Ensure Your Insurance Insures Cyber-attacks! (Also, 3 Macro-Recommendations to Maximize Protection)

With the Russian invasion of Ukraine, several topics have taken center stage, among them: economic sanctions, wheat and food shortages, and the exits of famous brands like Starbucks, McDonald’s, and PepsiCo.  (What will Red Square do without its Happy Meals?)   

Yes, Russia “exports” foreign brands; it also “exports” cyber-terrorism and ransomware attacks.  (To be fair, it is far from the only country to host cyber-terrorists.)  Does your insurance cover these attacks?  The answer, crucial to your business, may depend on your war-exclusion clauses.

Insurance policies are contracts.  War-exclusion clauses (also known as “hostile acts exclusion clauses”) are meant to exclude from contractual coverage any damages arising from state-sponsored hostile acts.  These clauses were historically a non-issue, but the rise of state-sponsored cyber-attacks (arguably, acts of war) triggered a legal review of them.

In 2017, New Jersey-based pharmaceutical company Merck was hit by a Russian-sponsored cyber-attack, leading to a manufacturing shutdown and US$1.4 billion in damages. Shockingly, Merck and its insurer could not agree as to whether its insurance policy covered these damages.

So, they turned to their lawyers.  After years of negotiations and litigation, in January 2022 a New Jersey state court ruled in favor of Merck, i.e., that cyber-attacks are excluded from war-exclusion clauses.  In doing so, the state judge noted that war-exclusion clauses historically applied only to traditional acts of war (e.g., physical invasions and missile attacks) and not cyber-attacks.

You, dear Reader, are either a client or a potential client.  You are therefore a sophisticated counterparty.  Being a sophisticated insurance consumer, you should:

  • Assess the risk of a cyber-attack against the cost of coverage and your risk profile, and, assuming coverage is required,
  • Carefully review policy documents to ensure that cyber-attacks are expressly covered without exclusion and/or expressly excluded from the war-exclusion clause.

To be sure, insurers are also sophisticated; they have already assessed their potential liability for ransomware and cyber-warfare.  While many current policies contain narrow war exclusions, it is likely that new drafts will consider expressly including cyberterrorism in those exclusions (or excluding it by other means).  As the legal landscape adapts to the Merck ruling, we are also likely to see cyber-related amendments.

On the other hand, there is now a market for stand-alone cyber-attack policies to insure against ransomware and other nefarious cyber conduct.  Clearly, the market has taken note that cyber-attacks have become more frequent and severe.  In fact, many of my clients report being electronically probed and attacked all day, every day.

Would you like some quick general recommendations?  We knew you would.

  1. Forewarned is forearmed…so, prepare for an attack.  Issue policies and procedures in case of a breach (including third-party reporting obligations in the event of a vendor breach); train employees and raise awareness of common cybersecurity pitfalls (e.g., phishing and “man-in-the-middle” attacks); install software controls such as multifactor authentication systems; ensure backup and redundancy systems are working properly and efficiently; and retain copies of current records.

  2. Conduct a risk assessment and gap analysis. Hire experts to review and test your cyber infrastructure, identify any vulnerabilities that put your data at risk, and immediately update software when new updates are released. Also review your cybersecurity measures to ensure that end-users in your organization know how to securely access external data outside of your local networks (and keep internal data in your networks).

    Don’t know where to start?  We and our experts can help!

  3. If you need to report a claim, review policy documentation to understand what and how to report.  Of course, only report what you know to be true.  That said, you have no obligation to report an educated guess, so avoid reporting provenance unless you know it to be true.  (Reporting that a ransomware attack was perpetrated by a state actor could be the basis for denying the claim.)

    Don’t know where to start?  We and our experts can help!

Ensuring that your insurers insure your data is paramount in the digital age.  (Yes, we meant to do that.) 

Here at The Wallenstein Law Group, we are well versed in helping companies plan for – and address – the unexpected.  Let us help you ensure that your policy will make you whole.  Contact us today!
