Cyberattacks on corporate networks are on the rise, and the ramifications from such an attack can be financially devastating. Recent benchmarking data shows that the number of material cyber breaches at large businesses increased by 20.5% from 2020 to 2021, with cybersecurity budgets across various industries aimed at preventing breaches jumping 51%.[1] Although companies are continuously trying to adjust to rapidly evolving security risks by developing protocols to prevent and respond to these attacks, 29% of the CEOS and CISOs and 40% of chief security officers admit their organizations are unprepared, citing “weak spots primarily caused by software misconfigurations (49%), human error (40%), poor maintenance (40%), and unknown assets (30%).”[2] 

While companies can try to stay one step ahead of the bad guys, cyberattacks are increasingly being launched by sophisticated state-sponsored actors. One of the most notorious state-sponsored cyberattacks in recent years involved the launch of malware known as “NotPetya” in 2017 – one of the most destructive malware ever deployed – which caused over $10 billion in losses to businesses around the world. NotPetya was derived from “Petya,” a highly destructive ransomware deployed in 2016. The U.S. government has blamed Russian security services for the attack (though Russia denies these accusations).[3] In subsequent years, FIN7 and other nation-state actors have continued to test cyber defenses, causing billions of dollars in damage.

Businesses suffering cyberattacks emanating from state-sponsored entities may have insurance coverage for their losses, but the scope of coverage available can vary dramatically depending on the amount of coverage purchased and the terms and conditions of their policies.  In response to the growing incidence of state-sponsored cyber attacks, many insurers reflexively return to boilerplate “war exclusions,” arguing that cyberattacks perpetrated by state-sponsored entities in support of nefarious activities trigger exclusions for war or armed conflict.  The obvious problem with this argument is that war exclusions were originally drafted to protect the insurance industry against systemic risks associated with armed conflict involving widespread property damage and were not designed to address exposures relating to cyberspace.  Nevertheless, some insurers have attempted to avoid coverage for cyberattacks involving state-sponsored entities.  Those efforts have been met with mixed success.  

For example, in Merck & Co. v. ACE American Insurance Co., Merck & Co. sued its insurers who denied coverage under an all-risk property insurance policy for the billions of dollar in losses the company incurred in a 2017 NotPetya malware attack, after the attack rendered tens of thousands of devices and other hardware worthless. Merck’s insurers claimed that because the malware attack was allegedly attributable to Russia’s military intelligence agency (deployed as part of its conflicts with Ukraine), coverage was excluded pursuant to the policy’s “acts of war” exclusion. However, in 2022, the New Jersey Superior Court sided with Merck, ruling that Merck’s insurers could not rely on the war exclusion because that exclusion was intended to apply to losses resulting from an armed conflict. As the court reasoned, because the insurers did not modify the standard war exclusion to put companies like Merck “on notice” that cyberattacks would not be covered, the insurer it could not now disclaim coverage.[4] As a result, the court found that Merck was entitled to receive $1.4 billion in coverage. The Merck & Co. decision is currently on appeal.

Litigation before the Cook County Illinois Chancery Court recently involved similar arguments in Mondelez International v. Zurich American Insurance Co. In that case, Mondelez International sought coverage under its property policy for over $100 million in damages incurred following a NotPetya malware attack.[5] The insurer argued that a war exclusion applied, given its language that there would be not coverage “for hostile or warlike action in time of peace or war, including action in hindering, combating or defending against an actual, impending or expected attack by any: (i) government or sovereign power[.]” Before this case was tried, but after the decision in Merck, the parties settled for an unspecified amount.  

In response to the Merck & Co. decision and the unsurprising reluctance of courts to apply war exclusions to cyberattacks, the insurance industry is responding – not only by increasing premiums and limiting capacity, but also by adding new exclusions. Just a few months after the Merck & Co. decision, Lloyd’s of London issued a market bulletin in August of 2022 addressing cyberattack losses arising from attacks “sponsored by sovereign states” that may occur outside the traditional wartime context, mandating that new exclusions be added to all standalone cyberattack policies issued by Lloyd’s of London insurers.[6]  These additional exclusions:

  1. Exclude losses arising from war (whether declared or not);
  2. Exclude losses arising from state-backed cyberattacks that:
    • significantly impair the ability of a state to function; or
    • that significantly impair the security capabilities of a state;
  3. Must be clear as to whether cover excludes computer systems located outside any stated affected by the state-back cyberattack; and
  4. Must set out a “robust basis” by which the parties can agree on how state-backed cyberattacks will be attributed to one or more states.

Lloyd’s has mandated that these exclusions be implemented for all policies otherwise covering cyberattacks, including at renewals, beginning March 31, 2023. Market observers anticipate that some Lloyd’s syndicates may go further and add broad form state-sponsored exclusions to their policies. While the Lloyd’s market guidance does not apply to insurers domiciled in the United States or Bermuda, given the importance of the Lloyd’s market to the global insurance market, Lloyd’s actions may prompt similar actions from other insurers this year.

In light of the market’s response to cyberattacks emanating from state-sponsored entities and the likelihood that new exclusions will be added to all Lloyd’s policies beginning next month, all policyholders should review their cyber, property, and other policies to determine which of those may afford them cyberattack coverage. Policyholders should carefully review wartime and act-of-war exclusions in their policies carefully with their brokers and coverage counsel to determine if the language of these policies might limit coverage for state-sponsored attacks. In addition, Lloyd’s impending application of state-backed exclusions on March 31, 2023 should serve as a warning to policyholders of potential forthcoming changes, not only to new policies but also to existing policies upon renewal. Policyholders should work carefully with their brokers and coverage counsel to review cyber and property policies to determine whether new exclusions that could negate coverage for state-sponsored cyberattacks have been added to their policies and negotiate exceptions and carve backs where possible. 

[1] See findings from ThoughtLab’s 2022 cybersecurity benchmarking study, Cybersecurity Solutions for a Riskier World. This study analyzed the cybersecurity strategies and results of 1,200 large organizations across 14 different sectors and 16 countries, representing $125.2 billion of annual cybersecurity spending. https://thoughtlabgroup.com/cyber-solutions-riskier-world/

[2] Id.

[3] See Dustin Volz, U.S. blames Russia for crippling 2017 ‘NotPetya’ cyber attack, Thomson Reuters, Feb. 15, 2018, https://www.reuters.com/article/uk-britain-russia-cyber-usa-idUKKCN1FZ2W4.

[4] N.J. Super. Ct. No. L-002682-18 (Jan. 13, 2022).

[5] 2018 L 011008, Cook County Chancery, Ill.

[6] https://assets.lloyds.com/media/35926dc8-c885-497b-aed8-6d2f87c1415d/Y5381%20Market%20Bulletin%20-%20Cyber-attack%20exclusions.pdf

In a unanimous decision, the Ohio Supreme Court found that appellee EMOI Services, LLC’s (“EMOI”) businessowners insurance policy does not cover losses resulting from a ransomware attack on EMOI’s computer software systems.

Continue Reading Ohio Supreme Court Holds that Insurance Policy Does Not Cover Ransomware Attack on Software

When seeking insurance coverage for “long-tail” mass tort and environmental claims that involve alleged exposures and injuries spanning multiple years, businesses often look to their occurrence-based commercial general liability (“CGL”) policies.   These policies are designed to provide broad coverage for defense costs, settlements, and potentially adverse judgements.  However, CGL policies generally cover “occurrences” during one-year policy periods and renew on an annual basis, which can complicate efforts to seek coverage for claims involving alleged injuries or property damage spanning decades.  Moreover, for severe claims, businesses may need to obtain access to one or more of their excess CGL policies.  Therefore, determining which policies to pursue, whether policies in multiple policy periods will respond, and how to access valuable excess coverage are factors that should always be considered with coverage counsel when facing long-tail exposures.  Courts across the country are divided on how these questions should be answered.  A recent decision issued by the Supreme Court of North Carolina in Radiator Specialty Co. v. Arrowood Indemnity Co., provides guidance to North Carolina policyholders attempting to maximize coverage for long-tail claims.

Continue Reading North Carolina Supreme Court Provides Guidance to Policyholders Attempting to Maximize Insurance Coverage for Long-Tail Claims

In May 2022, the Illinois Supreme Court heard oral arguments in Cothron v. White Castle System, Inc. — a case that will have a substantial impact on the liability for violating the Illinois Biometric Information Privacy Act (“BIPA”).  BIPA is considered to be among the most robust law in the U.S. governing biometric privacy, and Illinois is among the few jurisdictions permitting private suits for the unlawful collection, storage of such data.  Since its inception in 2008, BIPA has been the source of a flurry of lawsuits, many of which have resulted in substantial settlements.  The court is set to determine how to calculate the number of individual BIPA violations, whether damages accrue each time an employee scans her fingerprint, or whether the first recorded scan is the sole violation.  If the Illinois high court determines that damages accrue with each scan and BIPA violations are ongoing, then the potential damages for BIPA lawsuits would increase exponentially and open a flood of new claims.  Fortunately, insurance policyholders have had recent success arguing that coverage exists for BIPA violations under Commercial General Liability (“CGL”) policies.  A plaintiff-friendly ruling in the Cothron case would make the ability to recover under these policies even more important, and potentially open additional avenues for recovery.  In anticipation of this important ruling, this article provides a brief background on BIPA and summarizes the key decisions relating to insurance recovery of BIPA damages.

Continue Reading Update on Case Law Developments for BIPA Damages and Insurance Recovery for BIPA Claims

In several states, an insured that prevails in a coverage dispute against its insurer is entitled to statutory “penalty interest” added to the amount owed by the insurer.  A June 8, 2022 decision from the United States District Court for the Western District of Michigan illustrates the importance of meeting the “proof of loss” requirements of such statutes.

In Alticor Global Holdings, Inc. v. American International Specialty Lines Insurance Co., an insured filed an action against its insurer after the insurer refused to reimburse the costs of defending and ultimately settling copyright infringement claims asserted against the insured.  The District Court found that the insured was entitled to coverage under an Internet and Network Security Insurance Policy for $24 million in costs incurred in the underlying lawsuit and then considered the amount of interest that should be paid by the insurer on top of the breach of contract damages awarded to the insured.

Continue Reading Recent Michigan Court Ruling Reinforces Importance of Providing Prompt “Proof of Loss”

On March 14, 2022, Russian President Vladimir Putin signed a law allowing the seizure of foreign-owned aircraft in Russia. Many aircraft in Russia are owned by international firms and leased for use in Russia. Such seizures are a likely source of insurance claims by the planes’ owners and financers.

Most commercial air carriers do not own the aircraft they operate, preferring instead to lease them for tax and accounting purposes. Many aircraft used in Russia for passenger traffic were built by Western firms and are owned and financed internationally. For example, according to news reports, 740 Bermuda-registered airplanes operated in Russia are now subject to seizure.

Continue Reading What Owners and Financers Need to Know About Insurance and Putin’s Aircraft Seizure Law

The Russian invasion of Ukraine and the resulting sanctions Western countries have imposed on Russia have already caused potentially catastrophic losses for businesses with assets and investments in Ukraine, Russia and neighboring countries impacted by the attack. These losses could accelerate, based on a March 9, 2022, announcement by Russia’s ruling party.

According to that announcement, a Russian government commission has begun the approval process toward Russia nationalizing the assets of foreign businesses that leave Russia in light of the economic sanctions. This could create dire economic consequences for foreign businesses that leave Russia.

Continue Reading Russia and the Insurance Angle — Tapping Political Risk and Other Insurance Coverages

In two recent decisions, the Texas Supreme Court defined the limited parameters in which Texas courts can look beyond the “four corners” of the complaint against the policyholder and the “four corners” of the insurance policy (i.e., the “eight-corners rule”) when determining whether an insurer’s “duty to defend” is triggered.

Permitting exceptions to the “eight-corners rule” and, in limited instances, allowing the use of extrinsic evidence to determine whether the duty to defend applies, requires policyholders to pay extra care to whether their insurers are properly accepting or denying defense of a suit. Application of fact-intensive tests like the Texas Supreme Court just announced varies from state to state.

Continue Reading Beyond the Eight Corners: Determining Whether a Liability Insurer’s Duty to Defend Is Triggered

Entering 2020, corporate policyholders already faced a hardening insurance market. But as the COVID-19 pandemic continues to wreak havoc on global markets and sow civil unrest throughout the globe, and the insurance industry faces unprecedented losses, the market has further deteriorated entering 2022.

In fact, Reuters reported COVID-19 losses of $44 billion so far, which represents the third-largest cost to insurers of any catastrophe to date (behind Hurricane Katrina and the 9/11 terrorist attacks). These factors have not only made some insurance companies reluctant to extend new coverage, but have also incentivized insurance companies to deny or delay claims until their balance sheets recover.

Continue Reading In a Hard Global Insurance Market, Will Insurers Cover Political Risk Insurance Claims?

As COVID-19 continues to spread, recent news has highlighted the risk of “take-home” COVID-19 cases and the potential for “never-ending” liability for businesses. So-called take-home lawsuits are filed by employees’ domestic relatives for diseases or illnesses caused by exposures that allegedly traveled home through the employee.

On Jan. 12, 2022, Reuters reported “at least 23 take-home COVID-19 lawsuits” have been filed in the United States, including lawsuits against employers in the travel, retail and food-processing industries.

Continue Reading Increase in ‘Take-Home’ COVID-19 Litigation Creates Fear of ‘Never-Ending’ Liability for Employers