founder and CEO of Ukraine-based Berezha Security Group says. He adds that it’s possible malware which has been in development for some time could be deployed to coincide with the conflict. “[Malware is] created continuously and we only see it when the weapons operator thinks it’s appropriate,” he says.
Russia Ukraine conflict and changes to cyber insurance
If another NotPetya were to ravage the West, there is a danger that many businesses may not be protected as comprehensively as they think, explains Nick Beecroft, non-resident scholar, technology and international affairs at Carnegie Endowment for International Peace. “The real danger is that insurers and their clients might have different expectations,” he says.
In the event of a massive cyberattack, insurers “may think ‘we don’t cover acts of aggression by nation states’,” Beecroft explains. “Meanwhile the clients are thinking ‘we’ve bought a business interruption cover so if our business is interrupted, we will be covered’.”
This is what happened in the case of Merck. The pharma company suffered $300m in direct damage from NotPetya, a figure which escalated to $1.4bn once production downtime was taken into account. Its insurer, Ace American, argued that NotPetya was an instrument of the Russian Federation and part of the ongoing hostilities between Russia and Ukraine, and that the policy's war exclusion therefore applied. In 2019 Merck sued the insurer, and won last month.
Merck’s lawyers argued that the war exclusion clause contained language that limited acts of war to official government agencies and did not specifically mention cyber-related events. In a ruling last month the New Jersey Superior Court sided with Merck. The judge wrote: “Given the plain meaning of the language in the exclusion, together with the foregoing examination of the applicable case law, the court unhesitatingly finds that the exclusion does not apply.”
What does the Merck ruling mean for cyber insurance?
The Merck judgement highlights the differing expectations of insurance companies and their clients when it comes to cyber cover, Beecroft says. “The real risk is that a business might have bought insurance without thinking about specifically what happens if Russia or any state does mount a cyberattack,” he says. “That’s what we saw with Merck.”
Now is the time for businesses to review their cyber policies and make sure they understand exactly what they are covered for. "It is important that clients do try to get maximum clarity over what exactly they're covered for," Beecroft says. NotPetya and other events like it have helped to raise awareness of the kind of damage such malware can inflict. "Hopefully the NotPetya event will help to reduce some of this uncertainty," Beecroft adds.
The insurance industry itself could also be threatened by another NotPetya-style attack, particularly if the consequences are widespread and lead to large payouts. A recent report from the OECD highlighted the need for clearer regulation of cyber policies and for governments to provide support to the insurance sector. It warns that the industry may struggle to cope in the face of sustained, state-backed attacks.
Beecroft agrees that insurance regulators and insurers need to devise plans on how to handle such an event. “If governments accept that economic well-being and the provision of essential services increasingly depend on the management of cyber risk, it would be prudent to investigate the feasibility of a public/private partnership for cyber insurance before the requirement is revealed by a catastrophic event,” he says.