In 2017, the drug maker Merck and hundreds of other companies around the world suffered a catastrophic cyberattack that severely crippled their operations. At Merck, the malware-infected 30,000 personal computers and 7,500 servers, rendering them useless.
It has been labeled as the most destructive cyberattack in history. It caused more than $870 million in damages at Merck alone, affecting the sales, manufacturing, and research divisions of the company.
The attack has been attributed to Russia’s military intelligence agency. The target was Ukraine, which also suffered tremendous damage. The country’s government agencies, banks, and power stations all suffered hits. Merck and the other companies were collateral damage. The pharmaceutical company became infected through a server in its Ukraine office.
Merck Versus the Insurance Companies
Merck, however, had insurance coverage for such events, or so it thought. The company had taken out policies from 30 insurers and reinsurers that covered $1.75 billion in property damages for things like the corruption of computer data, coding, and software.
But most of those companies denied coverage to Merck. The reason for the denial stemmed from the claim that the attack was an act of war, and under the policies Merck had, this kind of event was excluded from coverage.
Merck, in turn, sued the insurance companies for breach of contract, claiming $1.3 billion in losses.
Implications for the Insurance Industry
A case like this has far-reaching ramifications for the insurance industry as a whole and the companies they insure. The Merck incident showed just how destructive such cyberattacks could be. It emphasizes the uncertainty at this point in how to price for cyber risk properly. Many believe insurers are just not up to the task yet, that they don’t know how to price it.
The legal case now playing out in a New Jersey courtroom between Merck and the insurers is a complicated one, which will put current legal theory to a severe test. Many countries have developed computer malware and are using it against adversaries, but whether this meets the definition of an act of war is not clear.
The insurers will have to marshal evidence to back up their assertion that it was indeed an act of war. This may entail an examination of the malware by computer forensic experts to determine if indeed it shows signs of emanating from the Russian military.
The stakes are high for everyone involved. According to recent reports, one cyberattack on a global scale could cause damage totaling as much as $193 billion. Only about 15 percent of that amount is insured. Some are predicting that by 2024, cyberattacks could cost more than $5 trillion.
As Merck illustrates, the impact on the insurance industry of cyberattacks is exceedingly difficult to determine. Insurers have thus far only issued a limited number of cyber policies. The real concern is with the much larger number of property and casualty policies and the impact on this type of coverage from cyberattacks. Property and casualty coverage amounts to about $620 billion. The industry is focusing now on the language in property and casualty policies to make clear whether a cyberattack is covered or not to reduce their exposure to unforeseen risks.
About Insurance Relief: Insurance Recruiting Specialists
Insurance Relief has earned high approval ratings from job candidates and clients alike, along with awards as one of the best insurance staffing agencies in the industry. We can supply your company with the qualified, reliable professionals you need. Give Insurance Relief a call today!