Cyber Insurance Gap May Leave Merck Hanging After NotPetya

During the summer of 2017, pharmaceutical giant Merck was one of countless companies around the world hit by the most devastating cyber-attack in history: NotPetya. Initially masquerading as ransomware, NotPetya turned out to be far worse: a strain of malware designed to destroy systems rather than hold them hostage. The toll NotPetya inflicted on Merck was devastating. As many as 30,000 laptops and desktops were taken offline, as were 7,500 servers. One employee estimated losing 15 years of work as a result of the attack. Another estimated that, for two weeks, operations completely stopped as cleanup efforts raced on.

Merck put the total cost connected to NotPetya at $1.3 billion – an astronomical amount, but at least the company had a sizeable cyber security insurance plan to fall back on. Its insurers, however, saw things differently. Many of them rejected Merck’s claims on the grounds that the cyber-attack wasn’t covered after all. Their reason? The insurers claimed NotPetya was an act of war and thus outside the scope of Merck’s coverage.

The GRU, Russia’s military intelligence agency, was credited with unleashing NotPetya as yet another weapon in that country’s ongoing conflict with Ukraine. The malware nearly decimated Ukraine’s technological infrastructure, wiping out an estimated 10% of computers across the entire country. Insurers see organizations like Merck – which saw NotPetya enter its system through a server in the company’s Ukraine branch – as simply having been caught in the crossfire.

Merck has taken its case to court but may be in for an uphill fight. The White House has publicly linked NotPetya directly to Russia’s destabilization efforts in Ukraine, potentially putting insurers on solid legal ground and leaving Merck – and others in the same boat – hanging. 

What to consider before buying cyber insurance

Analysts have great expectations for the cyber security insurance industry over the coming years, although they can’t quite agree on just how great. In a recent story, Tech Republic quoted research that predicts gross written premiums for cyber security insurance totaling just under $8 billion by 2020. Elsewhere on the Internet, Adroit Market Research claims premiums will total $23 billion by 2025. How much or how quickly the industry is going to grow is beside the point, which is that – given the omnipresence of cyber security incidents – it will grow. As more organizations invest in cyber security insurance, here are a few things to remember when trying to pick the right plan.

  • Cyber security insurance shouldn’t replace cyber security solutions. Preventing attacks is always the best policy even with a safety net like insurance in place. Insurance, after all, can’t repair the reputational damage incurred during a data breach. Furthermore, insurers will likely take a hard look at an organization’s cyber security posture following an attack in search of weak points that might allow them to avoid paying up.            
  • Get perspectives from outside IT. Cyber security isn’t an IT-only concern and the same goes for cyber security insurance. For example, Legal might be able to red flag coverage gaps – like, potentially, an “act of war” exemption. Other teams can spot other shortfalls specific to their areas that could prevent an organization from receiving the insurance benefits it needs, when it needs them most.  
  • Put together a checklist of ‘must-haves’. The ideal policy is going to vary from company to company. However, the Delaware Business Times shared a list of core items that the majority of those in the market for cyber security insurance will want. This includes covering internal and external losses and costs associated with: legal representation, forensic investigation, PR, business disruption, “make-good” services like credit monitoring, and regulatory fines.
  • Decide how much coverage is needed. It seems that organizations increasingly don’t want to get stuck without cyber insurance. They also don’t want to get stuck paying for more coverage than they will need. It’s a balancing act, one that can be achieved through internal risk assessments as well as by enlisting the help of outsiders with experience in the field.  

Next Steps: Prepare for whatever cyber criminals throw your way      

As cyber attacks become part of the cost of doing business, it seems cyber security insurance may too. It’s not just a topic for enterprise-sized organizations. Nor does it take a global cyber crisis like NotPetya, engineered by a foreign power, to put a company out of business. Garden variety ransomware can have cataclysmic repercussions for organizations of any size. And this subject will only get more complicated as current regulations expand and new ones are rolled out.

Want to talk more about this topic and what your organization can do to successfully navigate today’s ever-changing threat landscape? Start a conversation with our Cyber Security team now by visiting: https://www.arrayasolutions.com//contact-us/.

We want to know what you think of this post! Leave us a comment on this or any of our blog posts through social media. Look for us on LinkedIn, Twitter, and Facebook. While you’re there, follow us to stay up to date on our industry insights and unique technology learning opportunities.
