NotPetya Insurance Payout Awarded to Merck $1.4B
Short News:-
Insurance companies are already tightening up policy language to stave off nation-state cybersecurity claims.
Merck's $1.75 billion property insurance policy will have to cover the damage the NotPetya attacks did to the company's 40,000 computers. Other insurers are likely to follow, infosec industry watchers say.
Detailed News:-
'War or hostile acts' exclusion does not apply to the pharma company's 2017 cyberattack, according to the court.
Pharmaceutical giant Merck was awarded a $1.4 billion payout last month on its property insurance policy for losses it suffered as a result of the 2017 NotPetya cyberattacks, according to unredacted court documents.
"War or Hostile Acts" exclusion was cited by International Indemnity, a cyber-insurance subsidiary of Merck. This is because the U.S. Department of Justice is expected to file criminal charges against six Russian nationals in October 2020 for their alleged involvement in the NotPetya attacks.
"Inapplicable": The Superior Court of New Jersey found the exclusion unenforceable.
NotPetya's $1.4 billion damage to Merck's 40,000 computers will be covered by the $1.75 billion property insurance policy, according to a court filing.
According to the ruling, any "ambiguity" in an insurance policy's language should be interpreted to meet the "reasonable expectations" of the policyholder, according to legal precedents.
Already, insurance policy language is becoming more restrictive to prevent nation-state cybersecurity claims from being made.
According to Lloyds of London, "cyber-war" losses, which the company defined as "retaliatory attacks between nation-states with a "... major detrimental impact on the functioning of a state," will no longer be covered.
Insurers are expected to follow suit, according to analysts in the information security industry
According to Cowbell Cyber chief executive officer Jack Kudale, "cyber insurance has progressed dramatically in just four years since 2017." Standardization of coverages, clarification of terms, advanced risk assessment, and transparency in the underwriting process are critical to modernizing the approach and achieving full alignment between policyholders and their insurers."
For many in the information security industry, cyber-insurance isn't a viable option from a business or cybersecurity perspective in the long run.
Threatpost received an email from Netenrich threat hunter John Bambenek saying, "The growth of ransomware is pushing the financial limits of insurance companies." Only in cybersecurity is there any real risk of such a 'act of war.' clause in an insurance contract. Even though this gap will have to be accounted for in risk-mitigation plans, "more insurance" has never been a solution to cybersecurity issues.
Post a Comment
Your suggestions and comments are welcome