Catastrophic Ransomware Exclusions: More Troubles in the Cybersecurity Insurance Marketplace
By: Courtney Nadeau Ellis
Insurance is a necessary evil for most Americans. Without car insurance, drivers are liable and vulnerable in an accident. Without malpractice insurance, doctors – and lawyers – are liable for any perceived harm done to a patient or client. Similarly, without cyber insurance, organizations are vulnerable to catastrophic cyberattacks that could impact their public reputation, finances, supply chain, databases, and even infrastructure.
Cyber insurance, like most other insurance policies, is tricky: it is often laden with technical jargon and legalese. However, unlike most other insurance marketplaces, cyber insurance has little standardization; established giants in the insurance industry, like Lloyd’s of London, are only now becoming pioneers in the cyber insurance marketplace.[1] In 2024, cyber insurance remains a novelty and a mystery; however, it is quickly becoming a necessity for many organizations in the wake of exponential and catastrophic cyberattacks.
Debunking the Cyberattack
Before examining the need for insurance, especially protection as opaque as cyber insurance, what exactly is being insured against? The concept of a “cyberattack” is widely misunderstood and, ironically, its definition is often a core issue in many cyber insurance policies. Regardless, most cyberattacks fall into the “malware” category. Malware is a generalized umbrella term for any type of “intrusive software” designed by threat actors with the sole purpose of committing a malicious attack.[2] Malware is the “parent” of ransomware, a type of malware and one of the most catastrophic and prevalent types of cyberattacks.
Ransomware
Ransomware, as the name suggests, is a type of malware with a ransom attached; it is often dubbed “cyber extortion.” Simply put, ransomware infects a host’s network, encrypts the data, and then extorts the victim to pay a ransom, often in Bitcoin or another untraceable cryptocurrency, in order to release the data.[3] In theory, once the ransom is paid, the threat actor makes good on the promise and releases the data; in practice, this is often not the case. Over 4,500 ransomware attacks were reported in 2023, a spike of more than 70% over 2022,[4] costing companies an approximate total of $1 billion.[5] When a ransomware attack hits the large manufacturers, retail suppliers, and shipping companies on which our world has become dependent, who pays these damages? Who pays the ransom? In short, we are not sure.[6]
Cyber Insurance: Exclusions, Exclusions, Exclusions
Even the most robust, expensive cyber insurance policies have their limitations, and courts are still grappling with how to manage the ongoing litigation of these claims. In New Jersey, for example, the Superior Court held that the plaintiff, pharmaceutical giant Merck, was not entitled to recover damages under its cyber insurance policy because Merck’s systems were mere “collateral damage” in a Russian-sponsored cyberattack. The attack infected Merck’s systems and disrupted global manufacturing operations across 40,000 computers in over 60 countries. An investigation determined that the cyberattack’s primary target was the Ukrainian government’s centralized computer network and that Merck’s systems were mere “collateral damage” relative to the actual target, and therefore not subject to the “war exclusions” of its cyber insurance policy.[7] As of April 2024, this case is pending appeal. Under a similar “wartime” exclusion, snack food giant Mondelez International brought a case in Illinois for damages against its cyber insurance provider, which argued that Mondelez was also mere “collateral damage” in a similar Russian-backed attack. That case was settled privately.[8]
Conclusion
With these exclusions, and the shroud of mystery and inconclusiveness surrounding them, what does this mean for organizations? The organizations proactively obtaining cyber insurance are seemingly ahead of the curve, to little avail. With split circuits, a lack of standardization across a new marketplace, and general uncertainty amongst consumers, policyholders, and insurance experts alike, it is no wonder that a veil of secrecy remains over cyber insurance and the resolution of its claims. Experts have indicated that more sophisticated cyberattacks will occur in 2024, especially ransomware targeting large supply chains,[9] with more damages expected than in previous years and a cyber insurance market projected to reach approximately $23B by 2025.[10]
As ransomware becomes more sophisticated, the cyber insurance marketplace will have to rise to the challenges facing the industry, or otherwise write exclusions to remove itself from liability and avoid the consequences of billions in claims.
[1] https://www.ft.com/content/1e8931ae-461f-47cd-b0b5-aa4931230aa2
[2] https://www.cisco.com/site/us/en/learn/topics/security/what-is-malware.html
[3] https://www.acronis.com/en-us/blog/posts/cybersecurity-insurance-role-in-ransomware-protection/
[4] https://www.sans.org/blog/ransomware-cases-increased-greatly-in-2023/
[5] https://www.axios.com/2024/02/09/ransomware-earnings-2023-chart
[6] https://www.csoonline.com/article/571703/cyber-insurance-explained.html; see also https://content.naic.org/cipr-topics/terrorism-risk-insurance-act-tria
[7] Merck v. Ace American Insurance Company
[8] https://www.insurancebusinessmag.com/us/news/cyber/zurich-mondelez-settle-longstanding-lawsuit-over-100-million-claim-426741.aspx
[9] https://www.zscaler.com/blogs/security-research/top-5-cyber-predictions-2024-ciso-perspective
[10] https://www.spglobal.com/ratings/en/research/articles/230829-global-cyber-insurance-reinsurance-remains-key-to-growth-12813411