Merck wins NotPetya claim – but the future of cybersecurity insurance is complicated
Pharmaceutical company Merck & Co won its case for coverage of losses incurred during the NotPetya cyberattack, securing a payment of 1.4 billion US dollars from its insurance company. Previously, the insurer had withheld the money, citing exclusion policies.
In 2017, NotPetya crippled IT systems and companies around the world and affected global industry giants such as logistics company Moeller Maersk. The infection wave started in Ukraine and is widely believed to be of Russian origin. Merck was also impacted, citing more than 40,000 infected computers in its network.
The incident, the insurer argued, was an act of war, which is usually excluded from insurance payments. This case, as well as similar ones, including that of food company Mondelez, has been closely watched by cybersecurity experts. Had the insurer's position held up in court, it would have significantly reduced the usefulness of cybersecurity insurance.
The court argued that the insurance claim could not be cancelled that easily. The phrasing of the insurance contract is intended to exclude physical acts of war, not cyberattacks. As the judge wrote: “[…] Insurers did nothing to change the language of the exemption to reasonably put this insured on notice that it intended to exclude cyberattacks. Certainly, they had the ability to do so.”
Companies cannot rely on cybersecurity insurance alone – if they can even get one
Cybersecurity insurance policies can cover losses incurred during cyberattacks. However, the situation has changed quite dramatically since 2017. Back then, insurance companies gave out policies with few preconditions and with broad coverage of losses and restorative actions after an incident. Prices were quite low in the first years of such policies, which resulted in many companies acquiring insurance.
In today’s threat landscape, however, it is increasingly hard for companies to get their hands on a policy to start with. The rise of ransomware incidents and the ever-mounting costs of cyberattacks have led insurance companies to pick their customers more carefully. Without a good security posture, a prospective customer is unlikely to get any coverage under a cybersecurity policy. And even then, today’s policies will usually have a capped percentage of potential loss and damage that will be covered.
Companies that can purchase said insurance will typically be better suited to deal with the situation anyway. The situation reaffirms what cybersecurity experts have been saying for quite some time now: there is no easy fix for better cybersecurity. Taking out insurance alone does not help, just as a purely technical approach to defence is not sufficient. Management needs to get involved in the issue by establishing processes, training staff, and enabling their own IT department to tackle the emerging challenges. That means investments, in terms of both people and money.