Following record-shattering data breaches, there has been a major push for increased transparency and regulation in the insurance industry regarding consumer data privacy. As consumer data collection increases, ransomware attacks can expose companies to potential litigation or regulatory action if not handled properly.

Read on to learn about the National Association of Insurance Commissioners’ Insurance Consumer Privacy Protection Model Law #674, which illustrates the NAIC’s continuing re-evaluation of its historical approach to privacy compliance requirements. How will Model Law #674, as adopted by states, affect insurers’ compliance obligations vis-à-vis the patchwork of state data compliance laws and regulations recently adopted or under consideration?

On March 26, a containership struck the Francis Scott Key Bridge in Baltimore, Maryland, resulting in the collapse of the highway infrastructure and tragic loss of life.[i] As communities grieve the loss of their loved ones, businesses around the world are grappling with the economic fallout, including significant supply chain disruptions. The closure of I-695, which provides an alternate route for hazardous materials and oversized vehicles that are prohibited from going through the Baltimore Harbor Tunnel, has created gridlock for companies with distribution warehouses nearby.[ii] The many ships stuck at the Port of Baltimore blockage, which is the top port in the nation for automobile shipments, are likely to create a ripple effect for other ports worldwide.[iii]

Continue Reading Insurance Recovery for Businesses Impacted by the Francis Scott Key Bridge Collapse

The Appraisal Process

Even when an insurer agrees to cover an insurance claim, disputes often arise between the insurer and the insured as to the valuation of the loss, particularly for claims under commercial property and business interruption policies.  In these circumstances, policyholders should consider whether and to what extent the dispute could be resolved through an appraisal process before resorting to litigation.

Continue Reading The Appraisal Clause: What It Is, and When to Enforce It

Last week, Merck & Co. filed documents with the Supreme Court of New Jersey indicating that it reached a settlement with its “all risk” property insurers in a long-running coverage dispute involving over $1.4 billion in losses stemming from a 2017 NotPetya cyberattack that impacted tens of thousands of Merck computers. The coverage litigation, Merck & Co. v. ACE American Insurance Co., focused on the key question of whether the policies’ “hostile/warlike” exclusion applied to the NotPetya attack, which some intelligence agencies have attributed to Russian government attempts to destabilize Ukraine. The settlement was announced just a few days before the New Jersey Supreme Court was set to hear oral arguments during an appeal of the New Jersey state appeals court’s affirmance of a 2021 trial court ruling in Merck’s favor. Merck’s insurers had argued that Merck’s losses were barred by a war exclusion, but the New Jersey trial court found that the exclusion did not apply to malware and cyberattacks and instead was intended to apply only to physical acts of warfare between the armed forces of two or more countries. The terms and the amount of the settlement have not yet been disclosed.

Continue Reading Merck-Settlement of $1.4 Billion Coverage Dispute Over NotPetya Cyberattack Places Renewed Spotlight on War Exclusions in 2024

On June 29, 2023, the U.S. Supreme Court struck down the race-conscious admissions programs at Harvard University and the University of North Carolina at Chapel Hill in a pair of cases brought by Students for Fair Admissions (SFFA).  The Court in SFFA found the universities in violation of the Equal Protection Clause and Title VI of the Civil Rights Act, holding that the diversity-focused admissions programs “lack sufficiently focused and measurable objectives warranting the use of race, unavoidably employ race in a negative manner, involve racial stereotyping, and lack meaningful end points.”

Continue Reading What You May Not Know about The Supreme Court’s Ruling in SFFA—Insurance Coverage Implications for All Industries

Manufacturers face an ever-increasing risk of liability exposure for pollution caused by polyfluoroalkyl substances, commonly known as “PFAS.” In early June this year, it was reported that 3M, like other large chemical manufacturers, settled pending litigation involving PFAS contamination in U.S. cities for an estimated $10 billion, aiming to resolve allegations that 3M polluted bodies of water in several U.S. cities.[1] This reported settlement comes after another recent $1.19 billion settlement related to the contamination of water systems.[2] Moreover, environmental regulators—including the Environmental Protection Agency (“EPA”) under the Biden Administration—have made PFAS a priority in recent years.[3]

Continue Reading PFAS Liability and Insurance: Potential Avenues to Mitigate Exposure for PFAS Risks through Insurance

On May 3, the 7th U.S. Circuit Court of Appeals sided with the policyholder, resolving an insurance coverage dispute over a $100 million settlement related to claims under the federal Anti-Kickback Statute and the federal False Claims Act. Read on for analysis of this decision, which tries to clarify the difference between compensatory damages, which may be covered by insurance under Illinois law, and restitutionary damages, which generally are not.

Insurance policies invariably require insureds to submit timely written notice of a “Claim” made by third parties to obtain coverage from the insurer.  A recent decision from the United States District Court for the Southern District of New York is yet another reminder that insureds need to closely analyze what constitutes a “Claim” under their policies in order to comply with the timely notice requirement. 

Continue Reading Another Judicial Reminder for Policyholders to Carefully Review Policy Language and Provide Timely Notice of a “Claim”

With bank stability and the related stock market rout now dominating the headlines for the first time since the 2008 financial crisis, are financial institutions’ D&O and bankers’ professional liability / E&O (“BPL”) liability policies ready to help backstop coverage, or potentially full of holes?  Coming out of a hard market where insurers carefully and quietly pulled back some policy enhancements over the course of several years, now is the time for financial institutions to review their insurance policies to identify and fill any significant gaps and holes in their executive risk coverages.  The last two weeks demonstrate that financial institutions, as well as their directors and officers, face the risks of receivership, government investigations, securities lawsuits, and personal liability following a bank failure or stock rout in the face of financial stability concerns. 

Continue Reading Financial Institutions and Bank Directors and Officers in the Crosshairs – Are Their Insurance Policies Really Primed and Ready?

Cyberattacks on corporate networks are on the rise, and the ramifications of such an attack can be financially devastating. Recent benchmarking data shows that the number of material cyber breaches at large businesses increased by 20.5% from 2020 to 2021, with cybersecurity budgets across various industries aimed at preventing breaches jumping 51%.[1] Although companies are continuously trying to adjust to rapidly evolving security risks by developing protocols to prevent and respond to these attacks, 29% of CEOs and CISOs and 40% of chief security officers admit their organizations are unprepared, citing “weak spots primarily caused by software misconfigurations (49%), human error (40%), poor maintenance (40%), and unknown assets (30%).”[2]

While companies can try to stay one step ahead of the bad guys, cyberattacks are increasingly being launched by sophisticated state-sponsored actors. One of the most notorious state-sponsored cyberattacks in recent years involved the launch of malware known as “NotPetya” in 2017 – one of the most destructive pieces of malware ever deployed – which caused over $10 billion in losses to businesses around the world. NotPetya was derived from “Petya,” a highly destructive ransomware deployed in 2016. The U.S. government has blamed Russian security services for the attack (though Russia denies these accusations).[3] In subsequent years, FIN7 and other nation-state actors have continued to test cyber defenses, causing billions of dollars in damage.

Businesses suffering cyberattacks emanating from state-sponsored entities may have insurance coverage for their losses, but the scope of coverage available can vary dramatically depending on the amount of coverage purchased and the terms and conditions of their policies. In response to the growing incidence of state-sponsored cyberattacks, many insurers reflexively return to boilerplate “war exclusions,” arguing that cyberattacks perpetrated by state-sponsored entities in support of nefarious activities trigger exclusions for war or armed conflict. The obvious problem with this argument is that war exclusions were originally drafted to protect the insurance industry against systemic risks associated with armed conflict involving widespread property damage and were not designed to address exposures relating to cyberspace. Nevertheless, some insurers have attempted to avoid coverage for cyberattacks involving state-sponsored entities. Those efforts have been met with mixed success.

For example, in Merck & Co. v. ACE American Insurance Co., Merck & Co. sued its insurers, who had denied coverage under an all-risk property insurance policy for the billions of dollars in losses the company incurred in a 2017 NotPetya malware attack, after the attack rendered tens of thousands of devices and other hardware worthless. Merck’s insurers claimed that because the malware attack was allegedly attributable to Russia’s military intelligence agency (deployed as part of its conflicts with Ukraine), coverage was excluded pursuant to the policy’s “acts of war” exclusion. However, in 2022, the New Jersey Superior Court sided with Merck, ruling that Merck’s insurers could not rely on the war exclusion because that exclusion was intended to apply to losses resulting from an armed conflict. As the court reasoned, because the insurers did not modify the standard war exclusion to put companies like Merck “on notice” that cyberattacks would not be covered, the insurers could not now disclaim coverage.[4] As a result, the court found that Merck was entitled to receive $1.4 billion in coverage. The Merck & Co. decision is currently on appeal.

Litigation before the Cook County, Illinois Chancery Court recently involved similar arguments in Mondelez International v. Zurich American Insurance Co. In that case, Mondelez International sought coverage under its property policy for over $100 million in damages incurred following a NotPetya malware attack.[5] The insurer argued that a war exclusion applied, given its language that there would be no coverage “for hostile or warlike action in time of peace or war, including action in hindering, combating or defending against an actual, impending or expected attack by any: (i) government or sovereign power[.]” Before this case was tried, but after the decision in Merck, the parties settled for an unspecified amount.

In response to the Merck & Co. decision and the unsurprising reluctance of courts to apply war exclusions to cyberattacks, the insurance industry is reacting – not only by increasing premiums and limiting capacity, but also by adding new exclusions. Just a few months after the Merck & Co. decision, Lloyd’s of London issued a market bulletin in August of 2022 addressing cyberattack losses arising from attacks “sponsored by sovereign states” that may occur outside the traditional wartime context, mandating that new exclusions be added to all standalone cyberattack policies issued by Lloyd’s of London insurers.[6] These additional exclusions:

  1. Exclude losses arising from war (whether declared or not);
  2. Exclude losses arising from state-backed cyberattacks that:
    • significantly impair the ability of a state to function; or
    • significantly impair the security capabilities of a state;
  3. Must be clear as to whether cover excludes computer systems located outside any state affected by the state-backed cyberattack; and
  4. Must set out a “robust basis” by which the parties can agree on how state-backed cyberattacks will be attributed to one or more states.

Lloyd’s has mandated that these exclusions be implemented for all policies otherwise covering cyberattacks, including at renewals, beginning March 31, 2023. Market observers anticipate that some Lloyd’s syndicates may go further and add broad form state-sponsored exclusions to their policies. While the Lloyd’s market guidance does not apply to insurers domiciled in the United States or Bermuda, given the importance of the Lloyd’s market to the global insurance market, Lloyd’s actions may prompt similar actions from other insurers this year.

In light of the market’s response to cyberattacks emanating from state-sponsored entities and the likelihood that new exclusions will be added to all Lloyd’s policies beginning next month, all policyholders should review their cyber, property, and other policies to determine which of those may afford them cyberattack coverage. Policyholders should carefully review wartime and act-of-war exclusions in their policies with their brokers and coverage counsel to determine if the language of these policies might limit coverage for state-sponsored attacks. In addition, Lloyd’s impending application of state-backed exclusions on March 31, 2023 should serve as a warning to policyholders of potential forthcoming changes, not only to new policies but also to existing policies upon renewal. Policyholders should work carefully with their brokers and coverage counsel to review cyber and property policies to determine whether new exclusions that could negate coverage for state-sponsored cyberattacks have been added to their policies, and negotiate exceptions and carve-backs where possible.

[1] See findings from ThoughtLab’s 2022 cybersecurity benchmarking study, Cybersecurity Solutions for a Riskier World. This study analyzed the cybersecurity strategies and results of 1,200 large organizations across 14 different sectors and 16 countries, representing $125.2 billion of annual cybersecurity spending.

[2] Id.

[3] See Dustin Volz, U.S. blames Russia for crippling 2017 ‘NotPetya’ cyber attack, Thomson Reuters, Feb. 15, 2018,

[4] N.J. Super. Ct. No. L-002682-18 (Jan. 13, 2022).

[5] 2018 L 011008, Cook County Chancery, Ill.